IAM policies allow permissions management or resource exposure without constraints
Description
This rule verifies that IAM (Identity and Access Management) policies do not allow unfettered permissions management or exposure of resources without any limiting conditions or safeguards.
The risk of not adhering to this rule is high. If IAM policies allow unconstrained permissions management or unrestricted resource exposure, any principal holding those permissions can grant itself further access or open critical resources to others, potentially leading to data breaches or a wider compromise of the environment. Constraints or conditions should therefore be applied so that who can do what is controlled and resources are not exposed unnecessarily.
Code Example
```hcl
# Sample IAM policy (compliant): a single read action scoped to one bucket ARN,
# with no permissions-management or resource-exposure actions on "*"
resource "aws_iam_policy" "my_custom_policy" {
  name        = "my_custom_policy"
  description = "A custom policy with only necessary permissions"
  policy = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Action" : [
            "s3:ListBucket"
          ],
          "Effect" : "Allow",
          "Resource" : "arn:aws:s3:::my_bucket"
        }
      ]
    }
  )
}
```
Remediation
Terraform
- Resource: aws_iam_policy
- Arguments: policy
To fix this issue, ensure that your IAM policies are scoped to the resources they actually need and that any permissions-management or resource-exposure actions are constrained, for example with conditions, rather than granted on every resource. Avoiding overly permissive policies reduces the blast radius if an entity holding those permissions is compromised.
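The following is an added, simplified illustration of the condition this rule describes (an Allow statement that grants permissions-management or resource-exposure actions on Resource "*" with no Condition block), written as a small Python checker over the JSON document that the Terraform `policy` argument would contain. It is not Checkov's own implementation of CKV_AWS_289: the two action sets are a constructed subset of real IAM actions chosen for illustration, not the rule's actual list, and the two sample policies are constructed. It also shows the two remediation shapes side by side: the page's scoped statement and a conditioned `iam:PassRole` both pass, while a wildcard grant fails.

```python
"""Illustrative, simplified scanner for the condition this rule describes:
an Allow statement that grants permissions-management or resource-exposure
actions on Resource "*" with no Condition block. Not Checkov's own code."""
import fnmatch
import json

# Constructed subset of real IAM actions, used for illustration only; the
# rule's own action list is not reproduced here.
PERMISSIONS_MANAGEMENT_ACTIONS = {
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:AttachGroupPolicy",
    "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:PassRole", "iam:UpdateAssumeRolePolicy",
}
RESOURCE_EXPOSURE_ACTIONS = {
    "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl",
    "kms:PutKeyPolicy", "lambda:AddPermission", "sns:AddPermission",
    "sqs:AddPermission", "ecr:SetRepositoryPolicy",
    "secretsmanager:PutResourcePolicy",
}


def _as_list(value):
    """IAM policy JSON allows a string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matched_sensitive_actions(action_patterns):
    """Expand action patterns (e.g. "iam:*", "*") against the sensitive-action sets.

    Returns (permissions_management, resource_exposure) as sets of canonical names.
    IAM action matching is case-insensitive, so both sides are lower-cased.
    """
    patterns = [p.lower() for p in _as_list(action_patterns)]

    def hits(candidates):
        return {a for a in candidates
                if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}

    return hits(PERMISSIONS_MANAGEMENT_ACTIONS), hits(RESOURCE_EXPOSURE_ACTIONS)


def find_unconstrained_statements(policy):
    """Return one finding per Allow statement that is unconstrained:
    sensitive action(s) + Resource "*" + no Condition."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot over-grant
        if stmt.get("Condition"):
            continue  # any Condition counts as a constraint in this simplified check
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # scoped to specific ARNs, so not "without constraints"
        perms, exposure = matched_sensitive_actions(stmt.get("Action"))
        if perms or exposure:
            findings.append({
                "statement": idx,
                "sid": stmt.get("Sid"),
                "permissions_management": sorted(perms),
                "resource_exposure": sorted(exposure),
            })
    return findings


def check_policy_json(policy_json):
    """Convenience wrapper for the string that Terraform's jsonencode() produces."""
    return find_unconstrained_statements(json.loads(policy_json))


# Constructed sample: the weak shape this rule flags.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Action": ["iam:*", "s3:PutBucketPolicy"],
        "Resource": "*",
    }],
})

# Constructed sample: the page's scoped statement, a PassRole grant constrained
# by a Condition, and an explicit Deny; none of these should be flagged.
CONSTRAINED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::my_bucket"},
        {"Sid": "PassRoleOnlyToLambda", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("noncompliant", NONCOMPLIANT_POLICY),
                      ("constrained", CONSTRAINED_POLICY)):
        print(name, json.dumps(check_policy_json(doc), indent=2))
```

Run it directly to see the single `TooBroad` finding for the first policy and an empty list for the second. The check deliberately treats any `Condition` as a constraint and only `Resource: "*"` as unscoped; a production rule would also reason about `NotAction`, `NotResource` and whether a given condition key actually limits the grant, which this illustration leaves out.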
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0337 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_289 |