
AWS IAM Policy permission may cause privilege escalation

Description

Privilege escalation is when a user obtains rights or permissions beyond what they ought to have. If an IAM policy enables privilege escalation, it means that a user or service with lower levels of access could potentially gain higher-level privileges.

For instance, a user with read-only access could exploit vulnerabilities to get administrative access. This is bad because it increases the risk of unintended or malicious activities, potentially leading to data loss, corruption, or unauthorized access. Therefore, it's critical that IAM policies are designed not to allow privilege escalation, thus reducing the possibility of such breaches.

Code Example

```hcl
resource "aws_iam_policy" "example" {
  name        = "example"
  path        = "/"
  description = "A test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
EOF
}
```

Remediation

Terraform

  • Resource: aws_iam_policy
  • Arguments: policy

To fix this issue, list explicitly the actions the IAM policy allows, and avoid wildcards (*), which may grant more permissions than necessary.

Also, avoid granting IAM actions that can change the permissions of IAM users, groups or roles, since they can be used for privilege escalation. IAM actions that can cause privilege escalation include: iam:AddUserToGroup, iam:AttachUserPolicy, iam:AttachRolePolicy, iam:AttachGroupPolicy, iam:PutUserPolicy, iam:PutRolePolicy, iam:PutGroupPolicy, etc.
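A small checker for the remediation above, added here as an example (it is not the page's or the scanner's own code): it parses an IAM policy document and reports every Allow statement whose Action patterns, wildcards included, cover one of the permission-changing IAM actions listed. It also goes one step beyond the text by treating the NotAction form conservatively; the action list is taken from the paragraph above and the sample policy is constructed.

```python
import json
import re

# IAM actions named in the remediation text above: each lets a principal
# change which permissions a user, group or role holds.
PRIVESC_IAM_ACTIONS = [
    "iam:AddUserToGroup", "iam:AttachUserPolicy", "iam:AttachRolePolicy",
    "iam:AttachGroupPolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:PutGroupPolicy",
]

def _as_list(value):
    """Statement, Action and NotAction may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive; '*' and '?' are the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def find_privesc_grants(policy_json: str) -> list:
    """Return (statement index, pattern, action) for each Allow statement whose
    Action patterns cover a permission-changing IAM action. Allow + NotAction
    grants everything not listed, so unexcluded actions are reported too."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            for action in PRIVESC_IAM_ACTIONS:
                if not any(action_matches(p, action) for p in excluded):
                    findings.append((idx, "NotAction", action))
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in PRIVESC_IAM_ACTIONS:
                if action_matches(pattern, action):
                    findings.append((idx, pattern, action))
    return findings

# Constructed sample: statement 0 is the page's read-only S3 grant (clean);
# statement 1 grants "iam:*", which covers all seven listed actions.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
]})
```

Run it over the `policy` heredoc of each `aws_iam_policy` resource; an empty result means the policy grants none of the listed actions, directly or through a wildcard.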

Rule Details

| Field      | Value                   |
|------------|-------------------------|
| ID         | IAC-0334                |
| Severity   | MEDIUM                  |
| IaC Type   | Terraform               |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_286             |

References