
Json Yaml Excessive Role Policy Privileges

Description

Identifies IAM role policies in CloudFormation templates that grant more access than the role needs, typically an Allow statement whose Action or Resource is the wildcard '*'. Such policies violate the principle of least privilege: any workload or user that can assume the role, or an attacker who compromises its credentials, inherits every permission the policy grants rather than only the calls the workload actually makes.

Weakness:

031 - Excessive privileges - AWS

Category: Access Subversion

Detection Strategy

    Scan CloudFormation template files (JSON or YAML) for IAM resources that carry a policy document: inline Policies on AWS::IAM::Role, plus standalone AWS::IAM::Policy and AWS::IAM::ManagedPolicy resources

    Check each policy statement for overly permissive configurations, such as 'Effect: Allow' combined with 'Action: *' or 'Resource: *'

    Report a finding when a policy grants broad access without restricting the actions or the resources it applies to

    Analyze both inline role policies and managed policy attachments (ManagedPolicyArns), since an attached AdministratorAccess policy is as excessive as an inline wildcard statement

Vulnerable code example

Resources:
  VulnerableRole:
    Type: 'AWS::IAM::Role'
    Properties:
      Policies:
        - PolicyName: root
          PolicyDocument:
            Statement:...

✅ Secure code example

Resources:
  SecureRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: "secure-role"
      # Explicitly define who can assume this role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"...
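The detection strategy above, carried out as an added worked example that is not part of this page or of any scanner's own code: a small Python checker that parses a CloudFormation template in JSON form (the standard library has no YAML parser, and CloudFormation YAML short-form tags such as !Ref need a custom loader), walks every IAM resource that carries a policy document, and reports Allow statements with wildcard actions or resources, Allow statements using NotAction, and attachments of the AWS-managed AdministratorAccess policy. The two embedded templates, the resource names, the policy names and the bucket name are constructed for this example; only the resource types, property names and the AdministratorAccess ARN are real AWS identifiers.

```python
import json

# Constructed sample templates (not from the page). The first mirrors the
# vulnerable pattern: an inline "root" policy with Action "*" / Resource "*"
# plus an AdministratorAccess attachment. The second is a least-privilege role.
VULNERABLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "VulnerableRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"Service": "lambda.amazonaws.com"},
                                   "Action": "sts:AssumeRole"}]},
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
                "Policies": [{
                    "PolicyName": "root",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}})

SECURE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "SecureRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "secure-role",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"Service": "lambda.amazonaws.com"},
                                   "Action": "sts:AssumeRole"}]},
                "Policies": [{
                    "PolicyName": "read-one-bucket",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        # Hypothetical bucket name, constructed for the example.
                        "Statement": [{"Effect": "Allow",
                                       "Action": ["s3:GetObject"],
                                       "Resource": "arn:aws:s3:::example-bucket/*"}]}}]}}}})

PRINCIPAL_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}
DOCUMENT_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM allows Action/Resource/Statement as a scalar or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_findings(statement, where):
    """Yield findings for one policy statement; only Allow statements matter."""
    if not isinstance(statement, dict) or statement.get("Effect") != "Allow":
        return
    actions = [str(a) for a in _as_list(statement.get("Action"))]
    resources = [str(r) for r in _as_list(statement.get("Resource"))]
    if any(a == "*" for a in actions):
        yield f"{where}: Allow with Action '*'"
    elif any(a.endswith(":*") for a in actions):
        yield f"{where}: Allow with service-wide wildcard action {actions}"
    if any(r == "*" for r in resources):
        yield f"{where}: Allow with Resource '*'"
    if "NotAction" in statement:
        # Allow + NotAction grants every action except the ones listed.
        yield f"{where}: Allow with NotAction grants everything not listed"


def _document_findings(document, where):
    if not isinstance(document, dict):
        return
    for i, stmt in enumerate(_as_list(document.get("Statement"))):
        yield from _statement_findings(stmt, f"{where}.Statement[{i}]")


def find_excessive_privileges(template_text: str) -> list:
    """Return a list of human-readable findings for a JSON CloudFormation template."""
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype in PRINCIPAL_TYPES:
            # Inline policies embedded in the role/user/group.
            for policy in _as_list(props.get("Policies")):
                if not isinstance(policy, dict):
                    continue
                pname = policy.get("PolicyName", "?")
                findings.extend(_document_findings(
                    policy.get("PolicyDocument"), f"{name}.Policies[{pname}]"))
            # Managed policy attachments; intrinsic functions (dicts) are skipped.
            for arn in _as_list(props.get("ManagedPolicyArns")):
                if isinstance(arn, str) and arn == ADMIN_MANAGED_POLICY:
                    findings.append(f"{name}: attaches managed policy AdministratorAccess")
        elif rtype in DOCUMENT_TYPES:
            findings.extend(_document_findings(
                props.get("PolicyDocument"), f"{name}.PolicyDocument"))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(label, find_excessive_privileges(text) or "no findings")
```

Two caveats when triaging the output. First, a `Resource: "*"` finding is not always fixable: some API actions do not support resource-level permissions and can only be granted against `*`, so a statement with a narrowly scoped Action and a wildcard Resource may be the tightest policy AWS allows and should be reviewed rather than rejected outright. Second, a checker like this only sees the template; the effective permissions also depend on who can assume the role (the AssumeRolePolicyDocument) and on any permissions boundary or SCP, so a clean scan does not by itself prove least privilege.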