Terraform Allow With Notaction
Description
Detects AWS IAM policies whose Allow statements use NotAction, which grants every action except those explicitly listed. This is a security risk because such statements are overly permissive and may grant unintended access rights: any action the author did not think to exclude is allowed, including actions of AWS services that are added after the policy was written.
Detection Strategy
• Scan Terraform configuration files for IAM policy resources (aws_iam_policy, aws_iam_role_policy, aws_iam_user_policy, aws_iam_group_policy, or aws_iam_policy_document)
• Check whether the policy document contains a NotAction (JSON policy) or not_actions (aws_iam_policy_document) element
• Report a vulnerability if NotAction is used in a statement whose effect is Allow (NotAction under a Deny effect is not reported)
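The check described above, as an added example that is not Fluid Attacks' own scanner: it runs over the rendered IAM policy document (the JSON that jsonencode produces) and flags statements that pair Effect "Allow" with NotAction, while leaving Deny + NotAction alone. The two sample policies are constructed for this example.

```python
import json


def _as_list(value):
    # IAM lets most statement fields be one string or a list of strings.
    return [] if value is None else value if isinstance(value, list) else [value]


def find_allow_notaction(policy_json):
    """Return one finding per statement pairing Effect "Allow" with NotAction.

    Deny + NotAction is not flagged: denying everything outside a list is a
    legitimate pattern, and the rule only reports NotAction under Allow.
    """
    doc = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "NotAction" not in stmt:
            continue
        findings.append({
            "statement": stmt.get("Sid", f"statement[{index}]"),
            "not_action": _as_list(stmt["NotAction"]),
            "resource": _as_list(stmt.get("Resource")),
        })
    return findings

# Constructed sample (not from the page): everything except iam:* and
# organizations:* is allowed on every resource, including services added later.
VULNERABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEverythingButIam",
        "Effect": "Allow",
        "NotAction": ["iam:*", "organizations:*"],
        "Resource": "*",
    }],
})

# Constructed sample: an explicit allow-list, so any action not named here
# (including ones AWS adds later) stays denied by default.
SECURE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowBucketRead",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})
```

To apply it to a Terraform file, render the policy first (for example from `terraform show -json` output), since the HCL inside jsonencode is not itself JSON.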
Vulnerable code example
resource "aws_iam_policy" "vulnerable_policy" {
  name = "overly_permissive_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"...
✅ Secure code example
resource "aws_iam_policy" "secure_policy" {
  name = "restricted_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"...