AWS IAM policies that allow full administrative privileges are created
Description
IAM policies are the means by which privileges are granted to users, groups, and roles. Standard security practice is to grant least privilege, that is, to grant only the permissions required to perform a task. Granting full administrative privileges (an Allow statement on every action over every resource) exposes every resource in the account to potentially unwanted actions by whoever holds that identity. We recommend:
- You determine what users need to do, then craft policies allowing them to perform only those tasks.
- You do not allow all users full administrative privileges.
- You start with a minimum set of permissions and grant additional permissions as necessary.
- IAM policies that have a statement with Effect: Allow with Action: * over Resource: * are removed.
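The check the rule describes can be run over a raw IAM policy document. The following Python is an added example written for this page; it is not Checkov's own implementation of CKV_AWS_1 and the sample policies are constructed. It handles the shapes IAM permits that a naive check misses: `Statement` as a single object or a list, `Action` and `Resource` as a string or a list, and a `Deny` statement, which is not a finding even though it uses `*`:

```python
"""Detect IAM policy statements that grant full administrative privileges
(Effect: Allow, Action: "*", Resource: "*"), the pattern this rule flags.
Added example for illustration, not code from the rule page or from Checkov."""
import json


def _as_list(value):
    """IAM allows most statement fields to be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(values):
    """True when any entry is a bare '*', i.e. a wildcard over everything.
    Service-scoped wildcards such as 's3:*' are a different finding and are
    deliberately not matched here."""
    return any(v == "*" for v in _as_list(values))


def find_admin_statements(policy):
    """Return the Sid (or a positional label) of every statement that allows
    Action '*' over Resource '*'. Accepts a JSON string or an already parsed
    dict. 'Statement' may be a single object or a list of objects."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with '*' restricts, it does not grant
        # Only the positive forms count; NotAction/NotResource are not '*'.
        if _is_wildcard(stmt.get("Action")) and _is_wildcard(stmt.get("Resource")):
            findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


# Constructed sample policies; none of these come from a real account.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadBuckets", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

# The remediated shape from the rule's Terraform example: a scoped action list.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:Describe*"], "Resource": "*"},
})

# Wildcards under Deny are a guardrail, not a grant, so this is not a finding.
DENY_ALL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"},
})

if __name__ == "__main__":
    for name, doc in [("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY), ("deny", DENY_ALL_POLICY)]:
        print(f"{name}: {find_admin_statements(doc)}")
```

Run it on the JSON that `terraform show -json` or `aws iam get-policy-version` returns for a policy; an empty list means no statement in that document grants full administrative privileges. A `"*"` buried in a longer action list (for example `["iam:*", "*"]`) is still reported, because the wildcard entry makes the rest of the list irrelevant.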
Remediation
Terraform
Resource: aws_iam_policy_document
Code Example
```hcl
data "aws_iam_policy_document" "fail" {
  version = "2012-10-17"
  statement {
    effect = "Allow"
    actions = [
-     "*"
+     "s3:Describe*"
    ]
    resources = [
      "*",
    ]
  }
}
```
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0056 |
| Severity | LOW |
| IaC Type | Serverless |
| Frameworks | Terraform, Serverless, TerraformPlan |
| Checkov ID | CKV_AWS_1 |