Terraform Excessive Role Policy Locals

Description

Detects overly permissive IAM role policies defined in Terraform locals blocks. Excessive permissions in IAM policies can violate the principle of least privilege and create security risks by granting more access than necessary to AWS resources.

Weakness: 031 - Excessive privileges - AWS

Category: Access Subversion

Detection Strategy

- Identifies Terraform configuration files that contain 'locals' blocks
- Examines IAM role policy definitions within those locals blocks
- Reports a vulnerability if policies grant overly broad permissions or use wildcards (*) in resource or action specifications
- Checks if the policy allows unrestricted actions on sensitive AWS services
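The detection strategy above as an added Python example (not the scanner's own code): it evaluates the decoded policy document that jsonencode() produces rather than raw HCL, and the SENSITIVE_SERVICES set and the two sample policies are assumptions constructed for the example.

```python
import json

# Services for which a service-wide "<service>:*" Allow is treated as excessive
# even when Resource is scoped (assumed list chosen for this example).
SENSITIVE_SERVICES = {"iam", "sts", "kms", "s3", "ec2", "lambda"}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]


def find_excessive_statements(policy):
    """Return (sid, reason) findings for Allow statements that grant too much.

    `policy` is the decoded document that jsonencode() in the locals block
    produces. Deny statements never widen access, so they are skipped.
    """
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "Action allows every operation ('*')"))
            elif action.endswith(":*") and action.split(":", 1)[0] in SENSITIVE_SERVICES:
                findings.append((sid, f"unrestricted actions on sensitive service ({action})"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "Resource is unrestricted ('*')"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource allows everything not listed"))
    return findings


# Constructed sample documents mirroring the page's two locals blocks; the account id is a placeholder.
VULNERABLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

SECURE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "RestrictedIAMAttach", "Effect": "Allow",
                 "Action": ["iam:AttachRolePolicy"],
                 "Resource": "arn:aws:iam::123456789012:role/app-role"}]
}""")
```

Calling find_excessive_statements(VULNERABLE_POLICY) yields two findings (wildcard Action and wildcard Resource), while the secure policy yields none.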

Vulnerable code example

locals {
  vulnerable_policy = {
    name = "vulnerable_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"...

✅ Secure code example

locals {
  secure_policy = {
    name = "secure_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Sid    = "RestrictedIAMAttach"...