
Excessive privileges - Wildcards - CloudFormation


Need

Restriction of privileges and removal of wildcard usage


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS IAM Roles for managing access and permissions in AWS services
  3. Usage of AWS IAM role policies for defining permissions and access control for AWS IAM roles

Description

Insecure Code Example

Resources:
  ExcessivePrivilegesPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: excessive_privileges
      Roles:
        - Ref: ExampleRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action: "*"
            Resource: "*"
            Effect: "Allow"

The CloudFormation template above creates an inline IAM policy named "excessive_privileges" and attaches it to the role referenced by ExampleRole. Its single statement allows every action ("*") on every resource ("*"), which violates the principle of least privilege: the role can perform any operation on any AWS resource in the account, including IAM actions that would let it grant itself or other principals further access, unless a permissions boundary or service control policy happens to restrict it. This increases the risk of unintended or malicious operations such as unauthorized data access, data loss, or disruption of critical operations. Wildcards in the Action and Resource fields of IAM policies should be avoided because they grant permissions broader than intended; here the `*` in both fields makes the role effectively an administrator.

Steps

  1. Review the permissions required by the role and identify the specific actions and resources that are necessary.
  2. Remove the wildcard (`*`) from the 'Action' field in the IAM role policy.
  3. Update the 'Resource' field in the IAM role policy to specify the exact resources that the role should have access to.
  4. Ensure that the IAM role policy grants only the minimum required privileges.
  5. Regularly audit IAM role policies to confirm that they don't grant excessive privileges.
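The review and audit steps above can be partly automated. The following script is an added example, not code from the original page; it walks a CloudFormation template in JSON form (CloudFormation accepts JSON as well as YAML, and JSON keeps the example dependency-free), finds every AWS::IAM::Policy or AWS::IAM::ManagedPolicy resource, and reports Allow statements whose Action contains a wildcard, whose Resource is the bare "*", or that use NotAction/NotResource (which allow everything not listed). The embedded template is constructed for the example: it mirrors the insecure and secure policies from this page plus one service-level wildcard ("s3:*"); the resource names, the bucket name and the helper functions are assumptions. Intrinsic functions such as Ref or Fn::Sub inside a statement are left unresolved.

```python
"""Flag wildcard Allow statements in CloudFormation IAM policies (stdlib only)."""
import json

# Constructed sample template, not the page's own code. Three policies attached
# to an assumed role: a full wildcard, a service-level wildcard, and a scoped one.
SAMPLE_TEMPLATE = json.loads(r"""
{"Resources": {
  "ExcessivePrivilegesPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "excessive_privileges", "Roles": [{"Ref": "ExampleRole"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Action": "*", "Resource": "*", "Effect": "Allow"}]}}},
  "ServiceWildcardPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "service_wildcard", "Roles": [{"Ref": "ExampleRole"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement":
      {"Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*",
       "Effect": "Allow"}}}},
  "RestrictedPrivilegesPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "restricted_privileges", "Roles": [{"Ref": "ExampleRole"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Action": ["s3:ListBucket", "s3:GetObject"],
       "Resource": ["arn:aws:s3:::example-bucket",
                    "arn:aws:s3:::example-bucket/*"],
       "Effect": "Allow"}]}}}
}}
""")

# Resource types whose PolicyDocument is inspected (assumed scope of the check).
POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def _as_list(value):
    """IAM lets Action, Resource and Statement be a string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(template):
    """Return (logical_id, statement_index, reason) for each risky Allow statement.

    Flagged: any '*' in an action (covers '*', 's3:*' and 's3:Get*'), a Resource
    that is exactly '*', and NotAction/NotResource. A scoped resource wildcard
    such as 'arn:aws:s3:::bucket/*' is not flagged: it is bounded to one bucket.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in POLICY_TYPES:
            continue
        doc = resource.get("Properties", {}).get("PolicyDocument", {})
        for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements with wildcards only narrow access
            reasons = []
            for action in _as_list(stmt.get("Action")):
                if isinstance(action, str) and "*" in action:
                    reasons.append(f"wildcard action {action!r}")
            if "NotAction" in stmt:
                reasons.append("NotAction allows every action not listed")
            for res in _as_list(stmt.get("Resource")):
                if res == "*":
                    reasons.append("wildcard resource '*'")
            if "NotResource" in stmt:
                reasons.append("NotResource allows every resource not listed")
            findings.extend((logical_id, idx, r) for r in reasons)
    return findings


def scan_template_file(path):
    """Convenience wrapper for a JSON template on disk (assumed usage)."""
    with open(path, encoding="utf-8") as fh:
        return find_wildcard_statements(json.load(fh))


if __name__ == "__main__":
    for logical_id, idx, reason in find_wildcard_statements(SAMPLE_TEMPLATE):
        print(f"{logical_id} statement[{idx}]: {reason}")
```

Run against the sample, the script reports the full wildcard in ExcessivePrivilegesPolicy (once for the action, once for the resource) and the service-level "s3:*" in ServiceWildcardPolicy, while RestrictedPrivilegesPolicy passes. A check like this belongs in the pipeline that lints templates before deployment, so that step 5 (regular auditing) runs on every change rather than on a calendar.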

Secure Code Example

Resources:
  RestrictedPrivilegesPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: restricted_privileges
      Roles:
        - Ref: ExampleRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "s3:ListBucket"
              - "s3:GetObject"
            Resource:
              - "arn:aws:s3:::example-bucket"
              - "arn:aws:s3:::example-bucket/*"
            Effect: "Allow"

In the updated CloudFormation template, the policy no longer allows any action on all resources. It lists the two actions the role actually needs and scopes each to the resource it applies to: s3:ListBucket operates on the bucket ARN, while s3:GetObject operates on object ARNs, so the same bucket ARN with a /* suffix is required as a second resource entry. The only remaining wildcard is that object-key suffix, which is bounded to a single bucket rather than granting access across the account. This follows the principle of least privilege by limiting the permissions to what is necessary. Policies should still be reviewed regularly, since the set of required permissions changes as the workload does.


References

  • 325 - Excessive privileges - Wildcards

  • Last updated

    2025/04/04