Terraform Admin Managed Policy Attached
Description
Identifies AWS IAM roles configured with excessive administrative privileges in Terraform configurations. This violates the principle of least privilege and creates security risks by granting broader permissions than necessary for the role's intended function.
Detection Strategy
• Scans Terraform configuration files for AWS IAM role definitions
• Checks if the IAM role has administrative managed policies attached
• Reports a vulnerability when an IAM role is found with overly permissive policies like full administrative access
• Focuses specifically on resource blocks of type 'aws_iam_role' in the Terraform code
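The detection strategy above, as an added example that is not Fluid Attacks' own scanner: a small Python checker that walks top-level Terraform resource blocks, reads managed_policy_arns on aws_iam_role resources, and reports any role that receives full administrative access. It goes a step beyond the bullets by also inspecting aws_iam_role_policy_attachment resources, since the same policy can be attached there. The regex-based parsing and the sample configuration are assumptions made for the example.

```python
import re

# AWS-managed policies treated as full administrative access. The page's check
# targets AdministratorAccess; extending this set is left to the reader.
ADMIN_POLICY_ARNS = {"arn:aws:iam::aws:policy/AdministratorAccess"}

# Top-level resource block: type, name, and body up to a closing brace at
# column 0 (enough for flat resources like the page's examples, not full HCL).
_RESOURCE_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
_ARN_RE = re.compile(r'"(arn:aws:iam::aws:policy/[^"]+)"')


def find_admin_roles(tf_source: str) -> list:
    """Return findings for roles granted an admin managed policy."""
    findings = []
    for m in _RESOURCE_RE.finditer(tf_source):
        rtype, name, body = m.group("type"), m.group("name"), m.group("body")
        if rtype == "aws_iam_role":
            # Policies listed inline on the role via managed_policy_arns = [...]
            attr = re.search(r"managed_policy_arns\s*=\s*\[(.*?)\]", body, re.DOTALL)
            arns = _ARN_RE.findall(attr.group(1)) if attr else []
        elif rtype == "aws_iam_role_policy_attachment":
            # Same policy can arrive through a separate attachment resource
            arns = _ARN_RE.findall(body)
        else:
            continue
        for arn in arns:
            if arn in ADMIN_POLICY_ARNS:
                findings.append({"resource": f"{rtype}.{name}", "policy_arn": arn})
    return findings


# Constructed sample: one admin role, one least-privilege role, and a
# separate attachment that re-introduces admin access to the second role.
SAMPLE_TF = '''
resource "aws_iam_role" "admin_role" {
  name                = "admin_role"
  managed_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"]
}

resource "aws_iam_role" "iot_role" {
  name                = "iot_role"
  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSIoTLogging"]
}

resource "aws_iam_role_policy_attachment" "late_admin" {
  role       = aws_iam_role.iot_role.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
'''

if __name__ == "__main__":
    for finding in find_admin_roles(SAMPLE_TF):
        print(f"{finding['resource']}: attaches {finding['policy_arn']}")
```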
Vulnerable code example
resource "aws_iam_role" "example_role" {
  name = "example_role"
  # Security issue: Grants full admin access - violates principle of least privilege
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess"
  ]
}
✅ Secure code example
resource "aws_iam_role" "example_role" {
  name = "example_role"
  # Security: Use specific service policies instead of admin access
  # Note: managed_policy_arns is deprecated in recent AWS provider versions;
  # aws_iam_role_policy_attachment is the preferred way to attach policies
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/service-role/AWSIoTLogging", # Restrict to only IoT logging permissions
    "arn:aws:iam::aws:policy/AWSAgentlessDiscoveryService" # Add discovery service if needed
  ]
}