A policy that allows identities to access all resources in an AWS account may violate the principle of least privilege. Suppose an identity has permission to access
all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access and disclosure of sensitive
information will occur.
Ask Yourself Whether
The AWS account has more than one resource with different levels of sensitivity.
A risk exists if you answered yes to this question.
Recommended Secure Coding Practices
It’s recommended to apply the least privilege principle, i.e., by only granting access to necessary resources. A good practice to achieve this is
to organize or tag
resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors.
Sensitive Code Example
Update permission is granted for all policies using the wildcard (*) in the Resource property:
AWSTemplateFormatVersion: 2010-09-09
Resources:
ExamplePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:CreatePolicyVersion"
Resource:
- "*" # Sensitive
Roles:
- !Ref MyRole
Compliant Solution
Restrict update permission to the appropriate subset of policies:
AWSTemplateFormatVersion: 2010-09-09
Resources:
ExamplePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "iam:CreatePolicyVersion"
Resource:
- !Sub "arn:aws:iam::${AWS::AccountId}:policy/team1/*"
Roles:
- !Ref MyRole
Exceptions
- Should not be raised on key policies (when AWS KMS actions are used.)
- Should not be raised on policies not using any resources (if and only if all actions in the policy never require resources.)
See
