Terraform Ssm Full Access Locals
Description
Detects overly permissive IAM policies in Terraform configurations that grant full access to AWS Systems Manager (SSM). Full SSM access allows running commands on EC2 instances, reading Parameter Store secrets, and performing other sensitive operations that should be restricted.
Detection Strategy
• Scans Terraform configuration files for IAM policy definitions in 'locals' blocks
• Identifies IAM policies that grant unrestricted access ('*') to SSM services or actions
• Reports a vulnerability when an IAM policy allows full SSM access instead of limiting it to the specific actions that are actually required
Vulnerable code example
locals {
  role = {
    name = "example_role"
    assume_role_policy = jsonencode({
      Statement = [{ # Vulnerable: Missing Version and overly permissive
        Effect    = "Allow"
        Principal = "*" # Vulnerable: Allows any principal to assume the role
        ...
✅ Secure code example
locals {
  role = {
    name = "example_role"
    assume_role_policy = jsonencode({
      Version = "2012-10-17" # Required for IAM policies
      Statement = [{
        Sid = "AllowEC2AndSSMAssumeRole"
        ...
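The detection strategy described above, as an added example that is not Fluid Attacks' scanner or the page's own code: a small Python checker that parses the HCL subset needed by two constructed Terraform samples (VULNERABLE_TF and SECURE_TF, which mirror the page's snippets; the Resource ARN is a placeholder), collects every IAM Statement object found under the `locals` attributes (unwrapping `jsonencode(...)`), and reports any Allow statement whose Action is `*` or `ssm:*`. The parser, the sample text and all function names are illustrative assumptions.

```python
import re

# Added example (not Fluid Attacks' scanner): flag `locals` IAM policies granting full SSM access.
_TOKEN = re.compile(r'\s+|#[^\n]*|"(?:[^"\\]|\\.)*"|[{}\[\]()=,]|[A-Za-z0-9_.\-]+')

def tokenize(src):  # whitespace and `#` comments dropped, unmatched chars skipped
    return [t for t in _TOKEN.findall(src) if t.strip() and not t.startswith("#")]

class _Parser:
    """HCL values: objects (`k = v`, commas optional), lists, strings, bare words, calls."""
    def __init__(self, toks):
        self.toks, self.i = toks, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, want=None):
        tok = self.peek()
        if tok is None or (want is not None and tok != want):
            raise ValueError(f"expected {want!r}, got {tok!r}")
        self.i += 1
        return tok
    def until(self, closer, as_dict):
        out = {} if as_dict else []
        while self.peek() != closer:
            if as_dict:
                key = self.take().strip('"')
                self.take("=")
                out[key] = self.value()
            else:
                out.append(self.value())
            if self.peek() == ",":
                self.take(",")
        self.take(closer)
        return out
    def value(self):
        tok = self.take()
        if tok == "{":
            return self.until("}", as_dict=True)
        if tok == "[":
            return self.until("]", as_dict=False)
        if tok.startswith('"'):
            return tok[1:-1]                      # samples contain no escapes
        if self.peek() == "(":                    # call; jsonencode(x) is just x
            self.take("(")
            args = self.until(")", as_dict=False)
            return args[0] if tok == "jsonencode" and len(args) == 1 else {tok: args}
        return {"true": True, "false": False, "null": None}.get(tok, tok)

def parse_locals(src):  # merge every top-level `locals` block; other blocks are skipped
    p, merged = _Parser(tokenize(src)), {}
    while p.peek() is not None:
        kind = p.take()
        while p.take() != "{":                    # skip block labels
            pass
        body = p.until("}", as_dict=True)
        if kind == "locals":
            merged.update(body)
    return merged

def _as_list(v):
    return v if isinstance(v, list) else [] if v is None else [v]

def _statements(node, path):  # yield (path, statement) for every IAM Statement under node
    if isinstance(node, dict):
        for n, s in enumerate(_as_list(node.get("Statement"))):
            if isinstance(s, dict):
                yield f"{path}.Statement[{n}]", s
        for k, v in node.items():
            yield from _statements(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _statements(v, f"{path}[{i}]")

def full_ssm_reason(stmt):
    """Why an Allow statement permits every SSM action: a '*' or 'ssm:*' Action;
    IAM matches action names case-insensitively, so compare in lower case."""
    if stmt.get("Effect") != "Allow":
        return None
    for a in _as_list(stmt.get("Action")):
        if str(a).lower() in ("*", "ssm:*"):
            return f"Action {a!r} grants full SSM access"
    return None

def find_full_ssm_access(src):
    return [f"{path}: {why}" for path, s in _statements(parse_locals(src), "locals")
            if (why := full_ssm_reason(s))]

# Constructed Terraform mirroring the page's two snippets (the ARN is a placeholder).
VULNERABLE_TF = """locals {
  role = {
    assume_role_policy = jsonencode({ Statement = [{ Effect = "Allow", Principal = "*", Action = "sts:AssumeRole" }] })
    ssm_policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow", Action = "ssm:*", Resource = "*" }] })
  }
}"""
SECURE_TF = """locals {
  role = {
    ssm_policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow",
      Action = ["ssm:GetParameter", "ssm:GetParameters"], Resource = "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/app/*" }] })
  }
}"""
```

Running `find_full_ssm_access` on the two samples yields one finding for the vulnerable one (at `locals.role.ssm_policy.Statement[0]`; the `sts:AssumeRole` statement beside it is correctly left alone) and none for the secure one, whose actions are enumerated and scoped to a parameter path. A fuller rule would also treat an Allow statement using `NotAction` without an `ssm:` exclusion as full SSM access by exclusion, and weigh the `Resource` scope.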