Terraform Write Actions Wildcard Resource Locals
Description
Detects overly permissive IAM policies defined in Terraform local variables that use wildcards (*) for write actions or resources. This creates a security risk by potentially granting excessive permissions that violate the principle of least privilege.
Detection Strategy
• Review local variable definitions in Terraform files for IAM policy statements
• Check if policy actions contain wildcards (e.g., 's3:*', 'dynamodb:*') that grant write permissions
• Examine if policy resources contain wildcards (e.g., 'arn:aws:s3:::*') that apply to all resources of a service
• Flag policies where wildcards are used for both the action and resource components
Vulnerable code example
locals {
  # Vulnerable: Uses heredoc with overly permissive IAM policy (*) resource
  dangerous_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",...
✅ Secure code example
locals {
  # Safe: Restricts IAM user actions to specific path prefix
  safe_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",...
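The detection strategy above, carried out in Python as an added example (not code from the original page or from Fluid Attacks' scanner): it pulls every heredoc policy out of a Terraform locals block, keeps the statements that parse as JSON, and flags Allow statements whose action and resource are both wildcarded. The read-only verb prefixes, the heredoc regex and the SAMPLE_TF input are assumptions constructed for the example.

```python
import json
import re
# Lower-cased verb prefixes that only read; any other wildcarded verb counts as a write (assumed list)
READ_ONLY_PREFIXES = ("get", "list", "describe", "head", "batchget", "view",
                      "lookup", "search", "query", "scan", "count", "read")
# Body of a Terraform heredoc such as  policy = <<-EOF ... EOF
HEREDOC_RE = re.compile(r"<<-?(\w+)\r?\n(.*?)\r?\n\s*\1\b", re.DOTALL)

def _as_list(value):  # IAM lets Action/Resource be a string or a list
    return [] if value is None else (value if isinstance(value, list) else [value])

def is_wildcard_write_action(action: str) -> bool:
    """'*', 'service:*' or a wildcarded non-read verb like 's3:Put*' grants broad write access."""
    _, _, verb = action.partition(":")
    if action == "*" or verb == "*":
        return True
    return "*" in verb and not verb.lower().startswith(READ_ONLY_PREFIXES)

def find_wildcard_write_statements(policy_json: str) -> list:
    """Return Allow statements that pair a wildcard write action with a wildcard resource."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if is_wildcard_write_action(a)]
        resources = [r for r in _as_list(stmt.get("Resource")) if "*" in r]  # e.g. arn:aws:s3:::*
        if actions and resources:  # flag only when both components are wildcarded
            findings.append({"actions": actions, "resources": resources})
    return findings

def scan_terraform_locals(hcl_text: str) -> list:
    """Extract every heredoc from the Terraform text and scan those that parse as JSON policies."""
    findings = []
    for _, body in HEREDOC_RE.findall(hcl_text):
        try:
            findings.extend(find_wildcard_write_statements(body))
        except json.JSONDecodeError:
            continue  # heredoc is not a JSON policy document (e.g. a user-data script)
    return findings

# Constructed sample mirroring the page's dangerous_policy and safe_policy locals
SAMPLE_TF = """locals {
  dangerous_policy = <<-EOF
  {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}
  EOF
  safe_policy = <<-EOF
  {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["iam:GetUser", "iam:ListUsers"], "Resource": "arn:aws:iam::123456789012:user/app/*"}]}
  EOF
}"""
```

Running scan_terraform_locals(SAMPLE_TF) reports only the dangerous_policy statement; safe_policy has a wildcard in its resource path but no wildcard write action, so it is not flagged.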