
Terraform Unrestricted Policy Version Control

Description

Detects AWS IAM policies defined in Terraform that grant the policy-version management actions (iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion) without restricting which policies they apply to. Managed policies are versioned: a principal that can create a new version and make it the default, or switch the default back to an older version, effectively rewrites the permissions the policy grants. When such a statement uses a wildcard Resource, the principal can do this to any customer managed policy in the account, including one attached to itself, and escalate to whatever permissions it writes into the new version.

Weakness:

005 - Privilege escalation

Category: Access Subversion

Detection Strategy

    Identifies Terraform resource blocks that define AWS IAM policies (group policies, role policies, user policies, or policy documents; in the AWS provider these are aws_iam_policy, aws_iam_group_policy, aws_iam_role_policy, aws_iam_user_policy and the aws_iam_policy_document data source)

    Checks whether any Allow statement grants iam:CreatePolicyVersion or iam:SetDefaultPolicyVersion, directly or through an action wildcard that covers them (iam:* or *), with a Resource of * or an IAM policy ARN whose account or policy name is wildcarded

    Reports a vulnerability when an IAM policy configuration allows unrestricted version selection, because a principal holding it can create or reinstate a policy version that grants it more permissions than it was given
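The checks listed above, as an added example that is not the scanner's own code: a small Python routine that inspects an IAM policy document of the kind Terraform's jsonencode() produces and reports Allow statements granting the policy-version actions on an unrestricted Resource. The function names, the handling of NotAction/NotResource, and the sample policies (the secure one shows the rendered form of an ARN built from the aws_partition and aws_caller_identity data sources) are this example's own assumptions, not the page's or the scanner's.

```python
"""Added example: flag IAM statements that allow unrestricted policy-version control.

Not the scanner's code. Function names, NotAction/NotResource handling and the
sample policies below are assumptions made for illustration.
"""
import fnmatch
import json

# Actions that change which permissions a managed policy grants: a new default
# version rewrites the policy, and an old version can be reinstated.
VERSION_ACTIONS = ("iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion")


def _as_list(value) -> list:
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_unrestricted(resource: str) -> bool:
    """True for '*' or an IAM ARN whose account or policy name is wildcarded.

    A bare '*' or 'arn:aws:iam::*:policy/*' reaches policies the principal does
    not own, including the ones attached to itself. Non-IAM ARNs are ignored.
    """
    if resource == "*":
        return True
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) < 6 or parts[2] != "iam":
        return False
    account, path = parts[4], parts[5]
    return "*" in account or "*" in path


def find_unrestricted_version_control(policy: dict) -> list:
    """Return one finding per Allow statement granting a version action on an
    unrestricted resource. Deny statements are skipped; a Condition block is
    recorded but does not suppress the finding (the check is about scoping)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt and "Action" not in stmt:
            # NotAction grants everything *except* the listed patterns.
            patterns = _as_list(stmt["NotAction"])
            granted = [a for a in VERSION_ACTIONS
                       if not any(_action_matches(p, a) for p in patterns)]
        else:
            patterns = _as_list(stmt.get("Action"))
            granted = [a for a in VERSION_ACTIONS
                       if any(_action_matches(p, a) for p in patterns)]
        if not granted:
            continue
        if "NotResource" in stmt and "Resource" not in stmt:
            # NotResource covers every policy except the listed ones: unrestricted.
            bad = ["NotResource=" + ",".join(_as_list(stmt["NotResource"]))]
        else:
            bad = [r for r in _as_list(stmt.get("Resource")) if _resource_unrestricted(r)]
        if bad:
            findings.append({"statement": idx, "sid": stmt.get("Sid"),
                             "actions": granted, "resources": bad,
                             "conditioned": "Condition" in stmt})
    return findings


# Constructed sample policies (what Terraform's jsonencode() would emit).
VULNERABLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ManagePolicies", "Effect": "Allow",
    "Action": ["iam:GetPolicy", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
    "Resource": "*"}]}

# Action wildcard plus a wildcarded account: still unrestricted.
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IamAdmin", "Effect": "Allow", "Action": "iam:*",
    "Resource": "arn:aws:iam::*:policy/*"}]}

# Scoped to one policy in one account (rendered form of an ARN built from the
# aws_partition and aws_caller_identity data sources; account id is made up).
SECURE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ManageOwnTeamPolicy", "Effect": "Allow",
    "Action": ["iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
    "Resource": "arn:aws:iam::123456789012:policy/team-alpha/deploy-policy"}]}


if __name__ == "__main__":
    for name, doc in (("vulnerable", VULNERABLE_POLICY),
                      ("wildcard", WILDCARD_POLICY),
                      ("secure", SECURE_POLICY)):
        print(name, json.dumps(find_unrestricted_version_control(doc)))
```

Running the module prints one finding each for the vulnerable and wildcard policies and an empty list for the scoped one. The check deliberately treats a Condition as a note rather than a pass: whether a condition actually closes the escalation path depends on its keys, which is a manual review, not something a resource-scoping rule should decide.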

Vulnerable code example

resource "aws_iam_policy" "vulnerable_policy" {
  name = "vulnerable_example"
  
  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",    # Vulnerable: Allows dangerous IAM policy manipulation...

✅ Secure code example

data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

resource "aws_iam_policy" "secure_policy" {
  name = "secure_example"
  
  policy = jsonencode({
    Version = "2012-10-17",...