terraform.lang.security.iam.no-iam-data-exfiltration.no-iam-data-exfiltration
semgrep
Ensure that IAM policies don't allow data exfiltration actions that are not resource-constrained. Such a policy lets the user read sensitive data they have no need to read. Instead, make sure that users granted these privileges are given those permissions on specific resources.
Definition
rules:
  - id: no-iam-data-exfiltration
    patterns:
      - pattern-either:
          - patterns:
              - pattern-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...,
                        {... Resource = "*" ...},
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              - pattern-not-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...,
                        {... Effect = "Deny" ...},
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              - pattern: |
                  Action = $ACTION
              - metavariable-pattern:
                  metavariable: $TYPE
                  pattern-either:
                    - pattern: |
                        "aws_iam_role_policy"
                    - pattern: |
                        "aws_iam_policy"
                    - pattern: |
                        "aws_iam_user_policy"
                    - pattern: |
                        "aws_iam_group_policy"
          - patterns:
              - pattern-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      resources = ["*"]
                      ...
                    }
                    ...
                  }
              - pattern-not-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      effect = "Deny"
                      ...
                    }
                    ...
                  }
              - pattern: |
                  actions = [..., $ACTION, ...]
      - metavariable-pattern:
          metavariable: $ACTION
          pattern-either:
            - pattern: |
                "s3:GetObject"
            - pattern: |
                "ssm:GetParameter*"
            - pattern: |
                "secretsmanager:GetSecretValue"
            - pattern: |
                "rds:CopyDBSnapshot"
            - pattern: |
                "rds:CreateDBSnapshot"
            - pattern: |
                "ssm:*"
            - pattern: |
                "s3:*"
            - pattern: |
                "rds:*"
            - pattern: |
                "secretsmanager:*"
    message: >-
      Ensure that IAM policies don't allow data exfiltration actions that are
      not resource-constrained. Such a policy lets the user read sensitive data
      they have no need to read. Instead, make sure that users granted these
      privileges are given those permissions on specific resources.
    metadata:
      references:
        - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMDataExfiltration.py
        - https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/
      category: security
      cwe:
        - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      owasp:
        - A01:2021 - Broken Access Control
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - hcl
    severity: WARNING
Examples
no-iam-data-exfiltration.tf
resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-data-exfiltration
        Action = [
          "ssm:GetParameter*",
        ]
        Effect   = "Allow"
        Resource = "someResource"
      },
    ]
  })
}

data aws_iam_policy_document "policy" {
  statement {
    # ok: no-iam-data-exfiltration
    actions = ["rds:*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = ["someResource"]
  }
}

resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-data-exfiltration
        Action   = "secretsmanager:GetSecretValue"
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

data aws_iam_policy_document "policy" {
  statement {
    # ruleid: no-iam-data-exfiltration
    actions = ["ssm:*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    resources = ["*"]
  }
}
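The same check carried over to the rendered JSON policy document (what the jsonencode() call or the aws_iam_policy_document data source actually hands to AWS), as an added example that is not part of the Semgrep rule or this page. It generalises the rule's literal action list by reading the policy's own IAM wildcards, so "s3:Get*" or a bare "*" are caught as well as the exact spellings; the function names, the expansion of ssm:GetParameter* into the concrete SSM actions it stands for, and the sample policies are my own assumptions and constructions.

```python
import fnmatch
import json

# Concrete actions behind the rule's list: "ssm:GetParameter*" spelled out as
# the IAM actions it stands for. The rule's "<service>:*" entries are just the
# literal wildcard spellings Semgrep can match; the covering check below
# handles those and any other wildcard ("s3:Get*", "*") the same way.
EXFIL_ACTIONS = (
    "s3:GetObject",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "secretsmanager:GetSecretValue",
    "rds:CopyDBSnapshot", "rds:CreateDBSnapshot",
)

def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed."""
    return [] if value is None else value if isinstance(value, list) else [value]

def action_covers_exfil(action):
    """True if a policy action, read with IAM's case-insensitive '*' and '?'
    wildcards, grants at least one listed data-exfiltration action."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(a.lower(), pattern) for a in EXFIL_ACTIONS)

def find_unconstrained_exfil(policy):
    """(statement index, action) for each Allow statement granting a
    data-exfiltration action on Resource "*". NotAction/NotResource forms are
    out of scope here, as they are for the Semgrep rule."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are skipped, like the rule's pattern-not-inside
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # resource-constrained: fine by this rule
        for action in _as_list(stmt.get("Action")):
            if action_covers_exfil(action):
                findings.append((i, action))
    return findings

# Constructed samples: the two jsonencode() policies from the Examples section
# as the JSON IAM receives, plus a wildcard the rule's literal list misses.
SAMPLE_OK = json.loads('{"Version": "2012-10-17", "Statement": [{"Action": '
    '["ssm:GetParameter*"], "Effect": "Allow", "Resource": "someResource"}]}')
SAMPLE_BAD = json.loads('{"Version": "2012-10-17", "Statement": ['
    '{"Action": "secretsmanager:GetSecretValue", "Effect": "Allow", "Resource": "*"}, '
    '{"Action": "s3:*", "Effect": "Deny", "Resource": "*"}, '
    '{"Action": ["s3:Get*", "s3:ListBucket"], "Effect": "Allow", "Resource": ["*"]}]}')

if __name__ == "__main__":
    print("ok:", find_unconstrained_exfil(SAMPLE_OK))    # []
    print("bad:", find_unconstrained_exfil(SAMPLE_BAD))  # statements 0 and 2
```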
Short Link: https://sg.run/pYrN