Data source IAM policy document allows all resources with restricted actions
Description
This policy checks IAM policies for statements that allow unrestricted resource access ('*') for actions that can and should be restricted to specific resources. This behavior is potentially unsafe because it broadens the scope of access controls and increases the risk of unauthorized access. Prisma Cloud checks the AWS documentation for IAM actions that can be restricted to a resource and recommends defining a specific resource rather than '*'. For example, the s3:PutObject action can be restricted to a specific S3 bucket instead of allowing uploads to any S3 bucket using '*'. It is best security practice to define granular permissions to each user access, as unrestricted access can lead to unwanted manipulations or data breaches. Therefore, it is recommended to specify restrictions and assign minimum necessary access rights.
Code Example
data "aws_iam_policy_document" "example" {
statement {
sid = "samplePassRole"
effect = "Allow"
actions = [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
]
resources = [
- "*",
+ "arn:aws:s3:::my_bucket/my_object"
]
}
}Remediation
Terraform
- Resource: aws_iam_policy_document
- Arguments: statement
Review your IaC IAM policies to identify if any resources are set to "*" that can be restricted, which grants full access to all resources of that type. For each identified statement, replace "*" with the specific Amazon Resource Names (ARNs) corresponding to the resources users or roles actually need access to.
The following Terraform code example describes how to define specific resources in the Resource field of the Statement block, replacing "*".
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0403 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_356 |