Terraform Locals Bucket Policy Public Access
Description
Detects overly permissive bucket policies in Terraform configurations that allow public access to storage buckets. When a bucket policy defined in a 'locals' block grants access to all users (a wildcard Principal such as 'Principal = "*"'), the bucket contents are exposed publicly to anyone who can reach the bucket.
Detection Strategy
• Scan Terraform configuration files for 'locals' blocks containing bucket policy definitions
• Analyze policy statements to identify public access grants through Principal specifications
• Look for wildcards ('*') or anonymous access configurations in the policy Principal field
• Check if the policy Effect is 'Allow' combined with public Principal access
• Report a vulnerability if the bucket policy in locals enables unrestricted public access
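The steps above can be carried out as one check over the policy document itself. The following added example (not code from the original page or from Fluid Attacks' scanner) assumes the 'locals' policy has already been rendered to JSON, for instance with 'jsonencode()' in 'terraform console', and walks every statement looking for Effect 'Allow' combined with an anonymous Principal. It generalises the page's wildcard case slightly: both the bare '"*"' form and the '{ "AWS": "*" }' form (also inside a list) count as public, Deny statements are skipped because a wildcard there restricts rather than grants, and statements that carry a Condition are reported separately because a condition may narrow the grant and deserves review rather than an automatic pass. The sample policy and its Sids are constructed for illustration.

```python
import json
from typing import Any

# Constructed sample: what a `locals { policy = { ... } }` block yields once
# rendered with jsonencode(). Illustrative data, not a policy from the page.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AccountOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}
""")


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or an array in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal: Any) -> bool:
    """True for the anonymous principal forms: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy: dict) -> list:
    """Return one finding per Allow statement whose Principal is everyone.

    Each finding records the statement index, its Sid, the actions granted and
    whether a Condition block is present. A condition may restrict the grant
    (for example to a VPC endpoint), so such statements are flagged for review
    instead of being silently accepted or silently dropped.
    """
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # a Deny with "*" is a restriction, not an exposure
        if not is_public_principal(statement.get("Principal")):
            continue
        findings.append({
            "index": index,
            "sid": statement.get("Sid", ""),
            "actions": _as_list(statement.get("Action")),
            "conditional": "Condition" in statement,
        })
    return findings


if __name__ == "__main__":
    for finding in find_public_statements(SAMPLE_POLICY):
        confidence = "review" if finding["conditional"] else "high"
        print(f"[{confidence}] statement {finding['index']} ({finding['sid']}): "
              f"public Allow for {', '.join(finding['actions'])}")
```

Run against the sample, the check reports statement 0 ('PublicRead') as a high-confidence public grant and statement 3 ('VpceOnly') as a conditional one to review; the account-scoped Allow and the Deny are left alone. The same function can be pointed at any rendered policy document, which is the useful split: Terraform parsing is one step, the public-access decision is another, and keeping the latter independent makes it testable on plain JSON.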
Vulnerable code example
locals {
  # Vulnerable: Overly permissive policy with wildcard principal and sensitive actions
  policy = {
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:*", # Dangerous: Grants full EC2 access...

✅ Secure code example
locals {
  policy = {
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:DescribeInstances", # Specific EC2 action instead of wildcard
          "s3:DeleteObjectVersion"...