Terraform Bucket Policy Allows Public Access
Description
Identifies AWS S3 bucket policies that allow public or overly permissive access through IAM configurations. Public access to S3 buckets can lead to unauthorized data exposure if not properly restricted.
Detection Strategy
• Examines Terraform configuration files for AWS IAM policy resources
• Identifies policy resources including: aws_iam_group_policy, aws_iam_policy, aws_iam_role_policy, aws_iam_user_policy, and aws_iam_policy_document
• Analyzes policy statements to detect configurations that grant access to public/anonymous users
• Reports a vulnerability when a policy allows unrestricted access to bucket resources
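As an added illustration of the strategy above (this is example code written for this page, not Fluid Attacks' scanner), the script below applies the same checks to the rendered policies in a Terraform plan. Instead of parsing HCL directly it reads the JSON plan produced by `terraform plan -out=tfplan` followed by `terraform show -json tfplan`, where each policy appears as a JSON string under the resource's `values`. The two rules it uses, an Allow statement whose Principal is `*` (or `AWS = "*"`) and an Allow statement granting `s3:*` or `*` on a wildcard Resource, are this example's reading of the strategy, not the tool's exact logic; `SAMPLE_PLAN` is a constructed stand-in for real plan output.

```python
"""Flag IAM/S3 policies in a Terraform plan JSON that grant public or
unrestricted access to bucket resources (hypothetical example scanner)."""
import json
import sys

# Resource types from the detection strategy, plus aws_s3_bucket_policy,
# which carries the same policy document shape.
POLICY_RESOURCE_TYPES = {
    "aws_iam_group_policy", "aws_iam_policy", "aws_iam_role_policy",
    "aws_iam_user_policy", "aws_iam_policy_document", "aws_s3_bucket_policy",
}


def _as_list(value):
    """IAM allows scalars or lists for Principal/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Bare "*" or any AWS entry equal to "*" grants anonymous access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def analyze_policy(address, policy):
    """Return (address, statement_index, reason) for each risky statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue  # statement does not touch S3 at all
        if _principal_is_public(stmt.get("Principal")):
            findings.append((address, idx, "public principal"))
        wildcard_action = any(a in ("*", "s3:*") for a in actions)
        wildcard_resource = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if wildcard_action and wildcard_resource:
            findings.append((address, idx, "unrestricted s3 access"))
    return findings


def _iter_resources(module):
    """Walk root_module and nested child_modules of a plan JSON."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def scan_plan(plan):
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _iter_resources(root):
        if res.get("type") not in POLICY_RESOURCE_TYPES:
            continue
        values = res.get("values") or {}
        raw = values.get("policy") or values.get("json")  # data source uses "json"
        if not isinstance(raw, str):
            continue  # value not known until apply; nothing to inspect
        try:
            policy = json.loads(raw)
        except json.JSONDecodeError:
            continue
        findings.extend(analyze_policy(res["address"], policy))
    return findings


def _policy(statements):
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


# Constructed sample plan: one identity policy with s3:* on "*", one bucket
# policy open to every principal, and one least-privilege policy.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {"resources": [
    {"address": "aws_iam_role_policy.vulnerable_policy", "type": "aws_iam_role_policy",
     "values": {"policy": _policy([
         {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}])}},
    {"address": "aws_s3_bucket_policy.public_read", "type": "aws_s3_bucket_policy",
     "values": {"policy": _policy([
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::example-bucket/*"}])}},
    {"address": "aws_iam_role_policy.secure_policy", "type": "aws_iam_role_policy",
     "values": {"policy": _policy([
         {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": ["arn:aws:s3:::example-bucket",
                       "arn:aws:s3:::example-bucket/*"]}])}},
]}}}


if __name__ == "__main__":
    # Usage: python scan.py plan.json   (falls back to the embedded sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, idx, reason in scan_plan(plan):
        print(f"{address} statement[{idx}]: {reason}")
```

Running it against the embedded sample reports the `s3:*` on `*` statement and the bucket policy with `Principal = "*"`, and stays silent on the policy scoped to named actions and a specific bucket ARN. Policies whose value is only known after apply are skipped rather than guessed at, so the scan is worth repeating on the post-apply state.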
Vulnerable code example

    resource "aws_iam_role_policy" "vulnerable_policy" {
      name   = "vulnerable_policy"
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Action = [...

✅ Secure code example

    resource "aws_iam_role_policy" "secure_policy" {
      name   = "secure_policy"
      role   = aws_iam_role.example_role.id # Explicitly specify the role
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {...