Json Yaml Secrets Manager Privileges
Description
This detector identifies AWS IAM resources (Groups, Roles, or Users) in CloudFormation templates that have overly permissive AWS Secrets Manager policies attached. Having broad Secrets Manager privileges can allow unauthorized access to sensitive credentials and secrets stored in AWS Secrets Manager, potentially leading to data breaches or privilege escalation.
Detection Strategy
• The detector analyzes CloudFormation templates (JSON/YAML format) for AWS IAM resource definitions
• It specifically looks for resources with Type values of 'AWS::IAM::Group', 'AWS::IAM::Role', or 'AWS::IAM::User'
• For each identified IAM resource, it examines attached policies to detect overly permissive Secrets Manager privileges
• A vulnerability is reported when an IAM resource has policies that grant excessive access to AWS Secrets Manager operations
• The detection focuses on policy configurations that could allow unauthorized retrieval or management of secrets beyond what is necessary for the resource's intended function
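As an added illustration of the strategy above (not Fluid Attacks' own detector code), the following Python script walks a constructed CloudFormation template in JSON form and reports IAM Groups, Roles and Users whose managed or inline policies grant broad Secrets Manager access. The managed-policy ARN check and the wildcard-statement rule are assumptions about what "overly permissive" means; the sample template and account id are constructed.

```python
import json
# Constructed sample CloudFormation template (JSON form), not from the page: UnsafeRole
# has the broad managed policy plus a wildcard inline statement, SafeRole reads one secret.
TEMPLATE = json.loads("""{
  "Resources": {
    "UnsafeRole": {"Type": "AWS::IAM::Role", "Properties": {
      "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecretsManagerReadWrite"],
      "Policies": [{"PolicyName": "AllSecrets", "PolicyDocument": {"Statement":
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}}}]}},
    "SafeRole": {"Type": "AWS::IAM::Role", "Properties": {
      "Policies": [{"PolicyName": "ReadOneSecret", "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:111111111111:secret:app/db-*"}]}}]}},
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}""")

IAM_TYPES = {"AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::User"}
BROAD_MANAGED_ARNS = {"arn:aws:iam::aws:policy/SecretsManagerReadWrite"}

def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and Statement.
    return value if isinstance(value, list) else [value]

def _statement_is_broad(stmt):
    # Allow statement granting every action, every Secrets Manager action, or
    # any Secrets Manager action on every secret (Resource "*").
    if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", [])) if isinstance(a, str)]
    resources = [r for r in _as_list(stmt.get("Resource", [])) if isinstance(r, str)]
    if any(a in ("*", "secretsmanager:*") for a in actions):
        return True
    return "*" in resources and any(a.startswith("secretsmanager:") for a in actions)

def find_broad_secrets_privileges(template):
    # Returns (logical id, reason) for each IAM Group/Role/User whose policies grant
    # excessive Secrets Manager access; intrinsic functions (!Ref, Fn::Sub) are skipped.
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties") or {}
        for arn in props.get("ManagedPolicyArns", []):
            if isinstance(arn, str) and arn in BROAD_MANAGED_ARNS:
                findings.append((logical_id, "managed policy " + arn.rsplit("/", 1)[-1]))
        for policy in props.get("Policies", []):
            doc = policy.get("PolicyDocument") or {}
            if any(_statement_is_broad(s) for s in _as_list(doc.get("Statement", []))):
                findings.append((logical_id, "inline policy " + str(policy.get("PolicyName"))))
    return findings
```

Running it on the constructed template reports UnsafeRole twice (managed policy and inline policy) and nothing for SafeRole or the S3 bucket.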
Vulnerable code example
Resources:
  UnsafeRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecretsManagerReadWrite # Overly permissive AWS managed policy
  UnsafeGroup:
    Type: AWS::IAM::Group...
✅ Secure code example
Resources:
  SafeRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/SecretsManagerReadOnly # Read-only access follows least privilege
  SafeGroup:
    Type: AWS::IAM::Group...