AWS IAM policy allows full administrative privileges
Description
This rule detects an AWS IAM policy that allows full IAM privileges. Granting full IAM privileges can lead to unauthorized access, privilege escalation, and potential security breaches.
Code Example

```hcl
data "aws_iam_policy_document" "example" {
  statement {
    effect = "Allow"
    actions = [
      "s3:Get*",
      "s3:List*",
    ]
    resources = ["arn:aws:s3:::my-bucket/*"]
  }
}
```

Remediation
Terraform
- Resource: aws_iam_policy, aws_iam_role_policy, aws_iam_group_policy, aws_iam_user_policy
- Arguments: statement
To fix this issue, review the IAM policy and remove any explicit Allow actions for IAM. Limit the IAM policy to only the necessary permissions required for the specific role or group.
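The check this rule performs, written as an added Python example (not the rule's or Checkov's own implementation) that runs over the rendered JSON form of a policy document; the sample policies and the exact matching rule (an Allow of `*` or `iam:*` on Resource `*`) are assumptions:

```python
import json

# Constructed sample policies (not from the original page):
# one granting full IAM privileges, one scoped to S3 reads only.
FULL_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"],
                   "Resource": "arn:aws:s3:::my-bucket/*"}],
})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_full_iam_statements(policy_json: str) -> list:
    """Return indices of Allow statements granting every IAM action on every resource.

    Matching rule (assumption, modelled on the description above): an Action of
    "*" or "iam:*" (case-insensitive) combined with a Resource of "*".
    Deny statements and NotAction/NotResource forms are not evaluated here.
    """
    doc = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "iam:*") for a in actions) and "*" in resources:
            hits.append(idx)
    return hits


def is_compliant(policy_json: str) -> bool:
    """True when no statement grants full IAM privileges."""
    return not find_full_iam_statements(policy_json)


if __name__ == "__main__":
    for name, policy in (("full-iam", FULL_IAM_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "PASS" if is_compliant(policy) else "FAIL")
```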
Secure code example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0474 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_40 |