Ensure IAM policies do not allow write access without constraint
Write access allowed without constraint
Description
This policy grants permissions that enable the modification of resource-based policies or actions that could inadvertently expose AWS resources to the public. Such actions increase the risk of unauthorized resource exposure, potentially leading to significant security vulnerabilities.
Examples of critical actions include:
- `s3:PutBucketPolicy`, `s3:PutBucketAcl`, and `s3:PutObjectAcl`: These permissions allow users to modify access control settings for S3 buckets and objects, either for new or existing objects. Improperly configured permissions could unintentionally expose sensitive data to unauthorized users, including the public or malicious actors on the internet.
- `ecr:SetRepositoryPolicy`: This action allows modification of the policy associated with an Amazon Elastic Container Registry (ECR) repository. An attacker could exploit this to exfiltrate container images, which may contain sensitive information such as credentials or configuration secrets, tamper with existing container images, or manipulate repository access in other harmful ways.
- `iam:UpdateAssumeRolePolicy`: This permission allows modification of the AssumeRole (trust) policy for a specific IAM role. An attacker could exploit this to establish a backdoor by enabling an external account to assume a privileged role within the victim account, potentially escalating privileges and gaining unauthorized access to sensitive resources.
- AWS Resource Access Manager (RAM) modifications: The ability to modify configurations within AWS Resource Access Manager could enable a malicious actor to share access to a VPC that hosts sensitive or internal services with unauthorized AWS accounts, further compromising the security of the environment.
Attackers can easily leverage Resource Exposure permissions to expose critical AWS resources to rogue users or the public internet. This tactic has been demonstrated by Endgame, a penetration testing tool for AWS released by Salesforce, which illustrates how these permissions can be exploited to facilitate resource exposure.
For additional details and a deeper understanding of these risks, refer to the Cloudsplaining glossary entry on resource exposure: https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/
Fix - Buildtime
Terraform
- Resource: aws_iam_policy_document
- Argument: effect + actions
```hcl
data "aws_iam_policy_document" "example" {
  statement {
    sid    = "1"
    effect = "Allow"
    actions = [
      "s3:*"
    ]
    # Constrain the statement to specific resource ARNs instead of "*".
    # "foo" is a placeholder; put the ARN(s) of the intended resources here.
    resources = [
      "foo",
    ]
  }
}
```
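To show what this check looks for in the rendered policy document, the following is an added example (not Checkov's own implementation and not code from this page): a small linter that flags `Allow` statements granting any of the actions named in the description above while the `Resource` element is the unconstrained wildcard `"*"`. The RAM entry in the description names no specific actions, so the `ram:*` actions listed here are an assumption; the two sample policies are constructed for the example, and the bucket ARN is a placeholder.

```python
"""Added example: flag IAM statements that grant resource-exposure actions
without a resource constraint. Not Checkov's implementation."""
import fnmatch
import json

# Actions named in the description above. The RAM actions are an assumption
# standing in for the page's generic "RAM modifications".
EXPOSURE_ACTIONS = [
    "s3:PutBucketPolicy",
    "s3:PutBucketAcl",
    "s3:PutObjectAcl",
    "ecr:SetRepositoryPolicy",
    "iam:UpdateAssumeRolePolicy",
    "ram:CreateResourceShare",
    "ram:UpdateResourceShare",
    "ram:AssociateResourceShare",
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matched_exposure_actions(action_patterns):
    """Return the exposure actions covered by a statement's Action patterns.
    IAM action names are case-insensitive and may use * and ? wildcards,
    which fnmatch handles the same way."""
    hits = set()
    for pattern in action_patterns:
        for action in EXPOSURE_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.add(action)
    return sorted(hits)


def is_unconstrained(resources):
    """A Resource element of "*" places no constraint on the grant."""
    return any(r == "*" for r in resources)


def find_unconstrained_write_statements(policy):
    """Return one finding per Allow statement that grants an exposure action
    on Resource "*". Statements using NotAction/NotResource are inverted
    grants and are reported for manual review rather than evaluated."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"statement": idx, "sid": stmt.get("Sid"),
                             "actions": [],
                             "reason": "NotAction/NotResource needs manual review"})
            continue
        actions = matched_exposure_actions(_as_list(stmt.get("Action")))
        if actions and is_unconstrained(_as_list(stmt.get("Resource"))):
            findings.append({"statement": idx, "sid": stmt.get("Sid"),
                             "actions": actions, "reason": 'Resource is "*"'})
    return findings


# Constructed sample: the failing form, s3:* on every resource.
UNCONSTRAINED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "1", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}
  ]
}""")

# Constructed sample: the same grant scoped to one bucket (placeholder ARN).
CONSTRAINED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "1", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}""")


if __name__ == "__main__":
    for name, policy in (("unconstrained", UNCONSTRAINED_POLICY),
                         ("constrained", CONSTRAINED_POLICY)):
        print(name, json.dumps(find_unconstrained_write_statements(policy), indent=2))
```

The unconstrained sample produces one finding listing the three S3 exposure actions that `s3:*` expands to; the constrained sample, which mirrors the Terraform fix above with real ARNs in `resources`, produces none. Wildcard expansion is the part worth keeping in mind: a policy never has to name `s3:PutBucketPolicy` explicitly for the check to apply.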