Terraform Allow With NotResource
Description
Identifies IAM policies in Terraform configurations that use NotResource elements, which can create overly permissive access by excluding specific resources while allowing access to all others. This practice increases security risk by potentially granting unintended broad permissions.
Detection Strategy
• Check if the Terraform resource type is one of: aws_iam_group_policy, aws_iam_policy, aws_iam_role_policy, aws_iam_user_policy, or aws_iam_policy_document
• Search for 'not_resources' or 'NotResource' elements within the IAM policy document
• Flag any IAM policies that use NotResource instead of explicitly listing allowed resources
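The three detection steps above, carried out by a small checker (an added example, not Fluid Attacks' own scanner). It walks the top-level resource and data blocks of a Terraform file, keeps only the IAM policy types named in the strategy, and flags a block whose body carries a NotResource (JSON policy) or not_resources (aws_iam_policy_document) key, reporting the line it sits on. The Terraform input at the bottom is constructed for the example; the ARNs in it are placeholders.

```python
"""Detector for the "Allow with NotResource" pattern in Terraform IAM policies."""
import re

# Terraform types listed in the detection strategy.
IAM_POLICY_TYPES = {
    "aws_iam_group_policy",
    "aws_iam_policy",
    "aws_iam_role_policy",
    "aws_iam_user_policy",
    "aws_iam_policy_document",
}

# Top-level block header:  resource "type" "name" {   or   data "type" "name" {
BLOCK_HEADER = re.compile(
    r'^\s*(resource|data)\s+"([^"]+)"\s+"([^"]+)"\s*\{', re.MULTILINE
)

# Key forms that mean "every resource except the listed ones":
#   NotResource = ...   (jsonencode),  "NotResource": ...  (heredoc JSON),
#   not_resources = ... (aws_iam_policy_document)
NOT_RESOURCE_KEY = re.compile(r'\b(NotResource|not_resources)\b"?\s*[=:]')


def _block_body(text, open_brace_index):
    """Return (body, close_index) for the brace-delimited block opened at open_brace_index.

    Braces are counted outside string literals, so "${...}" interpolations
    or braces inside quoted values do not unbalance the scan.
    """
    depth = 0
    in_string = False
    i = open_brace_index
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":
                i += 1  # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace_index + 1:i], i
        i += 1
    raise ValueError("unbalanced braces in Terraform source")


def find_not_resource_policies(hcl_text):
    """Return [(block_kind, tf_type, tf_name, line)] for IAM policies using NotResource.

    line is the 1-based line of the offending key in hcl_text.
    """
    findings = []
    for header in BLOCK_HEADER.finditer(hcl_text):
        kind, tf_type, tf_name = header.groups()
        if tf_type not in IAM_POLICY_TYPES:
            continue  # step 1: only the IAM policy types matter
        brace_at = header.end() - 1
        body, _ = _block_body(hcl_text, brace_at)
        hit = NOT_RESOURCE_KEY.search(body)  # step 2: look for the element
        if hit:  # step 3: flag it
            line = hcl_text.count("\n", 0, brace_at + 1 + hit.start()) + 1
            findings.append((kind, tf_type, tf_name, line))
    return findings


# Constructed sample: one vulnerable resource, one vulnerable data source,
# one secure policy, and a non-IAM block the rule deliberately ignores.
SAMPLE_TF = '''
resource "aws_iam_policy" "vulnerable_policy" {
  name = "overly_permissive_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect      = "Allow"
        Action      = "s3:*"
        NotResource = "arn:aws:s3:::example-sensitive-bucket/*"
      }
    ]
  })
}

data "aws_iam_policy_document" "also_flagged" {
  statement {
    effect        = "Allow"
    actions       = ["s3:GetObject"]
    not_resources = ["arn:aws:s3:::example-sensitive-bucket/*"]
  }
}

resource "aws_iam_policy" "secure_policy" {
  name = "limited_access_policy"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "s3:GetObject", Resource = "arn:aws:s3:::example-allowed-bucket/*" }]
  })
}

resource "aws_s3_bucket_policy" "not_an_iam_policy_type" {
  bucket = "example"
  policy = jsonencode({ Statement = [{ Effect = "Allow", NotResource = "x" }] })
}
'''

if __name__ == "__main__":
    for kind, tf_type, tf_name, line in find_not_resource_policies(SAMPLE_TF):
        print(f'line {line}: {kind} "{tf_type}" "{tf_name}" uses NotResource')
```

The checker follows the strategy literally and flags every NotResource in an IAM policy type, whatever the statement's Effect; telling Allow statements apart from Deny ones, which the rule's title implies, would need the statement list parsed rather than the block body searched.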
Vulnerable code example
resource "aws_iam_policy" "vulnerable_policy" {
  name = "overly_permissive_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect      = "Allow"
        Action      = "s3:*" # placeholder: the page truncates here
        NotResource = "arn:aws:s3:::example-sensitive-bucket/*" # placeholder ARN; the action is allowed on every other resource
      }
    ]
  })
}
✅ Secure code example
resource "aws_iam_policy" "secure_policy" {
  name = "limited_access_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "s3:GetObject" # placeholder: the page truncates here
        Resource = "arn:aws:s3:::example-allowed-bucket/*" # placeholder ARN; only the listed resource is allowed
      }
    ]
  })
}