terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions

Ensure that no IAM policies allow "*" as a statement's actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.

Definition

rules:
  - id: no-iam-star-actions
    patterns:
      - pattern-either:
          - patterns:
              - pattern-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              - pattern-not-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...,
                        {... Effect = "Deny" ...},
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              - pattern-either:
                  - pattern: Action = "*"
                  - pattern: Action = ["*"]
              - metavariable-pattern:
                  metavariable: $TYPE
                  pattern-either:
                    - pattern: |
                        "aws_iam_role_policy"
                    - pattern: |
                        "aws_iam_policy"
                    - pattern: |
                        "aws_iam_user_policy"
                    - pattern: |
                        "aws_iam_group_policy"
          - patterns:
              - pattern-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                    }
                    ...
                  }
              - pattern-not-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      effect = "Deny"
                      ...
                    }
                    ...
                  }
              - pattern: |
                  actions = ["*"]
    message: Ensure that no IAM policies allow "*" as a statement's actions. This
      allows all actions to be performed on the specified resources, and is a
      violation of the principle of least privilege. Instead, specify the
      actions that a certain user or policy is allowed to take.
    metadata:
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
        - https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py
      category: security
      cwe:
        - "CWE-269: Improper Privilege Management"
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      vulnerability_class:
        - Improper Authorization
    languages:
      - hcl
    severity: WARNING
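As an added example, not part of the Semgrep rule or this page, the same check written in Python against a rendered IAM policy JSON document (what the page's jsonencode({...}) blocks evaluate to): an Allow statement whose Action is "*" or ["*"] is flagged, a Deny statement is not, and a service wildcard such as "s3:*" is not matched, just as the rule above does not match it. The function name find_star_actions and the sample policy are constructed here; the code goes slightly beyond the rule by deciding per statement (the rule's pattern-not-inside clauses are scoped to the whole resource or data block) and by flagging "*" even when it appears alongside other listed actions.

```python
import json
from typing import Any, Dict, List

# Constructed sample policy document (not taken from the page): one
# least-privilege statement, two star-action statements, one Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": ["*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a single string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_star_actions(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement whose Action contains exactly "*".

    Like the Semgrep rule, a Deny statement is never flagged and a scoped
    wildcard such as "s3:*" is not treated as a match.
    """
    policy = json.loads(policy_json)
    findings: List[Dict[str, Any]] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") == "Deny":
            continue  # denying everything is not a privilege grant
        actions = _as_list(stmt.get("Action"))
        if any(action == "*" for action in actions):
            findings.append({
                "statement_index": index,
                "resource": stmt.get("Resource"),
                "message": 'statement allows "*" as its action; list the actions '
                           'this principal actually needs instead',
            })
    return findings


if __name__ == "__main__":
    for finding in find_star_actions(SAMPLE_POLICY):
        print(finding)
```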

Examples

no-iam-star-actions.tf

resource "aws_iam_user_policy" "lb_ro" {
  name = "test"
  user = aws_iam_user.lb.name

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # ok: no-iam-star-actions
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

data aws_iam_policy_document "policy" {
   statement {
     # ok: no-iam-star-actions
     actions = ["ec2:Describe"]
     principals {
       type        = "AWS"
       identifiers = ["*"]
     }
     resources = ["*"]
   }
}

resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        #ruleid: no-iam-star-actions
        Action = "*"
        Effect   = "Allow"
        Resource = "s3"
      },
    ]
  })
}

resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        #ruleid: no-iam-star-actions
        Action = ["*"]
        Effect   = "Allow"
        Resource = "s3"
      },
    ]
  })
}

data aws_iam_policy_document "policy" {
   statement {
     # ruleid: no-iam-star-actions
     actions = ["*"]
     principals {
       type        = "AWS"
       identifiers = ["*"]
     }
     resources = ["someResource"]
   }
}