IAM policies allow exposure of credentials
Description
This check verifies that an Identity and Access Management (IAM) policy does not grant actions that create or return credentials, such as `iam:CreateAccessKey`, `iam:CreateLoginProfile`, `sts:AssumeRole`, `sts:GetFederationToken` or `ecr:GetAuthorizationToken`, whether named directly or reached through a wildcard such as `iam:*`, `sts:*` or `*`. A principal that can obtain credentials for another identity can act as that identity, so a policy written for one narrow task can become a path to viewing, modifying or deleting data in resources the principal was never meant to reach, with consequences ranging from a data breach to the shutdown of production systems. IAM policies should therefore grant credential-returning actions only when the workload genuinely needs them, and then as specifically as possible.
Code Example
```hcl
resource "aws_iam_policy" "example" {
  name        = "example"
  path        = "/"
  description = "An example policy"

  # The check inspects the JSON policy document passed in the policy argument.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

# Attaches the policy to a role defined elsewhere in the configuration.
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.test_role.name
  policy_arn = aws_iam_policy.example.arn
}
```
Remediation
Terraform
- Resource: aws_iam_policy
- Arguments: policy
To fix this issue, review the JSON document in the policy argument and remove actions that create or return credentials (for example `iam:CreateAccessKey`, `sts:AssumeRole` or `ecr:GetAuthorizationToken`) unless the principal genuinely needs them, and replace service-wide wildcards such as `iam:*`, `sts:*` or `*` with the specific actions the workload requires. Where such an action is required, grant it on its own, scope Resource to the exact role, user or registry involved and add Condition keys where the service supports them, so that the policy follows the principle of least privilege.
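As an added example (not the rule's implementation, nor code from Checkov or from this page), the following Python re-creates the core of this check: it pulls each `policy = <<EOF ... EOF` document out of a Terraform snippet and reports the credential-returning actions that its Allow statements grant, expanding IAM wildcards the way the description above describes. The action catalogue is an illustrative subset, and the heredoc regex, the `scan` helper and the two sample resources are assumptions constructed for this example; the first resource shows the failing form and the second the remediated form.

```python
import fnmatch
import json
import re

# Illustrative subset of actions that create or return credentials (assumed for
# this example; a real scanner ships a fuller catalogue). Stored lower-case
# because IAM action names are matched case-insensitively.
CREDENTIAL_EXPOSING_ACTIONS = frozenset({
    "iam:createaccesskey",
    "iam:createloginprofile",
    "sts:assumerole",
    "sts:getfederationtoken",
    "sts:getsessiontoken",
    "ecr:getauthorizationtoken",
    "redshift:getclustercredentials",
    "rds-db:connect",
})


def _as_list(value):
    """IAM accepts a single string wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    """IAM wildcard semantics ('*' and '?') over a lower-cased action name."""
    return fnmatch.fnmatchcase(action, pattern.lower())


def exposed_actions(policy_json):
    """Catalogued credential-exposing actions granted by the document's Allow
    statements, after expanding wildcards such as '*', 'iam:*' or 'sts:Get*'.
    Deny statements are ignored on purpose: a Deny elsewhere may narrow the
    grant, but the Allow itself still deserves review."""
    doc = json.loads(policy_json)
    found = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # NotAction allows everything except the listed patterns.
            excluded = _as_list(stmt["NotAction"])
            found.update(a for a in CREDENTIAL_EXPOSING_ACTIONS
                         if not any(_matches(a, p) for p in excluded))
            continue
        for pattern in _as_list(stmt.get("Action")):
            found.update(a for a in CREDENTIAL_EXPOSING_ACTIONS if _matches(a, pattern))
    return sorted(found)


# Hypothetical heredoc extractor: matches `policy = <<EOF ... EOF` (or <<-EOF).
HEREDOC = re.compile(r'policy\s*=\s*<<-?(\w+)\s*\n(.*?)\n\s*\1\b', re.DOTALL)


def policy_documents(hcl_text):
    """JSON bodies of every policy heredoc in a Terraform snippet. This does not
    parse HCL, so policies built with jsonencode() or data sources are not seen."""
    return [body for _, body in HEREDOC.findall(hcl_text)]


def scan(hcl_text):
    """Map each heredoc policy (by position) to the exposing actions it grants."""
    return {i: exposed_actions(doc) for i, doc in enumerate(policy_documents(hcl_text))}


# Constructed Terraform input: the first policy fails the check, the second passes.
SAMPLE_TF = '''
resource "aws_iam_policy" "ci" {
  name   = "ci"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["sts:*", "iam:CreateAccessKey"], "Resource": "*"}
  ]
}
EOF
}

resource "aws_iam_policy" "ci_fixed" {
  name   = "ci-fixed"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "sts:GetCallerIdentity"], "Resource": "*"}
  ]
}
EOF
}
'''

if __name__ == "__main__":
    for index, actions in scan(SAMPLE_TF).items():
        print(f"policy #{index}: {'FAIL' if actions else 'PASS'} {actions}")
```

Running the script reports the first policy as failing because `sts:*` expands to `sts:AssumeRole`, `sts:GetFederationToken` and `sts:GetSessionToken` and `iam:CreateAccessKey` is named outright, while the second passes because it grants only read-only actions. Because matching is action-based, narrowing Resource alone does not clear the finding; the remediation is to drop the wildcard and the credential-returning actions that the principal does not need.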
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0335 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_287 |