AWS IAM policies that allow full "*-*" administrative privileges are created
Description
Creating IAM policies that grant full "*-*" administrative privileges (every action on every resource) effectively provides unlimited access to all resources in an AWS account, which violates the principle of least privilege. Such policies create security risk by granting overly broad permissions that a malicious actor who obtains the associated credentials can use without restriction. IAM policies should be scoped down to only the permissions necessary for the specific tasks or roles they are meant to support. This policy aims to detect and prevent the creation of IAM policies with overly permissive configurations, promoting better security practices in managing AWS resources.
Code Example
# Example of a more restrictive IAM policy definition
resource "aws_iam_policy" "example" {
  name        = "example_policy"
  description = "A more restrictive policy example"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example_bucket",
        "arn:aws:s3:::example_bucket/*"
      ]
    }
  ]
}
EOF
}
Remediation
Terraform
Resources: aws_iam_role_policy, aws_iam_user_policy, aws_iam_group_policy, aws_iam_policy, aws_ssoadmin_permission_set_inline_policy
Policy Definition: Avoid using broad permissions in the policy and inline_policy definitions.
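To make the detection logic described above concrete, the following is an added example (not Checkov's implementation and not part of this rule page) of a minimal check over an IAM policy document, the JSON that goes into the policy or inline_policy attribute of the Terraform resources listed above. It flags any statement with Effect "Allow", an Action of "*" and a Resource of "*", normalising the string-or-list forms IAM permits. The sample policies are constructed for the example; the restrictive one mirrors the s3 policy shown earlier on this page.

```python
import json

# Constructed sample policy documents for the example. The restrictive one
# mirrors the page's s3 example; the others are made up to exercise the check.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

RESTRICTIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::example_bucket",
                "arn:aws:s3:::example_bucket/*",
            ],
        }
    ],
})

# Only the second statement is full "*-*" admin. The first scopes the action
# (wildcard resource alone is not what this rule targets), and the third is a
# Deny, which restricts rather than grants.
MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin_statement(stmt):
    """True when a statement allows every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def find_full_admin_statements(policy_json):
    """Return the indexes of offending statements in a policy document string.

    A policy with an empty result passes the check; any index returned is a
    finding that should block the resource from being created.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    # A single statement may also be written as a bare object rather than a list.
    if isinstance(statements, dict):
        statements = [statements]
    return [i for i, stmt in enumerate(statements) if is_full_admin_statement(stmt)]


if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY),
                         ("restrictive", RESTRICTIVE_POLICY),
                         ("mixed", MIXED_POLICY)]:
        hits = find_full_admin_statements(policy)
        print(f"{name}: {'FAIL ' + str(hits) if hits else 'PASS'}")
```

The check only looks at Action and Resource, as the rule definition does; a statement written with NotAction or NotResource is a separate case and would need its own handling before being treated as scoped down.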
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0115 |
| Severity | CRITICAL |
| IaC Type | Cloudformation |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_62 |