terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.

Run Locally

Run in CI

Defintion

rules:
  - id: no-iam-priv-esc-funcs
    patterns:
      - pattern-either:
          - patterns:
              - pattern-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              - pattern-not-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...,
                        {... Effect = "Deny" ...},
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              - pattern: Action = $ACTION
              - metavariable-pattern:
                  metavariable: $TYPE
                  pattern-either:
                    - pattern: |
                        "aws_iam_role_policy"
                    - pattern: |
                        "aws_iam_policy"
                    - pattern: |
                        "aws_iam_user_policy"
                    - pattern: |
                        "aws_iam_group_policy"
          - patterns:
              - pattern-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                    }
                    ...
                  }
              - pattern-not-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      effect = "Deny"
                      ...
                    }
                    ...
                  }
              - pattern: |
                  actions = [..., $ACTION, ...]
      - metavariable-pattern:
          metavariable: $ACTION
          pattern-either:
            - pattern: |
                "iam:AddUserToGroup"
            - pattern: |
                "iam:CreatePolicyVersion"
            - pattern: |
                "iam:SetDefaultPolicyVersion"
            - pattern: |
                "iam:AttachUserPolicy"
            - pattern: |
                "iam:AttachGroupPolicy"
            - pattern: |
                "iam:AttachRolePolicy"
            - pattern: |
                "iam:PutUserPolicy"
            - pattern: |
                "iam:PutGroupPolicy"
            - pattern: |
                "iam:PutRolePolicy"
            - pattern: |
                "glue:UpdateDevEndpoint"
            - pattern: |
                "iam:*"
            - pattern: |
                "glue:*"
    message: Ensure that actions that can result in privilege escalation are not
      used. These actions could potentially result in an attacker gaining full
      administrator access of an AWS account. Try not to use these actions.
    metadata:
      references:
        - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
        - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/
      category: security
      cwe:
        - "CWE-250: Execution with Unnecessary Privileges"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

no-iam-priv-esc-funcs.tf

resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-funcs
        Action = [
          "std:AssumeRole",
        ]
        Effect   = "Allow"
        Resource = ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws.username}"]
      },
    ]
  })
}

resource "aws_iam_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-funcs
        Action = [
          "ec2:Describe",
        ]
        Effect   = "Allow"
        Resource = ["*"]
      },
    ]
  })
}

data aws_iam_policy_document "policy" {
   statement {
     # ok: no-iam-priv-esc-funcs
     actions = ["ec2:Describe"]
     principals {
       type        = "AWS"
       identifiers = ["*"]
     }
     resources = ["*"]
   }
}

resource "aws_iam_user_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-funcs
        Action = "iam:PutGroupPolicy"
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-funcs
        Action = ["iam:PutUserPolicy", "ec2:Describe"]
        Effect   = "Allow"
        Resource = "arn:aws:iam::*:user/*"
      },
    ]
  })
}

data aws_iam_policy_document "policy" {
   statement {
     # ruleid: no-iam-priv-esc-funcs
     actions = ["glue:*"]
     principals {
       type        = "AWS"
       identifiers = ["*"]
     }
     resources = ["*"]
   }
}