terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure
Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.
Definition
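rules:
  - id: no-iam-creds-exposure
    # Reports an Allow statement that grants one of the "credentials exposure"
    # actions catalogued by Cloudsplaining (see metadata.references): actions
    # whose API response hands back a credential (access key, password, session
    # token, authorization token). Two policy shapes are covered: an inline JSON
    # policy built with jsonencode({...}) on an IAM policy resource, and a
    # statement block of an aws_iam_policy_document data source. A statement
    # whose effect is "Deny" is never reported; a statement that carries no
    # effect at all is reported, because both IAM and the data source default
    # the effect to Allow.
    #
    # Limits, by construction:
    #   - the action list is matched as exact, case-sensitive string literals;
    #     IAM compares action names case-insensitively, so "STS:assumerole"
    #     would be granted but is not reported here;
    #   - only whole-service wildcards ("iam:*") and the bare "*" are
    #     recognised; partial wildcards such as "iam:Create*" are not;
    #   - several listed actions (sts:AssumeRole, ecr:GetAuthorizationToken)
    #     are routinely required, hence confidence LOW and subcategory audit.
    # NOTE(review): the data-source pattern spells the type as an unquoted
    # label (data aws_iam_policy_document "..."), matching the fixture; confirm
    # it also matches the conventional quoted form written by terraform fmt.
    patterns:
      - pattern-either:
          # Shape 1: resource "<iam policy type>" ... { policy = jsonencode({...}) }
          - patterns:
              - pattern-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              # Anchored on the statement object rather than on the whole
              # resource: a Deny statement elsewhere in the same policy must not
              # hide a sibling Allow statement that grants a listed action.
              - pattern-not-inside: |
                  {... Effect = "Deny" ...}
              - pattern: |
                  Action = $ACTION
              - metavariable-pattern:
                  metavariable: $TYPE
                  pattern-either:
                    - pattern: |
                        "aws_iam_role_policy"
                    - pattern: |
                        "aws_iam_policy"
                    - pattern: |
                        "aws_iam_user_policy"
                    - pattern: |
                        "aws_iam_group_policy"
          # Shape 2: data aws_iam_policy_document ... { statement { actions = [...] } }
          - patterns:
              - pattern-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                    }
                    ...
                  }
              # Same statement-level anchoring as in shape 1; `effect` is
              # optional on the data source and is Allow when omitted.
              - pattern-not-inside: |
                  statement {
                    ...
                    effect = "Deny"
                    ...
                  }
              - pattern: |
                  actions = [..., $ACTION, ...]
      # $ACTION is the whole Action value (a single string or a list); the
      # literals below match anywhere inside it, so the list form is covered.
      - metavariable-pattern:
          metavariable: $ACTION
          pattern-either:
            # Individual credentials-exposure actions.
            - pattern: |
                "chime:CreateApiKey"
            - pattern: |
                "codepipeline:PollForJobs"
            - pattern: |
                "cognito-identity:GetOpenIdToken"
            # Spelled "DeveloperIdentity" as in the AWS action name; the previous
            # "DeveloperEdentity" literal could never match.
            - pattern: |
                "cognito-identity:GetOpenIdTokenForDeveloperIdentity"
            - pattern: |
                "cognito-identity:GetCredentialsForIdentity"
            - pattern: |
                "connect:GetFederationToken"
            - pattern: |
                "connect:GetFederationTokens"
            - pattern: |
                "ec2:GetPasswordData"
            - pattern: |
                "ecr:GetAuthorizationToken"
            - pattern: |
                "gamelift:RequestUploadCredentials"
            - pattern: |
                "iam:CreateAccessKey"
            - pattern: |
                "iam:CreateLoginProfile"
            - pattern: |
                "iam:CreateServiceSpecificCredential"
            - pattern: |
                "iam:ResetServiceSpecificCredential"
            - pattern: |
                "iam:UpdateAccessKey"
            - pattern: |
                "lightsail:GetInstanceAccessDetails"
            - pattern: |
                "lightsail:GetRelationalDatabaseMasterUserPassword"
            - pattern: |
                "rds-db:Connect"
            - pattern: |
                "redshift:GetClusterCredentials"
            - pattern: |
                "sso:GetRoleCredentials"
            - pattern: |
                "mediapackage:RotateChannelCredentials"
            - pattern: |
                "mediapackage:RotateIngestEndpointCredentials"
            - pattern: |
                "sts:AssumeRole"
            - pattern: |
                "sts:AssumeRoleWithSaml"
            - pattern: |
                "sts:AssumeRoleWithWebIdentity"
            - pattern: |
                "sts:GetFederationToken"
            - pattern: |
                "sts:GetSessionToken"
            # Whole-service wildcards: each service above has at least one
            # listed action, so "<service>:*" grants it.
            - pattern: |
                "ec2:*"
            - pattern: |
                "codepipeline:*"
            - pattern: |
                "rds-db:*"
            - pattern: |
                "connect:*"
            - pattern: |
                "iam:*"
            - pattern: |
                "ecr:*"
            - pattern: |
                "sts:*"
            - pattern: |
                "chime:*"
            - pattern: |
                "mediapackage:*"
            - pattern: |
                "redshift:*"
            - pattern: |
                "gamelift:*"
            - pattern: |
                "cognito-identity:*"
            - pattern: |
                "lightsail:*"
            - pattern: |
                "sso:*"
            # The bare wildcard grants every action, including all of the above.
            - pattern: |
                "*"
    message: Ensure IAM policies don't allow credentials exposure. Credentials
      exposure actions return credentials as part of the API response, and can
      possibly lead to leaking important credentials. Instead, use another
      action that doesn't return sensitive data as part of the API response.
    metadata:
      references:
        - https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/
        - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py
      category: security
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      owasp:
        - A01:2021 - Broken Access Control
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - hcl
    severity: WARNING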
Examples
no-iam-creds-exposure.tf
resource "aws_iam_user_policy" "lb_ro" {
name = "test"
user = aws_iam_user.lb.name
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
# ok: no-iam-creds-exposure
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
data aws_iam_policy_document "policy" {
statement {
# ok: no-iam-creds-exposure
actions = ["ec2:Describe"]
resources = ["*"]
}
}
resource "aws_iam_policy" "policy" {
name = "test_policy"
path = "/"
description = "My test policy"
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
# ruleid: no-iam-creds-exposure
Action = "sts:GetSessionToken"
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_policy" "policy" {
name = "test_policy"
path = "/"
description = "My test policy"
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
# ruleid: no-iam-creds-exposure
Action = ["ec2:GetPasswordData"]
Effect = "Allow"
Resource = "*"
},
]
})
}
resource "aws_iam_policy" "policy" {
name = "test_policy"
path = "/"
description = "My test policy"
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
# ok: no-iam-creds-exposure
Action = ["ec2:GetPasswordData"]
Effect = "Deny"
Resource = "*"
},
]
})
}
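# Positive case for the data-source shape: chime:CreateApiKey is listed and no
# effect is set, which the data source treats as Allow. The label is unique
# within the fixture so it stays valid Terraform (duplicate data-source
# addresses are rejected).
data aws_iam_policy_document "chime_api_key" {
  statement {
    # ruleid: no-iam-creds-exposure
    actions = ["chime:CreateApiKey"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    resources = ["*"]
  }
}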
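# Negative case: the same statement with an explicit effect = "Deny" grants
# nothing and must not be reported. The label is unique within the fixture so
# it stays valid Terraform (duplicate data-source addresses are rejected).
data aws_iam_policy_document "chime_api_key_deny" {
  statement {
    # ok: no-iam-creds-exposure
    actions = ["chime:CreateApiKey"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    resources = ["*"]
    effect    = "Deny"
  }
}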