ID: terraform-aws/iam-all-privileges
Language: Terraform
Severity: Error
Category: Security
This rule is designed to prevent the assignment of all privileges to a single IAM policy in AWS, which is considered a high security risk. Allowing all privileges or actions can potentially expose the resources to unwanted manipulations or data breaches. This is especially important when managing access control for S3 buckets, which often store sensitive data.
This rule plays an important role in enforcing the principle of least privilege (PoLP), a computer security concept in which a user is given the minimum levels of access necessary to complete his or her job functions. This minimizes the potential damage that can result from error, unauthorized use, or compromise of user accounts.
To adhere to this rule, instead of using a wildcard (`*`) to denote all actions, specify the exact actions that the IAM policy should allow. For example, instead of using `"Action": ["*"]` in your IAM policy, use `"Action": ["s3:GetObject"]` to allow only the specific action of getting an object from an S3 bucket. This way, you can ensure that the IAM policy only has the privileges it needs, and no more.
Non-compliant example (the wildcard action grants every privilege):

```hcl
resource "aws_iam_policy" "mypolicy" {
  name = "mypolicyname"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # "*" allows every API action on the resource; this is what the rule flags
        Action = [
          "*"
        ]
        Effect = "Allow"
        Resource = [
          mybucket # placeholder for the bucket ARN, defined elsewhere
        ]
      }
    ]
  })
}
```
Compliant example (only the one action that is actually needed is allowed):

```hcl
resource "aws_iam_policy" "mypolicy" {
  name = "mypolicyname"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Only the specific action required by the workload is granted
        Action = [
          "s3:GetObject"
        ]
        Effect = "Allow"
        Resource = [
          mybucket # placeholder for the bucket ARN, defined elsewhere
        ]
      }
    ]
  })
}
```
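The check this rule performs can also be run over a rendered policy document, for example in a pre-commit hook. The following is an added example (not Datadog's rule implementation): it loads the JSON that `jsonencode()` produces for the two policies above, normalises the scalar-or-list forms IAM accepts for `Statement` and `Action`, and reports `Allow` statements whose `Action` contains the all-privileges wildcard; the sample policy documents and ARN are constructed for the example.

```python
"""Flag IAM policy statements that grant every action ("*")."""
import json

# Constructed sample input: the JSON that jsonencode() would emit for the
# two Terraform examples above, with a placeholder bucket ARN.
NON_COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["*"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::example-bucket/*"]}
    ],
})
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["s3:GetObject"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::example-bucket/*"]}
    ],
})


def _as_list(value):
    """IAM accepts a scalar or a list for Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_all_actions(action):
    """True for the spellings that mean 'every API action': "*" or "*:*"."""
    return action.strip() in ("*", "*:*")


def find_all_privilege_statements(policy_document):
    """Return (statement index, Sid) for each Allow statement that grants all actions.

    Deny statements are skipped: a Deny of "*" restricts rather than grants.
    """
    policy = json.loads(policy_document)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if any(is_all_actions(a) for a in _as_list(stmt.get("Action"))):
            findings.append((index, stmt.get("Sid")))
    return findings


if __name__ == "__main__":
    for name, doc in (("non-compliant", NON_COMPLIANT_POLICY), ("compliant", COMPLIANT_POLICY)):
        print(name, find_all_privilege_statements(doc))
```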