Json Yaml Notaction Notresource Policy
Description
Detects the use of the negative elements NotAction and NotResource in AWS IAM policy statements. Combined with Effect: Allow, NotAction grants every action except the ones listed, and NotResource grants access to every resource except the ones listed. The resulting permission set is open-ended: it includes actions and services that did not exist when the policy was written, so it is broader than intended and grows over time. Least privilege requires allowing only the required actions and resources explicitly.
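To make the difference concrete, the following is an added example (not code from the original page or from Fluid Attacks) that evaluates a single IAM statement against an action and a resource. It is deliberately simplified: it ignores Condition, Principal and the precedence of explicit Deny across statements, and the statements it checks are constructed for the example. It shows that a NotAction allow matches an action that was never named, including one from a hypothetical service that did not exist when the policy was written, while a positive Action list does not.

```python
import fnmatch

# Simplified single-statement evaluator (added example, not the page's code).
# Assumptions: no Condition/Principal handling, no cross-statement Deny
# precedence. IAM action names match case-insensitively with * and ?
# wildcards; resource ARNs match case-sensitively with the same wildcards.


def _matches(patterns, value, case_insensitive):
    """True if value matches any of the IAM patterns (a str or a list of str)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_matches(stmt, action, resource):
    """Does the statement apply to the (action, resource) pair?

    Action/Resource are positive lists: the statement applies when the request
    matches one of them. NotAction/NotResource are negative lists: the
    statement applies when the request matches NONE of them, which is what
    makes them open-ended.
    """
    if "Action" in stmt:
        action_ok = _matches(stmt["Action"], action, True)
    elif "NotAction" in stmt:
        action_ok = not _matches(stmt["NotAction"], action, True)
    else:
        raise ValueError("statement needs Action or NotAction")

    if "Resource" in stmt:
        resource_ok = _matches(stmt["Resource"], resource, False)
    elif "NotResource" in stmt:
        resource_ok = not _matches(stmt["NotResource"], resource, False)
    else:
        raise ValueError("statement needs Resource or NotResource")

    return action_ok and resource_ok


def statement_allows(stmt, action, resource):
    """True only for an Allow statement that matches the request."""
    return stmt.get("Effect") == "Allow" and statement_matches(stmt, action, resource)


# Constructed statements for the example; not taken from the original page.
NEGATIVE_ALLOW = {
    "Effect": "Allow",
    "NotAction": ["iam:*", "organizations:*"],
    "Resource": "*",
}
POSITIVE_ALLOW = {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::app-bucket/*",
}

if __name__ == "__main__":
    # "futuresvc:DoAnything" stands in for an action added after the policy
    # was written: the NotAction statement allows it without anyone deciding to.
    for action in ("ec2:TerminateInstances", "iam:CreateUser", "futuresvc:DoAnything"):
        print(
            f"{action:28} NotAction-allow={statement_allows(NEGATIVE_ALLOW, action, '*')!s:5} "
            f"Action-allow={statement_allows(POSITIVE_ALLOW, action, 'arn:aws:s3:::app-bucket/x')}"
        )
```

Run it and the NotAction statement allows both ec2:TerminateInstances and the made-up futuresvc:DoAnything while refusing only iam:CreateUser; the positive statement allows s3:GetObject on the named bucket and nothing else. That asymmetry is the reason the rule treats negative elements as a finding.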
Detection Strategy
• Scans AWS IAM policy documents in CloudFormation templates
• Identifies policy statements that use NotAction or NotResource elements
• Reports a vulnerability when negative statement patterns are found in policy statements
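The strategy above, implemented as an added example (this is not Fluid Attacks' scanner and makes no claim about how it is built). It walks a parsed CloudFormation template, treats any mapping that carries a Statement key as a policy document (managed policies, inline role/user/group policies, trust policies and resource policies alike), and reports each statement that uses NotAction or NotResource together with its Effect. The template is assumed to be already loaded into a dict, for example with json.load(); a YAML template needs a loader that accepts CloudFormation intrinsic tags such as !Ref and !Sub before the same walk applies. The sample template is constructed for the example.

```python
from __future__ import annotations

import json

# Added detection example; not the scanner from the original page.
# Assumes the template has already been parsed into a dict (JSON here).

NEGATIVE_ELEMENTS = ("NotAction", "NotResource")


def _walk(node, path=()):
    """Yield (path, value) for node and every nested mapping/sequence element."""
    yield path, node
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))


def find_negative_statements(template: dict) -> list[dict]:
    """Return one finding per policy statement that uses NotAction/NotResource.

    Any mapping with a Statement key is treated as a policy document, so the
    scan is not tied to a fixed list of resource types or property names.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if not isinstance(resource, dict):
            continue
        for path, node in _walk(resource, (logical_id,)):
            if not (isinstance(node, dict) and "Statement" in node):
                continue
            statements = node["Statement"]
            if isinstance(statements, dict):  # IAM also accepts a single statement
                statements = [statements]
            for index, stmt in enumerate(statements):
                if not isinstance(stmt, dict):
                    continue
                negatives = [e for e in NEGATIVE_ELEMENTS if e in stmt]
                if negatives:
                    findings.append({
                        "resource": logical_id,
                        "type": resource.get("Type", "?"),
                        "path": "/".join(path + ("Statement", str(index))),
                        "effect": stmt.get("Effect"),
                        "elements": negatives,
                    })
    return findings


# Constructed sample template (not from the original page): one NotAction
# allow in a managed policy, one NotResource deny inline on a role, and one
# clean least-privilege policy that must not be reported.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Resources": {
    "DangerousPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}
          ]
        }
      }
    },
    "AppRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}
          ]
        },
        "Policies": [
          {
            "PolicyName": "bucket-only",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": {"Effect": "Deny", "Action": "s3:*", "NotResource": "arn:aws:s3:::app-bucket/*"}
            }
          }
        ]
      }
    },
    "SecurePolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-bucket/*"}
          ]
        }
      }
    }
  }
}
""")

if __name__ == "__main__":
    for finding in find_negative_statements(SAMPLE_TEMPLATE):
        print(f"{finding['type']:24} {finding['effect']:5} {','.join(finding['elements']):11} {finding['path']}")
```

The Effect is included in each finding because it matters for triage: NotAction or NotResource under Effect: Deny is a common deliberate pattern ("deny everything except ..."), whereas the same elements under Effect: Allow are the open-ended grants this rule exists to catch and are the ones to rewrite as explicit Action and Resource lists.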
Vulnerable code example
Resources:
  DangerousPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            NotAction: '*' # Dangerous: NotAction with wildcard grants all actions except specified...

✅ Secure code example
Resources:
  SecurePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "Secure policy following least-privilege principle"
      PolicyDocument:
        Version: "2012-10-17" # Always specify policy version
        Statement:...