Data exfiltration allowed without resource constraints
Description
This rule reports IAM policy statements that allow certain read-only actions without a resource constraint (that is, with resources set to "*"), such as s3:GetObject, ssm:GetParameter*, or secretsmanager:GetSecretValue. Read access that is not scoped to specific resources is a common route for data exfiltration:
- Unrestricted s3:GetObject permissions have a long history of customer data leaks.
- ssm:GetParameter* and secretsmanager:GetSecretValue are both used to read secrets.
- rds:CopyDBSnapshot and rds:CreateDBSnapshot can be used to exfiltrate RDS database contents.
For more information, visit the https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/[cloudsplaining documentation].
Code Example
```hcl
data "aws_iam_policy_document" "fail" {
  version = "2012-10-17"
  statement {
    effect = "Allow"
    actions = [
      # The following five actions are data exfiltration actions; granting
      # them with resources = ["*"] is what this rule reports.
      "s3:GetObject",
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
      "secretsmanager:GetSecretValue",
      # These two are not in the data exfiltration list and do not by
      # themselves trigger the rule.
      "s3:GetBucketTagging",
      "ec2:CreateTags"
    ]
    resources = [
      "*",
    ]
  }
}
```
Remediation
Terraform
- Resource: aws_iam_policy_document
- Arguments: effect + actions + resources
Either remove the data exfiltration actions from the Allow statement, or give that statement a resource constraint: replace resources = ["*"] with the ARNs of the specific buckets, parameters or secrets the principal actually needs. Note that wildcard action patterns that cover these actions, such as ssm:GetParameter*, are treated the same way as the explicit action names.
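The following is an added example, not code from the original page or from the Checkov project: a remediated counterpart to the "fail" policy document above. The actions are unchanged, but every data exfiltration action is now constrained to a specific resource, so no statement grants those actions with resources = ["*"]. The bucket name, parameter path, secret name, region and account ID used in the ARNs are placeholders chosen for illustration.

```hcl
# Added example (not from the original page). Same actions as the "fail"
# document, but each data exfiltration action is scoped to the resources
# it needs. All ARNs below are constructed placeholders: substitute your
# own bucket, parameter path, secret, region and account ID.

data "aws_iam_policy_document" "pass" {
  version = "2012-10-17"

  # s3:GetObject limited to objects in one bucket (placeholder bucket name).
  statement {
    sid       = "ReadAppObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-app-data/*"]
  }

  # Parameter reads limited to one path prefix (placeholder path /app/*).
  statement {
    sid    = "ReadAppParameters"
    effect = "Allow"
    actions = [
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
    ]
    resources = ["arn:aws:ssm:us-east-1:123456789012:parameter/app/*"]
  }

  # Secret reads limited to one secret. Secrets Manager appends a random
  # suffix to secret ARNs, so a trailing wildcard on the secret name is the
  # usual way to reference a single secret without hard-coding that suffix.
  statement {
    sid       = "ReadAppSecret"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-*"]
  }

  # These two actions are not in the data exfiltration list, so they are
  # outside the scope of this rule and are kept in their own statement;
  # least privilege still argues for scoping them where the service allows.
  statement {
    sid       = "Tagging"
    effect    = "Allow"
    actions   = ["s3:GetBucketTagging", "ec2:CreateTags"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "pass" {
  name   = "app-read-scoped"
  policy = data.aws_iam_policy_document.pass.json
}
```

To confirm the change, run Checkov against the directory with only this rule enabled, for example checkov -d . --check CKV_AWS_108: the "fail" document is reported and the "pass" document is not.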
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0161 |
| Severity | LOW |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_108 |