Terraform Excessive Attach Privileges
Description
Detects overly permissive IAM policies in AWS Terraform configurations that grant excessive privileges to users, groups, or roles. Such policies violate the principle of least privilege: if the principal holding them is compromised, the attacker inherits every permission the policy grants, not just the ones the workload actually needs.
Detection Strategy
• Scans Terraform configuration files for IAM policy resources and data sources, including aws_iam_group_policy, aws_iam_policy, aws_iam_role_policy, aws_iam_user_policy, and aws_iam_policy_document
• Examines the policy statements and the actions and resources they allow
• Identifies Allow statements that use wildcards (*) in the Action or Resource definition, or that otherwise grant overly broad permissions
• Reports a vulnerability when a policy grants more permissions than the intended function requires
• Checks policies attached to roles in particular, since an assumed role with broad permissions is a common privilege-escalation path
Vulnerable code example
resource "aws_iam_role_policy" "vulnerable_policy" {
  name = "vulnerable_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"...
Secure code example
resource "aws_iam_role_policy" "secure_policy" {
  name = "secure_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"...
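The following checker is an added illustration of the detection strategy above; it is not Fluid Attacks' scanner and not code from the original page. It works on the JSON document that Terraform's jsonencode() renders from an aws_iam_*_policy resource, so the same logic applies to policies attached to users, groups, and roles. The two sample policies, the helper names, and the rule that a bare "*" or a service-wide "svc:*" counts as a wildcard are assumptions made for the example. It also flags Allow statements that use NotAction or NotResource, which act as inverted wildcards and are easy to overlook.

```python
"""Added example: flag overly permissive statements in a rendered IAM policy."""
import json

# Constructed sample in the shape of the vulnerable example: every action on
# every resource.
VULNERABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample in the shape of the secure example: named actions on a
# named bucket. The trailing "/*" only selects objects inside that bucket.
SECURE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
        },
    ],
})

# Constructed sample mixing a service-wide wildcard, an inverted wildcard, and
# a Deny statement (Deny never widens access and must not be reported).
MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "arn:aws:ec2:*:*:instance/*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _broad_actions(actions):
    """Actions that grant everything ("*") or a whole service ("iam:*")."""
    return [a for a in actions if a == "*" or a.endswith(":*")]


def _broad_resources(resources):
    """Resources that match everything. A wildcard inside an ARN path, such as
    an S3 object key, is not reported here; only a bare "*" is."""
    return [r for r in resources if r == "*"]


def find_excessive_statements(policy_json):
    """Return one (statement index, reason) tuple per problem found.

    Only Allow statements are examined: a Deny can only remove access.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _broad_actions(_as_list(stmt.get("Action"))):
            findings.append((index, f"wildcard action {action!r}"))
        for resource in _broad_resources(_as_list(stmt.get("Resource"))):
            findings.append((index, f"wildcard resource {resource!r}"))
        # NotAction/NotResource in an Allow grant everything except the listed
        # items, which is a wildcard in disguise.
        if "NotAction" in stmt:
            findings.append((index, "Allow with NotAction grants every unlisted action"))
        if "NotResource" in stmt:
            findings.append((index, "Allow with NotResource grants every unlisted resource"))
    return findings


if __name__ == "__main__":
    for name, doc in [("vulnerable", VULNERABLE_POLICY),
                      ("secure", SECURE_POLICY),
                      ("mixed", MIXED_POLICY)]:
        print(name, find_excessive_statements(doc))
```

The secure sample produces no findings because its wildcard only appears in the S3 key path, which is the usual way to scope object-level permissions to one bucket; the checker deliberately distinguishes that from a bare "*" resource. In a real pipeline you would run this against the rendered JSON from terraform show -json rather than against the HCL source, so that variables and jsonencode() calls are already resolved.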