Terraform Allow With Notaction Locals
Description
Detects the use of NotAction in AWS IAM policies defined within Terraform local variables. Using NotAction creates an allow list for all actions except those specified, which can lead to overly permissive permissions and violate the principle of least privilege.
Detection Strategy
• Identifies local variable blocks in Terraform configuration files
• Examines IAM policy definitions within these local variables
• Reports a vulnerability when NotAction is used in an Allow effect statement
• The policy must be defined within Terraform locals to trigger this check
Vulnerable code example
locals {
  vulnerable_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Resource  = "*"              # Dangerous: applies to all resources
        NotAction = ["iam:GetRole"]  # Vulnerable: NotAction allows ALL actions except iam:GetRole
      }
    ]
  })
}
✅ Secure code example
locals {
  secure_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Resource = "arn:aws:iam:::role/specific_role"  # Explicitly scope to a specific role
        Action   = [                                   # Explicitly list allowed actions
          "iam:GetRole"  # Placeholder entry (the original list is truncated here): grant only the actions the role needs
        ]
      }
    ]
  })
}