Credentials exposure actions return credentials in an API response

Description

AWS IAM users utilize various types of credentials, including passwords and access keys, to authenticate and access AWS resources. Certain API actions, classified as Credentials Exposure actions, return sensitive credentials as part of their response, potentially increasing the risk of credential leakage. Examples of such actions include ecr:GetAuthorizationToken, iam:UpdateAccessKey, and other similar API calls that expose credentials in the response payload.

For further details on Credentials Exposure actions and their implications, refer to the Cloudsplaining glossary entry: https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/
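As an added example (not Checkov's own check code), the following Python function flags Allow statements that grant any credentials-exposure action, expanding IAM wildcards such as `iam:*` or `iam:Update*`. The action set contains the two actions named above plus a few IAM/STS actions assumed here for illustration (the authoritative list is the Cloudsplaining glossary), and both policy documents are constructed samples.

```python
import fnmatch

# Actions named on this page, plus assumed extras for illustration only.
CREDENTIALS_EXPOSURE_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "iam:UpdateAccessKey",
    "iam:CreateAccessKey",      # assumed
    "iam:CreateLoginProfile",   # assumed
    "sts:GetFederationToken",   # assumed
}


def _as_list(value):
    """IAM accepts a single string where a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_credentials_exposure(policy):
    """Return the sorted credentials-exposure actions an Allow statement grants.

    Action patterns are matched case-insensitively with IAM-style wildcards
    ('*' and '?'). An Allow statement using NotAction grants everything that
    does NOT match, so its unmatched actions are reported instead.
    """
    hits = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        negated = "NotAction" in stmt
        patterns = _as_list(stmt.get("NotAction" if negated else "Action"))
        for action in CREDENTIALS_EXPOSURE_ACTIONS:
            matched = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                          for p in patterns)
            if matched != negated:
                hits.add(action)
    return sorted(hits)


# Constructed sample: the compliant policy from the Terraform fix below.
COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["lambda:CreateFunction", "lambda:CreateEventSourceMapping",
               "dynamodb:CreateTable"]}]}

# Constructed sample: wildcards that silently include exposure actions.
VIOLATING_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecr:GetAuthorizationToken", "iam:Update*", "iam:Create*"]}}
```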

Fix - Buildtime

Terraform

  • Resource: aws_iam_policy_document
  • Argument: effect + actions
data "aws_iam_policy_document" "example" {
  statement {
    sid = "1"
    effect = "Allow"
    actions = [
      "lambda:CreateFunction",
      "lambda:CreateEventSourceMapping",
      "dynamodb:CreateTable",
    ]
    resources = [
      "*",
    ]
  }
}

CloudFormation

  • Resource: AWS::IAM::Policy / AWS::IAM::ManagedPolicy / AWS::IAM::Group /
    AWS::IAM::Role / AWS::IAM::User
  • Argument: Effect + Actions
Resources:
  AdminDeny:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ...
      PolicyDocument:
        ...
        Statement:
          - Effect: Allow
            Action:
              - 'lambda:CreateFunction'
              - 'lambda:CreateEventSourceMapping'
              - 'dynamodb:CreateTable'
            Resource: '*'