Excessive privileges - Wildcards
Need
Restriction of privileges and removal of wildcard usage
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of AWS IAM Roles for managing access and permissions in AWS services
- Usage of AWS IAM Role Policy for defining permissions and access control policies for AWS IAM roles.
Description
Non compliant code
resource "aws_iam_role_policy" "excessive_privileges" {
name = "excessive_privileges"
role = aws_iam_role.example.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
The above Terraform code creates an IAM role policy named "excessive_privileges" in AWS. The policy is associated with an IAM role (referenced as aws_iam_role.example.id in the code).
The vulnerability arises from the fact that the policy grants all ("") actions on all ("") resources. This is defined in the "Statement" section of the policy. This means the IAM role associated with this policy has full permissions to perform any action on any resource in the AWS environment.
This is a critical security vulnerability as it contradicts the principle of least privilege (PoLP), a security concept in which a user is given the minimum levels of access necessary to complete his/her job functions. By assigning excessive privileges, you increase the potential for damage if the role's credentials are compromised.
Furthermore, the use of wildcards (*) in IAM policies can lead to unintended permissions being granted. For example, a policy that is intended to allow access to a specific S3 bucket could inadvertently grant access to all S3 buckets if a wildcard is used in the resource ARN.
In this case, any entity (user, service, application) assuming this IAM role would have unrestricted access to perform any operation (read, write, delete, etc.) on any AWS resource. This could lead to unauthorized data access, data loss, or disruption of critical operations.
Steps
- Review the permissions required by the role and identify the specific actions and resources that are necessary.
- Remove the wildcard (*) from the 'Action' field in the IAM role policy.
- Update the 'Resource' field in the IAM role policy to specify the specific resources that the role should have access to.
- Ensure that the IAM role policy only grants the necessary privileges to perform the required actions.
- Regularly review and audit the IAM role policies to ensure they remain up-to-date and do not have excessive privileges.
Compliant code
resource "aws_iam_role_policy" "excessive_privileges" {
name = "excessive_privileges"
role = aws_iam_role.example.id
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::example_bucket",
"arn:aws:s3:::example_bucket/*"
],
"Effect": "Allow"
}
]
}
EOF
}
The original code had a vulnerability due to the use of wildcards (*) in the 'Action' and 'Resource' fields of the IAM role policy. This means that the role had excessive privileges, being able to perform any action on any resource, which is a security risk.
The fixed code removes the wildcards and specifies the exact actions and resources that the role should have access to. In this case, the role is only allowed to list the contents of a specific S3 bucket (s3:ListBucket) and retrieve objects from it (s3:GetObject). The resources are also specified to be only the example_bucket and its contents.
This way, the role's privileges are limited to only what is necessary, reducing the potential for unauthorized access or actions. It's important to regularly review and audit IAM role policies to ensure they remain up-to-date and do not grant excessive privileges.