AWS SageMaker notebook instance IAM policy is overly permissive
Description
This policy checks whether IAM policies for SageMaker Notebook Instances are overly permissive. Overly permissive IAM policies can grant unauthorized access, potentially leading to data breaches or loss. This includes unauthorized users modifying configurations or deleting resources. This policy enforces least privilege, ensuring users only have necessary permissions for their tasks, strengthening your security posture.
Code Example
```hcl
resource "aws_iam_role" "example_role_restricted" {
  name = "example_role_restricted"

  # Trust policy: only the SageMaker service may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "sagemaker.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })

  # Permissions policy: the wildcard action is replaced with the one action the notebook needs.
  inline_policy {
    name = "example_role_restricted_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
-         Action   = "*"
+         Action   = "s3:ListBucket"
          Resource = "arn:aws:s3:::example-bucket"
        }
      ]
    })
  }
}

resource "aws_sagemaker_notebook_instance" "example" {
  ...
  role_arn = aws_iam_role.example_role_restricted.arn
}
```
Remediation
Terraform
- Resource: aws_sagemaker_notebook_instance, aws_iam_role
- Arguments: policy
Ensure the IAM role attached to the SageMaker notebook does not have an Allow statement with Action = "*".
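The condition this rule checks, as an added detector that is not part of the page or of Checkov: it flags Allow statements whose Action is "*" in an IAM policy document, and walks a `terraform show -json` plan (assumed to be flat, with no child modules) to report which aws_iam_role resources carry such an inline policy. The policies and plan below are constructed samples mirroring the diff above.

```python
import json

# Constructed samples and a plan layout following `terraform show -json`
# (planned_values.root_module.resources); child modules are ignored by assumption.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def find_wildcard_allow_statements(policy_doc):
    """Return the Allow statements of an IAM policy document that grant Action "*"."""
    if isinstance(policy_doc, str):          # jsonencode() output arrives as a string
        policy_doc = json.loads(policy_doc)
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))  # "Action" may be a string or a list
        if any(str(a).strip() == "*" for a in actions):
            findings.append(stmt)
    return findings

def is_overly_permissive(policy_doc):
    return bool(find_wildcard_allow_statements(policy_doc))

def flag_roles_in_plan(plan):
    """Return addresses of aws_iam_role resources whose inline policies fail the check."""
    flagged = []
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        if res.get("type") != "aws_iam_role":
            continue
        for inline in res.get("values", {}).get("inline_policy") or []:
            if is_overly_permissive(inline.get("policy") or "{}"):
                flagged.append(res["address"])
                break
    return flagged

# Constructed samples: the "before" and "after" policies from the page's diff.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket"}]}
AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]}
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_iam_role.example_role", "type": "aws_iam_role",
     "values": {"inline_policy": [{"name": "p", "policy": json.dumps(BEFORE)}]}},
    {"address": "aws_iam_role.example_role_restricted", "type": "aws_iam_role",
     "values": {"inline_policy": [{"name": "p", "policy": json.dumps(AFTER)}]}},
]}}}
```

Running `flag_roles_in_plan(SAMPLE_PLAN)` returns only the role that still grants `Action = "*"`.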
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0501 |
| Severity | MEDIUM |
| IaC Type | CloudFormation |
| Frameworks | Terraform, TerraformPlan, CloudFormation |
| Checkov ID | CKV2_AWS_68 |