
Terraform Allow With Notresource Locals

Description

Detects IAM permission policies defined in Terraform locals that use NotResource statements. Using NotResource in an Allow statement is considered a security risk because it grants the permission on every resource except those explicitly listed, so any resource not named (including ones created later) is implicitly in scope, which could lead to unintended access to sensitive resources.

Weakness: 165 - Insecure service configuration - AWS

Category: Functionality Abuse

Detection Strategy

    Search for 'locals' blocks in Terraform configuration files

    Within locals blocks, identify IAM policy definitions that contain NotResource statements

    Report a vulnerability if any IAM policy uses NotResource instead of explicitly listing allowed resources
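The three detection steps above as an added, runnable check (example code written for this page, not part of the original page or of any scanner): it extracts each top-level locals block by bracket matching, walks the locals one at a time, and reports the line and local name of every NotResource key. The Terraform sample is constructed for the example.

```python
import re

# Constructed sample Terraform (not from the page): one local using NotResource, one using Resource.
SAMPLE_TF = """\
locals {
  risky_policy = jsonencode({ Version = "2012-10-17", Statement = [
    { Effect = "Allow", Action = ["s3:GetObject"], NotResource = ["arn:aws:s3:::audit-logs/*"] }] })
  secure_policy = jsonencode({ Version = "2012-10-17", Statement = [
    { Effect = "Allow", Action = ["s3:GetObject"], Resource = ["arn:aws:s3:::app-data/*"] }] })
}
"""
OPEN, CLOSE = "{[(", "}])"
ASSIGN = re.compile(r"\s*(\w+)\s*=\s*")  # `name = value` at the top level of a locals body

def _balanced_end(text, i):
    """Index of the delimiter closing the bracket at text[i]; brackets inside "..." are skipped."""
    depth, in_str = 0, False
    for j in range(i, len(text)):
        c = text[j]
        if in_str:
            in_str = not (c == '"' and text[j - 1] != "\\")
        elif c == '"':
            in_str = True
        elif c in OPEN:
            depth += 1
        elif c in CLOSE:
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced delimiters")

def find_notresource(tf_text):
    """Return [(line, local_name)] for every NotResource key inside a locals block."""
    findings = []
    for m in re.finditer(r"^\s*locals\s*\{", tf_text, re.M):
        end, pos = _balanced_end(tf_text, m.end() - 1), m.end()
        while (a := ASSIGN.match(tf_text, pos, end)):  # visit each local in turn, skipping its value
            name, vstart = a.group(1), a.end()
            nl = tf_text.find("\n", vstart, end)
            nl = end if nl < 0 else nl
            # A value runs to the end of its line, or to the bracket matching its first opener
            br = None if tf_text[vstart] == '"' else re.search(r"[{\[(]", tf_text[vstart:nl])
            vend = _balanced_end(tf_text, vstart + br.start()) + 1 if br else nl
            for k in re.finditer(r"\bNotResource\b", tf_text[vstart:vend]):
                findings.append((tf_text.count("\n", 0, vstart + k.start()) + 1, name))
            pos = vend
    return findings
```

The word-boundary match also catches the quoted key of a policy written as a JSON string; heredoc (`<<EOF`) policies are not bracket-delimited and would need a separate reader.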

Vulnerable code example

locals {
  risky_policy = {
    name = "risky_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"...

✅ Secure code example

locals {
  secure_policy = {
    name = "secure_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"...