A policy that allows identities to access all resources in an AWS account may violate the principle of least privilege. Suppose an identity has permission to access
all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access and disclosure of sensitive
information will occur.
Ask Yourself Whether
The AWS account has more than one resource with different levels of sensitivity.
A risk exists if you answered yes to this question.
Recommended Secure Coding Practices
It’s recommended to apply the least privilege principle, i.e., by only granting access to necessary resources. A good practice to achieve this is
to organize or tag
resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors.
Sensitive Code Example
The wildcard "*" is specified as the resource for this PolicyStatement. This grants the update permission for all
policies of the account:
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement
PolicyDocument(
statements=[
PolicyStatement(
effect=Effect.ALLOW,
actions="iam:CreatePolicyVersion",
resources=["*"] # Sensitive
)
]
)
Compliant Solution
Restrict the update permission to the appropriate subset of policies:
from aws_cdk import Aws
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement
PolicyDocument(
statements=[
PolicyStatement(
effect=Effect.ALLOW,
actions="iam:CreatePolicyVersion",
resources=[f"arn:aws:iam::{Aws.ACCOUNT_ID}:policy/team1/*"]
)
]
)
Exceptions
- Should not be raised on key policies (when AWS KMS actions are used.)
- Should not be raised on policies not using any resources (if and only if all actions in the policy never require resources.)
See
