Credentials exposure actions return credentials in an API response
Description
AWS IAM users access AWS resources using different types of credentials, such as passwords or access keys. Credentials exposure actions return credentials as part of the API response, for example ecr:GetAuthorizationToken and iam:UpdateAccessKey, among others. Allowing these actions lets a principal obtain or rotate credentials it did not originally hold, so such permissions should be scoped to the resources that need them. For more information, see the Cloudsplaining documentation: https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/
Code Example
```hcl
data "aws_iam_policy_document" "example" {
  statement {
    sid    = "1"
    effect = "Allow"
    actions = [
      "lambda:CreateFunction",
      "lambda:CreateEventSourceMapping",
      "dynamodb:CreateTable",
    ]
    resources = [
      "*",
    ]
  }
}
```
Remediation
Terraform
- Resource: aws_iam_policy_document
- Arguments: effect + actions
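The following is an added illustration of the check this rule performs, not Checkov's or Cloudsplaining's own code: it walks the statements of an IAM policy document, expands action wildcards such as `iam:*`, and reports Allow statements granting a credentials-exposure action. The action list contains the two actions named above plus an assumed subset; a real check would load the full list from the Cloudsplaining glossary.

```python
import fnmatch
import json

# Actions classed as "credentials exposure". The two named on this page are
# present; the remaining entries are an assumed subset for illustration and
# should be taken from the Cloudsplaining glossary in a real check.
CREDENTIALS_EXPOSURE_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "iam:UpdateAccessKey",
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "sts:AssumeRole",
}


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string, a list, or absent."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_credentials_exposure(policy: dict) -> list:
    """Return one finding per Allow statement that grants a credentials-exposure
    action. Patterns such as "iam:*" or "*" are matched with fnmatch because a
    wildcard grants the sensitive action without naming it explicitly."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements remove permissions; they are not findings
        matched = sorted({
            action
            for action in CREDENTIALS_EXPOSURE_ACTIONS
            for pattern in _as_list(stmt.get("Action"))
            # IAM action matching is case-insensitive, so compare lower-cased
            if fnmatch.fnmatchcase(action.lower(), pattern.lower())
        })
        if matched:
            findings.append({"sid": stmt.get("Sid"), "actions": matched,
                             "resources": _as_list(stmt.get("Resource"))})
    return findings


# Constructed sample policies. SAFE_POLICY mirrors the page's Terraform example
# and passes; RISKY_POLICY grants iam:* and therefore fails the check.
SAFE_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Sid": "1",
  "Effect": "Allow", "Action": ["lambda:CreateFunction", "dynamodb:CreateTable"],
  "Resource": "*"}]}''')
RISKY_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Sid": "Keys",
  "Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}''')
```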
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0160 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_107 |