terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users
Ensure that IAM policies with permissions on other users don't allow for privilege escalation. This can lead to an attacker gaining full administrator access to AWS accounts. Instead, specify which user the permission should be used on, or do not use the listed actions. $RESOURCE
Definition
rules:
  - id: no-iam-priv-esc-other-users
    # Reports an IAM policy statement that grants one of the user-credential
    # actions listed under $ACTION below on a resource containing "*" — that
    # is, on users other than one specific, named user. Both supported shapes
    # (inline jsonencode() policies and aws_iam_policy_document data sources)
    # bind the same $ACTION / $RESOURCE metavariables, which are then checked
    # once at the end of this `patterns` list.
    patterns:
      - pattern-either:
          # Shape 1: policy = jsonencode({ Statement = [ ... ] }) inside one of
          # the resource types listed under $TYPE. A policy supplied as a plain
          # string (heredoc, file(), templatefile()) does not match this shape
          # and is therefore not inspected by the rule.
          - patterns:
              - pattern-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...,
                        {... Resource = $RESOURCE ...},
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              # NOTE(review): this exclusion applies to the whole resource
              # block, so a single Deny statement anywhere in the policy
              # suppresses findings for every Allow statement in the same
              # policy — confirm that this is intended.
              - pattern-not-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...,
                        {... Effect = "Deny" ...},
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              # The Action is located anywhere inside the resource block
              # matched above, not necessarily in the statement that bound
              # $RESOURCE; with several statements an Action from one and a
              # Resource from another may presumably pair up — verify with a
              # multi-statement fixture.
              - pattern: |
                  Action = $ACTION
              - metavariable-pattern:
                  metavariable: $TYPE
                  pattern-either:
                    - pattern: |
                        "aws_iam_role_policy"
                    - pattern: |
                        "aws_iam_policy"
                    - pattern: |
                        "aws_iam_user_policy"
                    - pattern: |
                        "aws_iam_group_policy"
          # Shape 2: a statement inside an aws_iam_policy_document data source.
          # Only `actions` and `resources` are read; other statement attributes
          # (principals, condition, not_actions, ...) are not examined.
          - patterns:
              - pattern-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      resources = $RESOURCE
                      ...
                    }
                    ...
                  }
              # Same caveat as above: any statement with effect = "Deny"
              # excludes the entire data block from the rule.
              - pattern-not-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      effect = "Deny"
                      ...
                    }
                    ...
                  }
              - pattern: |
                  actions = [..., $ACTION, ...]
      # "Other users" means the resource is not a single named principal: any
      # "*" in the value (e.g. "*" or "arn:aws:iam::account:user/*") matches,
      # while a fully qualified user ARN does not.
      - metavariable-pattern:
          metavariable: $RESOURCE
          pattern-either:
            - pattern-regex: .*\*.*
      # Only these credential-creation/reset actions and the iam:* wildcard
      # are reported. Other user-targeted actions in the referenced Checkov
      # list (for example iam:AttachUserPolicy, iam:PutUserPolicy) are not
      # covered by this rule.
      - metavariable-pattern:
          metavariable: $ACTION
          pattern-either:
            - pattern: |
                "iam:CreateAccessKey"
            - pattern: |
                "iam:CreateLoginProfile"
            - pattern: |
                "iam:UpdateLoginProfile"
            - pattern: |
                "iam:*"
    message: Ensure that IAM policies with permissions on other users don't allow
      for privilege escalation. This can lead to an attacker gaining full
      administrator access of AWS accounts. Instead, specify which user the
      permission should be used on or do not use the listed actions. $RESOURCE
    metadata:
      references:
        - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/
        - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py
      category: security
      cwe:
        - "CWE-269: Improper Privilege Management"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING
Examples
no-iam-priv-esc-other-users.tf
# Not reported: iam:CreateAccessKey is scoped to one named user ARN, so the
# Resource value contains no "*" and the rule's wildcard-resource check does
# not match.
resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-other-users
        Action = [
          "iam:CreateAccessKey",
        ]
        Effect = "Allow"
        Resource = ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws.username}"]
      },
    ]
  })
}
# Identical to the preceding example (same address aws_iam_user_policy.lb_ro);
# presumably a duplication on this page rather than in the fixture, since
# Terraform would reject two resources with the same address in one module.
# Not reported for the same reason: the Resource is one named user ARN.
resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-other-users
        Action = [
          "iam:CreateAccessKey",
        ]
        Effect = "Allow"
        Resource = ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws.username}"]
      },
    ]
  })
}
# Not reported: the Resource is a wildcard, but "ec2:Describe" is not one of
# the actions the rule looks for, so the $ACTION check fails.
# NOTE(review): aws_iam_policy has no `user` argument as far as I can tell
# (it belongs to aws_iam_user_policy); the fixture is only parsed by Semgrep,
# so Terraform never validates it — confirm.
resource "aws_iam_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-other-users
        Action = [
          "ec2:Describe",
        ]
        Effect = "Allow"
        Resource = ["*"]
      },
    ]
  })
}
# Not reported: iam:* is granted, but only on one named user ARN, so the
# resources value contains no "*". The principals block is not examined by
# the rule, whose pattern reads only `actions` and `resources`.
data aws_iam_policy_document "policy" {
  statement {
    # ok: no-iam-priv-esc-other-users
    actions = ["iam:*"]
    principals {
      type = "AWS"
      identifiers = ["*"]
    }
    resources = ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws.username}"]
  }
}
# Reported: iam:CreateLoginProfile is allowed on Resource "*", i.e. on every
# user in the account, which is the escalation path the rule is about.
# NOTE(review): `path` and `description` look like aws_iam_policy arguments
# rather than aws_iam_user_policy ones, and the `user` argument is absent;
# the fixture is only parsed by Semgrep, not validated by Terraform — confirm.
resource "aws_iam_user_policy" "policy" {
  name = "test_policy"
  path = "/"
  description = "My test policy"
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-other-users
        Action = "iam:CreateLoginProfile"
        Effect = "Allow"
        Resource = "*"
      },
    ]
  })
}
# Reported: iam:CreateAccessKey on "arn:aws:iam::account:user/*" — the "*"
# in the user position is enough for the rule's resource regex to match,
# even though the account part is fixed.
# NOTE(review): same fixture quirks as the previous example (`path`,
# `description`, missing `user`); Terraform never validates it — confirm.
resource "aws_iam_user_policy" "policy" {
  name = "test_policy"
  path = "/"
  description = "My test policy"
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-other-users
        Action = "iam:CreateAccessKey"
        Effect = "Allow"
        Resource = "arn:aws:iam::account:user/*"
      },
    ]
  })
}
# Reported: the Action is written as a list rather than a string, which the
# rule still matches, and Resource "arn:aws:iam::*:user/*" carries "*" in
# both the account and the user position.
resource "aws_iam_policy" "policy" {
  name = "test_policy"
  path = "/"
  description = "My test policy"
  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-other-users
        Action = ["iam:UpdateLoginProfile"]
        Effect = "Allow"
        Resource = "arn:aws:iam::*:user/*"
      },
    ]
  })
}
# Reported: iam:* on resources ["*"] — every IAM action on every principal —
# matches both the iam:* entry under $ACTION and the wildcard-resource check.
# The principals block plays no part in the match.
data aws_iam_policy_document "policy" {
  statement {
    # ruleid: no-iam-priv-esc-other-users
    actions = ["iam:*"]
    principals {
      type = "AWS"
      identifiers = ["*"]
    }
    resources = ["*"]
  }
}