Json Yaml Allow With Notresource
Description
Detects IAM policy statements in AWS CloudFormation templates that combine Effect: Allow with a NotResource element. NotResource matches every resource except the ones it lists, so an Allow statement written this way grants the listed actions on all other resources, including resources that do not exist yet. The result is an overly broad policy that violates the principle of least privilege; the intended resources should be named in a Resource element instead.
Detection Strategy
• Identifies AWS::IAM::Role resources in CloudFormation templates
• Examines the statements of each inline policy (Properties.Policies[].PolicyDocument) attached to the role
• Reports a vulnerability when a statement with Effect: Allow also contains a NotResource element
• Applies to permissions policies only: a Deny statement that uses NotResource (deny everything except the listed resources) is a legitimate pattern and is not reported
Vulnerable code example
    Resources:
      VulnerableRole:
        Type: AWS::IAM::Role
        Properties:
          Policies:
            - PolicyName: vulnerable_policy
              PolicyDocument:
                Statement: ...
✅ Secure code example
    Resources:
      SecureRole:
        Type: AWS::IAM::Role
        Properties:
          Policies:
            - PolicyName: secure_policy
              PolicyDocument:
                Statement: ...
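The examples above are truncated on this page, so the following is an added, self-contained checker that implements the detection strategy described here. It is not Fluid Attacks' scanner code. It reads CloudFormation templates in their JSON form (three constructed samples are embedded inline: the Allow + NotResource case, the Resource-based secure case, and a Deny + NotResource guardrail that must not be reported) and goes beyond the Role-only scope described above by also inspecting AWS::IAM::User, AWS::IAM::Group, AWS::IAM::Policy and AWS::IAM::ManagedPolicy. The function name find_allow_with_notresource and the bucket ARNs are assumptions made for this example.

```python
"""Flag IAM statements that pair Effect: Allow with NotResource in a
CloudFormation template. Added example, not Fluid Attacks' scanner code."""
import json

# Resource types that carry inline policies under Properties.Policies.
INLINE_POLICY_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}
# Resource types whose PolicyDocument sits directly under Properties.
DOCUMENT_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}


def _statements(policy_document):
    """IAM accepts a single statement object as well as a list; normalise."""
    stmts = policy_document.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _policy_documents(resource):
    """Yield (policy name, PolicyDocument) pairs attached to one resource.
    Trust policies (AssumeRolePolicyDocument) are skipped: they have no
    Resource/NotResource element."""
    props = resource.get("Properties", {})
    rtype = resource.get("Type", "")
    if rtype in INLINE_POLICY_TYPES:
        for policy in props.get("Policies", []):
            yield policy.get("PolicyName", "<unnamed>"), policy.get("PolicyDocument", {})
    elif rtype in DOCUMENT_TYPES:
        name = props.get("PolicyName") or props.get("ManagedPolicyName") or "<unnamed>"
        yield name, props.get("PolicyDocument", {})


def find_allow_with_notresource(template):
    """Return (logical id, policy name, statement index) for every statement
    that combines Effect: Allow with NotResource.

    Deny + NotResource is deliberately not reported: "deny everything except
    the listed resources" is the legitimate use of the element.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for policy_name, doc in _policy_documents(resource):
            for idx, stmt in enumerate(_statements(doc)):
                if stmt.get("Effect") == "Allow" and "NotResource" in stmt:
                    findings.append((logical_id, policy_name, idx))
    return findings


# Constructed sample templates (JSON form of CloudFormation). Bucket names are
# placeholders; AssumeRolePolicyDocument is omitted because the checker
# ignores trust policies anyway.
VULNERABLE_TEMPLATE = json.loads(r"""{
  "Resources": {"VulnerableRole": {"Type": "AWS::IAM::Role", "Properties": {
    "Policies": [{"PolicyName": "vulnerable_policy", "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow", "Action": "s3:*",
                     "NotResource": "arn:aws:s3:::audit-logs/*"}]}}]}}}
}""")

SECURE_TEMPLATE = json.loads(r"""{
  "Resources": {"SecureRole": {"Type": "AWS::IAM::Role", "Properties": {
    "Policies": [{"PolicyName": "secure_policy", "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow",
                     "Action": ["s3:GetObject", "s3:PutObject"],
                     "Resource": "arn:aws:s3:::app-data/*"}]}}]}}}
}""")

# Legitimate guardrail: Deny on everything except one bucket. Also exercises
# the single-object Statement form.
DENY_TEMPLATE = json.loads(r"""{
  "Resources": {"GuardrailPolicy": {"Type": "AWS::IAM::ManagedPolicy",
    "Properties": {"ManagedPolicyName": "deny_outside_app_data",
      "PolicyDocument": {"Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "s3:*",
                      "NotResource": "arn:aws:s3:::app-data/*"}}}}}
}""")


if __name__ == "__main__":
    for label, tpl in (("vulnerable", VULNERABLE_TEMPLATE),
                       ("secure", SECURE_TEMPLATE),
                       ("deny-guardrail", DENY_TEMPLATE)):
        print(label, find_allow_with_notresource(tpl))
```

For YAML templates the same function applies to the parsed dict, but note that yaml.safe_load rejects CloudFormation's intrinsic short-form tags (!Ref, !Sub, !GetAtt); register a multi-constructor for the "!" tag prefix before loading, or the template will not parse at all.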