
Excessive privileges - Wildcards

Description

  • Privileges are granted with wildcard (*) in critical actions.
  • Many roles have unnecessary privileges over IAM.
  • Some write actions allow the use of Wildcards(*).

Impact

Perform sensitive actions with roles that do not need it.

Recommendation

Grant privileges strictly to the roles that need it.

Threat

Internet attacker with access to the machines.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code maturity: P
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:X
  • Score:
    • Base: 6.3
    • Temporal: 6.0
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Access to resources is securely configured for each security policy

data "aws_iam_policy_document" "example" {
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions = [
      "iam:Write"
    ]
    resources = [
      "my_resource"
    ]
  }
}

Non compliant code

Unnecessary privileges are granted through the use of a wildcard "*" in the actions, resources or principals of a policy statement:

data "aws_iam_policy_document" "example" {
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions = [
      "iam:*"
    ]
    resources = [
      "*"
    ]
  }
}

resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  deletion_window_in_days = 10

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Principal": {
          "AWS": "*"
        },
        "Effect": "Allow",
        "Action": "kms:*",
        "Resource": "*"
      }
    ]
  }
  EOF
}

Resources:
  key1:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: An example multi-Region primary key
      MultiRegion: true
      EnableKeyRotation: true
      PendingWindowInDays: 10
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::111122223333:root'
            Action: 'kms:*'
            Resource: '*'
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: '*'
            Action: 'kms:*'
            Resource: '*'

Using the AWS CLI, the following command retrieves a policy document so it can be checked for full administrative privileges:

$ aws iam get-policy-version \
    --policy-arn {iam_policy_arn} \
    --version-id v1 \
    --query 'PolicyVersion.Document'

If the JSON output document contains a statement whose Effect is Allow and whose Action, Resource or Principal element is a wildcard (*), the policy is insecurely configured.
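The same check, automated over the document returned by the command above, as an added example that is not part of the original page. The policy document embedded below is constructed for the example; the function handles the string-or-list forms IAM accepts for Action, Resource and Principal and ignores Deny statements, where a wildcard restricts rather than grants.

```python
"""Flag IAM policy statements that grant privileges with wildcards (added example)."""
import json
from typing import Any

# Constructed sample document in the shape of `PolicyVersion.Document`.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ScopedRead", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/2024.csv"},
    {"Sid": "FullIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Sid": "AnyPrincipal", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}
""")


def _as_list(value: Any) -> list:
    """IAM accepts either a single string or a list for these elements."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_values(principal: Any) -> list:
    """Principal is either the bare string "*" or a map such as {"AWS": "*"}."""
    if isinstance(principal, dict):
        return [v for vals in principal.values() for v in _as_list(vals)]
    return _as_list(principal)


def find_wildcard_grants(policy: dict) -> list:
    """One finding per Allow statement whose Action, Resource or Principal
    contains "*" (e.g. "*", "iam:*", "s3:Put*"). Deny statements are skipped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        elements = {
            "Action": _as_list(stmt.get("Action")),
            "Resource": _as_list(stmt.get("Resource")),
            "Principal": _principal_values(stmt.get("Principal")),
        }
        bad = {name: [v for v in vals if isinstance(v, str) and "*" in v]
               for name, vals in elements.items()}
        bad = {name: vals for name, vals in bad.items() if vals}
        if bad:
            findings.append({"sid": stmt.get("Sid", f"statement[{idx}]"), "wildcards": bad})
    return findings
```

Pipe the CLI output into `json.load` and pass it to `find_wildcard_grants`; an empty list means no Allow statement uses a wildcard.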

Requirements