terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs
semgrep
Ensure that actions that can result in privilege escalation are not used. These actions could allow an attacker to gain full administrator access to an AWS account. Avoid granting these actions.
Definition
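rules:
  - id: no-iam-priv-esc-funcs
    # Two ways of writing policy statements are covered: policies built with
    # jsonencode({...}) inside a resource block (branch 1) and statements in an
    # aws_iam_policy_document data source (branch 2). A policy supplied as a
    # raw JSON string (heredoc, file(), templatefile()) matches neither branch.
    patterns:
      - pattern-either:
          # Branch 1: resource $TYPE { policy = jsonencode({ Statement = [...] }) }
          - patterns:
              - pattern-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              # Suppresses the whole resource when ANY entry of its Statement
              # list is a Deny. NOTE(review): this exclusion is resource-wide,
              # not per-statement, so an Allow of "iam:*" placed next to an
              # unrelated Deny statement in the same policy is not reported.
              - pattern-not-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...,
                        {... Effect = "Deny" ...},
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              # $ACTION may bind a single string or a list; the
              # metavariable-pattern on $ACTION below searches inside either.
              - pattern: Action = $ACTION
              # Only IAM policy resources carry a `policy` attribute of interest.
              - metavariable-pattern:
                  metavariable: $TYPE
                  pattern-either:
                    - pattern: |
                        "aws_iam_role_policy"
                    - pattern: |
                        "aws_iam_policy"
                    - pattern: |
                        "aws_iam_user_policy"
                    - pattern: |
                        "aws_iam_group_policy"
          # Branch 2: statement blocks of an aws_iam_policy_document data source.
          # Here the Deny exclusion is scoped to the individual statement block.
          # NOTE(review): the type label is written unquoted; confirm the pattern
          # also matches the quoted form `data "aws_iam_policy_document" "..."`
          # that Terraform 0.12+ requires.
          - patterns:
              - pattern-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                    }
                    ...
                  }
              - pattern-not-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      effect = "Deny"
                      ...
                    }
                    ...
                  }
              - pattern: |
                  actions = [..., $ACTION, ...]
      # Applies to both branches: report only when the bound action is one of
      # the privilege-escalation primitives below (see metadata.references).
      - metavariable-pattern:
          metavariable: $ACTION
          pattern-either:
            - pattern: |
                "iam:AddUserToGroup"
            - pattern: |
                "iam:CreatePolicyVersion"
            - pattern: |
                "iam:SetDefaultPolicyVersion"
            - pattern: |
                "iam:AttachUserPolicy"
            - pattern: |
                "iam:AttachGroupPolicy"
            - pattern: |
                "iam:AttachRolePolicy"
            - pattern: |
                "iam:PutUserPolicy"
            - pattern: |
                "iam:PutGroupPolicy"
            - pattern: |
                "iam:PutRolePolicy"
            - pattern: |
                "glue:UpdateDevEndpoint"
            # Service wildcards grant every action above.
            - pattern: |
                "iam:*"
            - pattern: |
                "glue:*"
            # A bare "*" grants every action of every service, so it is at
            # least as dangerous as "iam:*" and is reported the same way.
            - pattern: |
                "*"
    message: Ensure that actions that can result in privilege escalation are not
      used. These actions could potentially result in an attacker gaining full
      administrator access of an AWS account. Try not to use these actions.
    metadata:
      references:
        - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
        - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/
      category: security
      cwe:
        - "CWE-250: Execution with Unnecessary Privileges"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING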
Examples
no-iam-priv-esc-funcs.tf
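# Negative case: an inline user policy whose only action is not in the rule's
# escalation list, so no finding is expected. "sts" is the service prefix for
# AssumeRole ("std" is not an AWS service and would never appear in a policy).
resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-funcs
        Action = [
          "sts:AssumeRole",
        ]
        Effect   = "Allow"
        Resource = ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws.username}"]
      },
    ]
  })
}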
# Negative case: a managed policy with a read-only action on a wildcard
# resource. "ec2:Describe" is not in the escalation list, so no finding is
# expected even though Resource is "*".
# NOTE(review): aws_iam_policy has no `user` argument; the line below looks
# copy-pasted from the aws_iam_user_policy fixture and only has to parse here.
resource "aws_iam_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-funcs
        Action = [
          "ec2:Describe",
        ]
        Effect   = "Allow"
        Resource = ["*"]
      },
    ]
  })
}
# Negative case for the data-source branch of the rule: the statement's only
# action is not in the escalation list, so no finding is expected. The
# open principal ("*") is irrelevant to this rule.
data aws_iam_policy_document "policy" {
  statement {
    # ok: no-iam-priv-esc-funcs
    actions = ["ec2:Describe"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    resources = ["*"]
  }
}
# Positive case: Action is a single string that is in the escalation list
# ("iam:PutGroupPolicy") with Effect = "Allow", so a finding is expected.
# NOTE(review): `path` and `description` are aws_iam_policy arguments, not
# aws_iam_user_policy ones; they only need to parse for this fixture.
resource "aws_iam_user_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-funcs
        Action   = "iam:PutGroupPolicy"
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
# Positive case: Action is a list in which one entry ("iam:PutUserPolicy") is
# in the escalation list and the other is benign. A finding is still expected,
# i.e. the rule looks inside the list rather than requiring an exact match.
resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-funcs
        Action   = ["iam:PutUserPolicy", "ec2:Describe"]
        Effect   = "Allow"
        Resource = "arn:aws:iam::*:user/*"
      },
    ]
  })
}
# Positive case for the data-source branch: the service wildcard "glue:*"
# covers glue:UpdateDevEndpoint, so a finding is expected.
# NOTE(review): this reuses the data-source name "policy" from the negative
# fixture above; Terraform would reject the duplicate, but the fixture only
# has to parse for the Semgrep test.
data aws_iam_policy_document "policy" {
  statement {
    # ruleid: no-iam-priv-esc-funcs
    actions = ["glue:*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    resources = ["*"]
  }
}