Excessive privileges - AWS - Cloudformation
Need
Restriction of privileges to the minimum necessary level
Context
- Usage of CloudFormation for Infrastructure as Code (IaC)
- Usage of AWS SDK for interacting with Amazon Web Services
Description
Insecure Code Example
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "iam_role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: "ec2.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "iam_role_policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: "*"
                Resource: "*"
The above CloudFormation template creates an IAM role (`IAMRole`) and attaches an inline policy to it. The role's trust policy allows the EC2 service to assume it. The vulnerability lies in the inline policy attached to the role: it allows any action (`"Action": "*"`) on any resource (`"Resource": "*"`) in the AWS account. The role therefore has excessive privileges and can perform any operation on any resource. This is a security risk because, if the role's credentials are compromised, an attacker can execute any operation, potentially leading to unauthorized access, data leakage, or a full AWS account takeover. The principle of least privilege is not followed here. This principle recommends that a user, program, or system process should have only the minimum privileges necessary to complete its job. Overprivileged roles or users can lead to misuse, whether intentional (a malicious insider) or accidental (mistaken use of permissions).
Steps
- Review the permissions required by the application, user, or role.
- Identify the specific actions and resources that are necessary for the application to function properly.
- Remove the 'Allow' statement with the wildcard (*) in the IAM role policy.
- Replace the wildcard (*) with the specific actions and resources required by the application.
- Ensure that the permissions assigned to the role follow the principle of least privilege.
- Test the application to verify that it functions correctly with the updated permissions.
Secure Code Example
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  IAMRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "iam_role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: "ec2.amazonaws.com"
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: "iam_role_policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "ec2:Describe*"
                  - "ec2:StartInstances"
                  - "ec2:StopInstances"
                Resource:
                  - "arn:aws:ec2:us-west-2:123456789012:instance/*"
The original template had a vulnerability where the IAM role had excessive privileges. The IAM role policy allowed all actions (`"Action": "*"`) on all resources (`"Resource": "*"`). This is a security risk as it violates the principle of least privilege. The fixed CloudFormation template reduces the permissions of the IAM role to only what is necessary. The IAM role policy now only allows specific EC2 actions (`"Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"]`) on specific EC2 instances (`"Resource": ["arn:aws:ec2:us-west-2:123456789012:instance/*"]`). This ensures that the IAM role cannot perform actions or access resources beyond its scope, reducing the impact of potential credential compromise.
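The following is an added example, not code from the original page: a minimal lint that walks a parsed CloudFormation template and reports IAM policy statements that grant Allow on a full-wildcard action or resource, which is the defect the insecure template above contains. It assumes the template has already been parsed into a dict (the stdlib json module is used here; a YAML template can be loaded with yaml.safe_load first) and embeds both templates from this page as constructed inputs.

```python
import json

FULL_WILDCARD_ACTIONS = {"*", "*:*"}
IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def _as_list(value):
    # IAM accepts either a scalar or a list for Statement, Action and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _policy_documents(props):
    """Yield (policy name, policy document) for inline and standalone policies."""
    for policy in props.get("Policies", []):            # inline policies on a Role
        yield policy.get("PolicyName"), policy.get("PolicyDocument", {})
    if "PolicyDocument" in props:                       # AWS::IAM::Policy / ManagedPolicy
        name = props.get("PolicyName") or props.get("ManagedPolicyName")
        yield name, props["PolicyDocument"]


def find_overprivileged(template):
    """Return one finding per Allow statement that uses a full wildcard."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in IAM_TYPES:
            continue
        for policy_name, doc in _policy_documents(resource.get("Properties", {})):
            for stmt in _as_list(doc.get("Statement")):
                if stmt.get("Effect") != "Allow":
                    continue                            # Deny never widens access
                wild_action = any(a in FULL_WILDCARD_ACTIONS
                                  for a in _as_list(stmt.get("Action")))
                wild_resource = "*" in _as_list(stmt.get("Resource"))
                if wild_action or wild_resource:
                    findings.append({"resource": logical_id, "policy": policy_name,
                                     "severity": "admin" if wild_action and wild_resource
                                     else "wildcard"})
    return findings


# Constructed inputs: the page's two templates in CloudFormation's JSON form.
INSECURE = json.loads('''{"Resources": {"IAMRole": {"Type": "AWS::IAM::Role",
  "Properties": {"Policies": [{"PolicyName": "iam_role_policy", "PolicyDocument":
  {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}}''')
SECURE = json.loads('''{"Resources": {"IAMRole": {"Type": "AWS::IAM::Role",
  "Properties": {"Policies": [{"PolicyName": "iam_role_policy", "PolicyDocument":
  {"Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:StartInstances",
  "ec2:StopInstances"], "Resource": ["arn:aws:ec2:us-west-2:123456789012:instance/*"]}]}}]}}}}''')

if __name__ == "__main__":
    print(find_overprivileged(INSECURE), find_overprivileged(SECURE))  # [{...'admin'}] []
```

One caveat when applying the fixed template: EC2 Describe* API actions do not support resource-level permissions and are only authorized with Resource "*", so in practice they belong in a separate statement from the instance-scoped Start/Stop actions. The lint above deliberately flags only full wildcards, so such a statement passes it.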
References
Last updated
2025/04/03