Terraform Notaction Notresource Policy

Description

Detects the use of negative statements (NotAction/NotResource) in AWS IAM policies defined in Terraform. A negative statement grants everything except what it lists, so it can inadvertently allow more than intended; in particular, any action or resource type that AWS adds after the policy was written is implicitly covered by it.

Weakness:

031 - Excessive privileges - AWS

Category: Access Subversion

Detection Strategy

    Scans Terraform configuration files for IAM policy resources (aws_iam_policy, aws_iam_role_policy, aws_iam_group_policy, aws_iam_user_policy) and policy documents

    Identifies policy statements that use NotAction or NotResource elements in their definition

    Reports a vulnerability when an IAM policy uses negative statement patterns which could lead to excessive permissions
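The following is an added example of the detection strategy described above, written here for illustration; it is not code from this page or from the scanner it documents. It finds the four IAM policy resource types in a Terraform file, walks each resource block, and reports every NotAction/NotResource element with its line number, whether the policy is written as an HCL object inside jsonencode() or as a JSON heredoc. The regular expressions, the function name scan_terraform, and the sample Terraform text are assumptions constructed for the example.

```python
import re

# Resource types named in the rule's detection strategy.
IAM_POLICY_RESOURCES = {
    "aws_iam_policy",
    "aws_iam_role_policy",
    "aws_iam_group_policy",
    "aws_iam_user_policy",
}

# Opening line of a Terraform resource block: resource "<type>" "<name>" {
RESOURCE_RE = re.compile(r'^\s*resource\s+"(?P<type>[A-Za-z0-9_]+)"\s+"(?P<name>[^"]+)"\s*\{')
# NotAction / NotResource as an HCL attribute (NotAction = [...]) or JSON key ("NotAction": [...]).
NEGATIVE_RE = re.compile(r'\b(?P<element>NotAction|NotResource)"?\s*[=:]')


def scan_terraform(text):
    """Report NotAction/NotResource elements found inside IAM policy resources."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        header = RESOURCE_RE.match(lines[i])
        if not header or header.group("type") not in IAM_POLICY_RESOURCES:
            i += 1
            continue
        # Walk the block, tracking brace depth until the resource closes.
        # Caveat: braces inside string literals are counted too (rare in policies).
        depth = 0
        j = i
        while j < len(lines):
            depth += lines[j].count("{") - lines[j].count("}")
            hit = NEGATIVE_RE.search(lines[j])
            if hit:
                findings.append({
                    "resource_type": header.group("type"),
                    "resource_name": header.group("name"),
                    "element": hit.group("element"),
                    "line": j + 1,  # 1-based line number in the file
                })
            if depth == 0:
                break
            j += 1
        i = j + 1
    return findings


# Constructed sample input (not from the page): a negative-statement policy in HCL
# object syntax, an explicit Action/Resource policy, and a JSON heredoc policy.
SAMPLE_TF = """\
resource "aws_iam_role_policy" "vulnerable_policy" {
  name = "vulnerable_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect      = "Allow"
        NotAction   = ["iam:*", "organizations:*"]
        NotResource = ["arn:aws:s3:::protected-bucket/*"]
      }
    ]
  })
}
resource "aws_iam_role_policy" "secure_policy" {
  name = "secure_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "ExplicitPermissions"
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:ListBucket"]
        Resource = ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]
      }
    ]
  })
}
resource "aws_iam_policy" "heredoc_policy" {
  name   = "heredoc_policy"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
EOF
}
"""

if __name__ == "__main__":
    for f in scan_terraform(SAMPLE_TF):
        print(f"{f['resource_type']}.{f['resource_name']}:{f['line']} uses {f['element']}")
```

Running the block reports the NotAction and NotResource lines of vulnerable_policy and the NotAction line of heredoc_policy; secure_policy, which lists its Action and Resource explicitly, produces no finding. When triaging results, note that the rule as described flags every NotAction/NotResource regardless of Effect, so a Deny statement that uses NotAction to mean "deny everything except" is reported as well and needs a reviewer's judgement.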

Vulnerable code example

resource "aws_iam_role_policy" "vulnerable_policy" {
  name = "vulnerable_policy"
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"...

✅ Secure code example

resource "aws_iam_role_policy" "secure_policy" {
  name = "secure_policy"
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "ExplicitPermissions"...