Terraform Allow Notaction Trust Policy
Description
Detects overly permissive IAM trust policies in Terraform AWS configurations that use NotAction. Using NotAction in an Allow statement is dangerous because it grants every action except the ones listed, rather than a defined set of actions; in a trust policy this means far more than the sts:AssumeRole call the policy is meant to permit, which leads to excessive privileges and violates the principle of least privilege.
Detection Strategy
• Search for AWS IAM role resources in Terraform configuration files
• Check if the IAM role's trust policy contains NotAction statements
• Report a vulnerability when NotAction is used in a trust policy, since such a statement implicitly allows every action except those specifically listed
Vulnerable code example
resource "aws_iam_role" "vulnerable_role" {
  name = "vulnerable_role"
  assume_role_policy = jsonencode({ # Vulnerable: using NotAction in the trust policy is a security risk
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"...
✅ Secure code example
resource "aws_iam_role" "secure_role" {
  name = "secure_role"
  assume_role_policy = jsonencode({ # Safe: using an explicit Principal and Action
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"...
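As an added example (not the page's or Fluid Attacks' own checker), the following Python check runs the detection strategy above over the JSON document that jsonencode() produces for assume_role_policy. The two trust policies and the account id in them are constructed placeholders that mirror the vulnerable_role and secure_role resources; it also handles the scalar-or-list forms IAM accepts for Statement and NotAction.

```python
"""Flag Allow statements that use NotAction in an AWS IAM trust policy.

Constructed example, not Fluid Attacks' checker. Input is the JSON that
Terraform's jsonencode() emits for assume_role_policy.
"""
import json


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_notaction_statements(policy_json: str):
    """Return (statement_index, not_action_values) for each Allow + NotAction.

    An Allow statement with NotAction grants every action except the listed
    ones, so in a trust policy it permits far more than sts:AssumeRole.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            findings.append((idx, _as_list(stmt["NotAction"])))
    return findings


# Constructed trust policy mirroring vulnerable_role: everything but one action.
VULNERABLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},  # placeholder
        "NotAction": "sts:GetFederationToken",
    }],
})

# Constructed trust policy mirroring secure_role: explicit Principal and Action.
SECURE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

if __name__ == "__main__":
    for name, doc in (("vulnerable_role", VULNERABLE_TRUST_POLICY),
                      ("secure_role", SECURE_TRUST_POLICY)):
        print(name, find_notaction_statements(doc))  # vulnerable_role -> [(0, ['sts:GetFederationToken'])]
```

The same function can be pointed at any rendered policy document, for example the assume_role_policy value shown by terraform show -json.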