terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users

Author
unknown

Ensure that IAM policies with permissions on other users don't allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE



Definition

rules:
  # Flags IAM policy statements that grant user-credential actions (access keys,
  # login profiles, or the iam:* wildcard) on a Resource containing "*", i.e.
  # potentially on users other than the caller. Two policy sources are covered:
  # inline jsonencode({...}) policies on IAM policy resources, and
  # aws_iam_policy_document data blocks. Only Allow statements are of interest;
  # any Deny in the same block suppresses the finding (see pattern-not-inside).
  - id: no-iam-priv-esc-other-users
    patterns:
      - pattern-either:
          # Variant 1: an IAM policy resource whose policy is an inline
          # jsonencode({ Statement = [ ... ] }) literal.
          - patterns:
              # NOTE(review): this pattern-inside is scoped to the whole resource,
              # not to one Statement object, so $RESOURCE may be bound from a
              # different statement than the one that carries $ACTION (possible
              # false positive on multi-statement policies). Scoping the
              # Action/Resource pair to a single `{... ...}` object would be
              # tighter — TODO confirm semgrep's HCL object matching allows it.
              - pattern-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...,
                        {... Resource = $RESOURCE ...},
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              # NOTE(review): likewise resource-scoped: a single Deny statement
              # anywhere in the policy excludes every other (Allow) statement in
              # the same resource from the check — a possible false negative.
              - pattern-not-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...,
                        {... Effect = "Deny" ...},
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              # $ACTION may be a single string or a list; the metavariable-pattern
              # on $ACTION below matches the listed literals inside either form
              # (the examples include both `Action = "..."` and `Action = ["..."]`).
              - pattern: |
                  Action = $ACTION
              # Restricts variant 1 to the resource types that carry an inline
              # `policy` argument.
              # NOTE(review): aws_iam_role with an inline_policy {} block is not
              # listed — confirm whether that omission is intended.
              - metavariable-pattern:
                  metavariable: $TYPE
                  pattern-either:
                    - pattern: |
                        "aws_iam_role_policy"
                    - pattern: |
                        "aws_iam_policy"
                    - pattern: |
                        "aws_iam_user_policy"
                    - pattern: |
                        "aws_iam_group_policy"
          # Variant 2: an aws_iam_policy_document data block. `actions` and
          # `resources` are always lists in this form.
          - patterns:
              # NOTE(review): same block-level scoping caveat as variant 1 —
              # $RESOURCE and $ACTION can come from different `statement {}` blocks.
              - pattern-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      resources = $RESOURCE
                      ...
                    }
                    ...
                  }
              # Any Deny statement in the data block suppresses the finding for
              # the whole block (see the note on variant 1).
              - pattern-not-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      effect = "Deny"
                      ...
                    }
                    ...
                  }
              - pattern: |
                  actions = [..., $ACTION, ...]
      # The resource must contain a wildcard somewhere. The regex is unanchored,
      # so a bare "*", "arn:aws:iam::*:user/*" and "arn:aws:iam::account:user/*"
      # (all in the examples) match; a fully qualified single-user ARN does not.
      - metavariable-pattern:
          metavariable: $RESOURCE
          pattern-either:
            - pattern-regex: .*\*.*
      # The user-targeting actions considered to enable escalation: minting
      # credentials for another user, or the iam:* wildcard that includes them.
      # NOTE(review): these literal patterns are case-sensitive, while AWS
      # evaluates action names case-insensitively, so a differently cased action
      # string would be missed — consider a pattern-regex with (?i) if that
      # matters. The list is also narrower than the referenced cloudsplaining
      # glossary; confirm the intended scope.
      - metavariable-pattern:
          metavariable: $ACTION
          pattern-either:
            - pattern: |
                "iam:CreateAccessKey"
            - pattern: |
                "iam:CreateLoginProfile"
            - pattern: |
                "iam:UpdateLoginProfile"
            - pattern: |
                "iam:*"
    # The trailing $RESOURCE is interpolated into the finding text so the
    # offending resource value is shown.
    message: Ensure that IAM policies with permissions on other users don't allow
      for privilege escalation. This can lead to an attacker gaining full
      administrator access of AWS accounts. Instead, specify which user the
      permission should be used on or do not use the listed actions. $RESOURCE
    metadata:
      references:
        - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/
        - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py
      category: security
      cwe:
        - "CWE-269: Improper Privilege Management"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: LOW
      # NOTE(review): impact LOW is at odds with the message, which describes
      # full administrator takeover of the account — confirm the intended rating.
      impact: LOW
      # LOW confidence reflects the block-level (not statement-level) matching
      # noted above; findings need manual review of the actual statement.
      confidence: LOW
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING

Examples

no-iam-priv-esc-other-users.tf

# Expected: no finding. The action is on the rule's list, but Resource is a
# single, fully qualified user ARN with no "*", so the $RESOURCE regex fails.
# NOTE(review): the IAM policy variable is `${aws:username}`; inside an HCL
# string it must be escaped as `$${aws:username}`. As written, `${aws.username}`
# is a Terraform interpolation of a reference named `aws.username`, which would
# not resolve — harmless for the semgrep test, which only reads the annotations.
resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-other-users
        Action = [
          "iam:CreateAccessKey",
        ]
        Effect   = "Allow"
        Resource = ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws.username}"]
      },
    ]
  })
}

# Expected: no finding — same reason as above (specific user ARN, no wildcard).
# NOTE(review): this block is a verbatim duplicate of the preceding fixture,
# including the resource address "aws_iam_user_policy" "lb_ro"; Terraform would
# reject the duplicate address, and it adds no coverage to the rule test.
resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-other-users
        Action = [
          "iam:CreateAccessKey",
        ]
        Effect   = "Allow"
        Resource = ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws.username}"]
      },
    ]
  })
}

# Expected: no finding. Resource is the wildcard "*", but the action is not one
# of the user-credential actions the rule lists, so the $ACTION check fails.
# NOTE(review): aws_iam_policy does not take a `user` argument (that belongs to
# aws_iam_user_policy), and "ec2:Describe" is an action prefix rather than a
# complete action name; both are fine for matching but would not apply cleanly.
resource "aws_iam_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-priv-esc-other-users
        Action = [
          "ec2:Describe",
        ]
        Effect   = "Allow"
        Resource = ["*"]
      },
    ]
  })
}

# Expected: no finding (data-source variant). "iam:*" is on the action list, but
# `resources` names one specific user ARN with no wildcard.
# NOTE(review): the `principals` block is only meaningful in a resource-based
# policy and is ignored by this rule; the `${aws.username}` interpolation has the
# same escaping issue noted on the first fixture (`$${aws:username}`).
data aws_iam_policy_document "policy" {
   statement {
     # ok: no-iam-priv-esc-other-users
     actions = ["iam:*"]
     principals {
       type        = "AWS"
       identifiers = ["*"]
     }
     resources = ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/${aws.username}"]
   }
}

# Expected: finding. Action is a single string on the rule's list and Resource
# is the bare wildcard "*", i.e. a login profile may be set for any user.
# NOTE(review): `path` and `description` are aws_iam_policy arguments, and the
# required `user` argument is missing here — irrelevant to the semgrep match,
# but the fixture would not apply as Terraform.
resource "aws_iam_user_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-other-users
        Action = "iam:CreateLoginProfile"
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
# Expected: finding. The Resource is account-scoped but ends in "user/*", so the
# wildcard regex matches: access keys could be created for every user in the
# account. (Same resource address as the fixture above — duplicate in Terraform
# terms, harmless for the rule test.)
resource "aws_iam_user_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-other-users
        Action = "iam:CreateAccessKey"
        Effect   = "Allow"
        Resource = "arn:aws:iam::account:user/*"
      },
    ]
  })
}

# Expected: finding. Exercises the list form of Action and a Resource with
# wildcards in both the account and user positions.
resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ruleid: no-iam-priv-esc-other-users
        Action = ["iam:UpdateLoginProfile"]
        Effect   = "Allow"
        Resource = "arn:aws:iam::*:user/*"
      },
    ]
  })
}

# Expected: finding (data-source variant). "iam:*" on resources ["*"] grants
# every IAM action on every principal, which includes all listed actions.
# (The data source name "policy" is reused from the earlier ok fixture.)
data aws_iam_policy_document "policy" {
   statement {
     # ruleid: no-iam-priv-esc-other-users
     actions = ["iam:*"]
     principals {
       type        = "AWS"
       identifiers = ["*"]
     }
     resources = ["*"]
   }
}