Json Yaml Unrestricted Policy Version Control
Description
Detects AWS CloudFormation templates (JSON or YAML) that define IAM policies granting control over managed-policy versions (iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion) without restricting which policies can be changed, typically because the Resource element is a wildcard. A principal with these permissions can create a new version of any reachable managed policy with arbitrary permissions and make it the default (CreatePolicyVersion with the set-as-default option does both in one call), or switch the default back to an older, more permissive version. Either path lets an attacker who controls that principal escalate privileges within the AWS account.
Detection Strategy
• Analyze CloudFormation template files (JSON or YAML) that contain IAM policy resource definitions: AWS::IAM::ManagedPolicy, AWS::IAM::Policy, and inline policies attached to roles, users and groups
• Check each Allow statement for actions that create or change the default version of a managed policy (iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, or wildcards such as iam:* that cover them)
• Verify whether the Resource element limits those actions to a specific managed policy ARN, or whether a wildcard would let the principal change versions of sensitive IAM policies
• Report a vulnerability when the version-control actions are allowed over an unrestricted resource, since this permits privilege escalation
Vulnerable code example

```yaml
Resources:
  DangerousPolicy:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      Description: 'Vulnerable policy example'
      PolicyDocument:
        Version: '2012-10-17'
        Statement: ...
```

✅ Secure code example
```yaml
Parameters:
  ManagedPolicyArn:
    Type: String
    Description: ARN of the specific policy to manage
Resources:
  SafePolicy:
    Type: 'AWS::IAM::ManagedPolicy' ...
```
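The detection strategy above, carried through as a small scanner. This is an added example written for this page, not Fluid Attacks' own checker. It assumes the template is in CloudFormation's JSON form (the YAML form would additionally need a YAML parser that understands the short-form intrinsic tags), walks every PolicyDocument under each resource, and flags Allow statements whose Action covers iam:CreatePolicyVersion or iam:SetDefaultPolicyVersion while the Resource contains a wildcard. The treatment of intrinsics (Ref treated as a single specific ARN, Fn::Sub inspected through its template string, anything else treated as broad) is a conservative assumption of the example, and the two embedded templates are constructed to mirror the vulnerable and secure cases above.

```python
import fnmatch
import json

# IAM actions that change which version of a managed policy is in effect.
# CreatePolicyVersion alone suffices when the caller sets the new version as
# default in the same call, so either action over a broad resource is a finding.
VERSION_CONTROL_ACTIONS = ("iam:createpolicyversion", "iam:setdefaultpolicyversion")


def _as_list(value):
    """Action, Resource and Statement may be a single item or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards (e.g. 'iam:*')."""
    return fnmatch.fnmatchcase(action, str(pattern).lower())


def _resource_is_unrestricted(resource):
    """True when the Resource pattern reaches more than one specific managed policy.

    Assumption of this example: a Ref is a single ARN handed in as a parameter
    (restricted); Fn::Sub is checked through its template string; any other
    intrinsic is not resolved and is treated as broad.
    """
    if isinstance(resource, dict):
        if "Ref" in resource:
            return False
        sub = resource.get("Fn::Sub")
        if isinstance(sub, list) and sub:
            sub = sub[0]
        if not isinstance(sub, str):
            return True
        resource = sub
    # Any wildcard in a policy ARN (account, path or name segment) is unrestricted.
    return "*" in str(resource)


def _find_policy_documents(node):
    """Yield every PolicyDocument under a resource, however it is nested:
    ManagedPolicy/Policy use Properties.PolicyDocument, while Role, User and
    Group carry inline policies under Properties.Policies[].PolicyDocument."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "PolicyDocument" and isinstance(value, dict):
                yield value
            else:
                yield from _find_policy_documents(value)
    elif isinstance(node, list):
        for item in node:
            yield from _find_policy_documents(item)


def scan_template(template_json):
    """Return (logical_id, action_pattern, resource_pattern) for each Allow
    statement granting policy-version control over a non-specific resource.
    Statements written with NotAction/NotResource are not evaluated here."""
    template = json.loads(template_json)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for document in _find_policy_documents(resource):
            for statement in _as_list(document.get("Statement")):
                if statement.get("Effect") != "Allow":
                    continue
                risky = [
                    pattern for pattern in _as_list(statement.get("Action"))
                    if any(_action_matches(pattern, act) for act in VERSION_CONTROL_ACTIONS)
                ]
                for res in _as_list(statement.get("Resource")):
                    if risky and _resource_is_unrestricted(res):
                        shown = res if isinstance(res, str) else json.dumps(res)
                        findings.extend((logical_id, p, shown) for p in risky)
    return findings


# Constructed templates (JSON form of the YAML examples on this page).
VULNERABLE_TEMPLATE = json.dumps({"Resources": {"DangerousPolicy": {
    "Type": "AWS::IAM::ManagedPolicy",
    "Properties": {"Description": "Vulnerable policy example", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
                       "Resource": "*"}]}}}}})

SECURE_TEMPLATE = json.dumps({
    "Parameters": {"ManagedPolicyArn": {"Type": "String"}},
    "Resources": {"SafePolicy": {
        "Type": "AWS::IAM::ManagedPolicy",
        "Properties": {"PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
                           "Resource": {"Ref": "ManagedPolicyArn"}}]}}}}})

if __name__ == "__main__":
    for name, template in (("vulnerable", VULNERABLE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(name, scan_template(template))
```

The scanner deliberately searches for PolicyDocument keys anywhere under a resource rather than only on AWS::IAM::ManagedPolicy, so inline policies on roles, users and groups are covered too; a statement with Effect Deny is skipped, and a wildcard action such as iam:* is reported because it matches the version-control actions.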