AWS Negative Statement
Description
Identifies AWS IAM policies that contain explicit deny statements in their policy documents. While deny statements can be used for exceptions, they increase policy complexity and can lead to difficult-to-maintain access controls that may result in unintended access patterns or security gaps.
Detection Strategy
• Retrieves all IAM policies in the AWS account
• For each policy, fetches its current policy version document
• Analyzes each statement in the policy document
• Reports a vulnerability if a policy statement contains an explicit 'Deny' effect
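The detection strategy above, as an added example that is not Fluid Attacks' own code: `deny_statements` normalises the IAM document shapes (JSON string or dict, single statement or list) before checking for an explicit Deny, and `iter_account_policies` assumes a boto3 IAM client to feed it the default version of each policy. The sample policy is constructed for illustration.

```python
import json
from typing import Iterable

# Constructed sample policy document (not from the page): one Allow plus one explicit Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRead", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Sid": "BlockDelete", "Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": "*"},
    ],
}


def deny_statements(document) -> list:
    """Return the statements of an IAM policy document whose Effect is an explicit Deny.

    `document` may be a dict or a JSON string. IAM allows "Statement" to be either a
    single object or a list, so both shapes are normalised to a list before filtering.
    """
    if isinstance(document, str):
        document = json.loads(document)
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [s for s in statements if str(s.get("Effect", "")).lower() == "deny"]


def report(policies: Iterable[tuple]) -> list:
    """Apply the page's rule to (policy_arn, document) pairs: one finding per Deny statement."""
    findings = []
    for arn, doc in policies:
        for stmt in deny_statements(doc):
            findings.append({"policy": arn, "sid": stmt.get("Sid"), "action": stmt.get("Action")})
    return findings


def iter_account_policies(iam_client):
    """Yield (arn, default-version document) for the account's policies.

    Assumes a boto3 IAM client (hypothetical caller supplies it). Scope="Local" limits the
    listing to customer-managed policies, the ones an account owner can actually edit;
    drop the argument to include AWS-managed policies as well. boto3 returns
    PolicyVersion.Document already URL-decoded into a dict.
    """
    paginator = iam_client.get_paginator("list_policies")
    for page in paginator.paginate(Scope="Local"):
        for pol in page["Policies"]:
            version = iam_client.get_policy_version(
                PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"]
            )
            yield pol["Arn"], version["PolicyVersion"]["Document"]
```

Run `report(iter_account_policies(boto3.client("iam")))` with valid credentials to reproduce the check against a live account; each finding names the policy ARN and the Deny statement's Sid.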