IAM policy should be scoped

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: terraform-aws/iam-allow-all

Language: Terraform

Severity: Warning

Category: Security

Description

The IAM policy should be scoped rule is crucial to ensure the principle of least privilege (PoLP). This means that IAM entities (users, groups, and roles) should have only the necessary permissions to perform their tasks, and no more. Overly permissive policies, like granting all actions ("*") on all resources ("*"), can lead to unintended access, escalating privilege issues, and potential security vulnerabilities.

The importance of this rule lies in its role in maintaining a secure and manageable permission model. By scoping IAM policies, you can minimize the potential damage if an IAM entity is compromised. It also simplifies auditing and understanding the access that a particular entity has.

To adhere to this rule, avoid using wildcards for both actions and resources in your IAM policies. Instead, specify the necessary actions and resources that the IAM entity needs to access. For instance, if an IAM role only needs to read objects in a specific S3 bucket, grant only the s3:GetObject action on that bucket. This way, even if this role is compromised, the attacker cannot perform other actions or access other resources.

Non-Compliant Code Examples

data "aws_iam_policy_document" "failed" {
  version = "2012-10-17"

  statement {
    effect = "Allow"
    resources = [
      "*",
    ]
    actions = [
      "*"
    ]
  }
}
data "aws_iam_policy_document" "failed" {
  version = "2012-10-17"

  statement {
    effect = "Allow"
    actions = [
      "*"
    ]
    resources = [
      "*",
    ]
  }
}

Compliant Code Examples

data "aws_iam_policy_document" "pass" {
  version = "2012-10-17"

  statement {
    effect = "Allow"
    actions = [
      "s3:Describe*",
    ]
    resources = [
      "*",
    ]
  }
}
data "aws_iam_policy_document" "no_effect" {
  version = "2012-10-17"

  statement {
    actions = [
      "*"
    ]
    resources = [
      "*",
    ]
  }
}
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis