ID: terraform-aws/iam-allow-all
Language: Terraform
Severity: Warning
Category: Security
The "IAM policy should be scoped" rule is crucial to ensure the principle of least privilege (PoLP). This means that IAM entities (users, groups, and roles) should have only the permissions necessary to perform their tasks, and no more. Overly permissive policies, such as granting all actions ("*") on all resources ("*"), can lead to unintended access, privilege escalation, and potential security vulnerabilities.
The importance of this rule lies in its role in maintaining a secure and manageable permission model. By scoping IAM policies, you can minimize the potential damage if an IAM entity is compromised. It also simplifies auditing and understanding the access that a particular entity has.
To adhere to this rule, avoid using wildcards for both actions and resources in your IAM policies. Instead, specify the necessary actions and resources that the IAM entity needs to access. For instance, if an IAM role only needs to read objects in a specific S3 bucket, grant only the s3:GetObject action on that bucket. This way, even if this role is compromised, the attacker cannot perform other actions or access other resources.
data "aws_iam_policy_document" "failed" {
  version = "2012-10-17"
  statement {
    effect = "Allow"
    resources = [
      "*",
    ]
    actions = [
      "*",
    ]
  }
}

data "aws_iam_policy_document" "failed" {
  version = "2012-10-17"
  statement {
    effect = "Allow"
    actions = [
      "*",
    ]
    resources = [
      "*",
    ]
  }
}

data "aws_iam_policy_document" "pass" {
  version = "2012-10-17"
  statement {
    effect = "Allow"
    actions = [
      "s3:Describe*",
    ]
    resources = [
      "*",
    ]
  }
}

data "aws_iam_policy_document" "no_effect" {
  version = "2012-10-17"
  statement {
    actions = [
      "*",
    ]
    resources = [
      "*",
    ]
  }
}
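The check this rule performs, written out as a small scanner over rendered IAM policy JSON. This is an added example, not code from this rule page or from Datadog's analyzer. The sample policies are constructed to mirror the `failed`, `pass` and `no_effect` blocks above plus the scoped s3:GetObject policy from the prose (the bucket name is a placeholder); the `json` attribute of the aws_iam_policy_document data source renders exactly this JSON shape. The scanner also handles the string-or-list and single-object forms IAM accepts, which the HCL examples never show, and has an option for the `no_effect` case: the Terraform data source defaults `effect` to "Allow", so a statement with no effect still renders as an Allow.

```python
"""Flag IAM policy statements that Allow "*" on "*", the pattern this rule warns about."""
import json

# Constructed sample inputs: the IAM JSON that the Terraform data sources above
# render (the aws_iam_policy_document data source exposes it as its `json` attribute).
FAILED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}],
})

PASS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Describe*"], "Resource": ["*"]}],
})

# The scoped policy described in the prose: one action on one bucket (placeholder name).
# IAM accepts a bare string where a list is expected, and a single Statement object.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    },
})

# A hand-written document with no Effect at all (constructed). Note that the
# Terraform data source would already have filled in "Allow" for the no_effect block.
NO_EFFECT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Action": ["*"], "Resource": ["*"]}],
})

# Deny "*" on "*" is a guardrail, not a finding; only the Allow at index 1 should fire.
MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value):
    """Normalise the string-or-list forms IAM permits to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_allow_all_statements(policy_json, missing_effect_is_allow=False):
    """Return the indices of statements that Allow every action on every resource.

    missing_effect_is_allow: treat a statement with no Effect as Allow. The
    Terraform aws_iam_policy_document data source defaults `effect` to "Allow",
    so a block like `no_effect` above renders to an Allow; enable this when
    scanning statements taken from HCL without an explicit effect.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        effect = stmt.get("Effect")
        if effect is None and missing_effect_is_allow:
            effect = "Allow"
        if effect != "Allow":
            continue
        # Only the literal "*" is flagged, matching the rule: "s3:Describe*" on "*"
        # passes. NotAction/NotResource are equally broad but are a separate concern.
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(index)
    return findings


if __name__ == "__main__":
    for name, doc in [("failed", FAILED_POLICY), ("pass", PASS_POLICY),
                      ("scoped", SCOPED_POLICY), ("mixed", MIXED_POLICY)]:
        print(name, find_allow_all_statements(doc))
```

Run it against the output of `terraform show -json` or the `json` attribute of the data source to see which statement indices the rule would flag; a Deny on "*" is deliberately left alone, since that is a guardrail rather than an over-grant.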