RAM policies that grant administrative access should not be attached to users, groups, or roles. This rule detects policy documents containing a statement with Effect set to "Allow" where both Action and Resource are "*"; such a statement permits every action on every resource, so any principal it is attached to effectively holds administrator rights. The rule flags any such policy attached through alicloud_ram_user_policy_attachment, alicloud_ram_group_policy_attachment, or alicloud_ram_role_policy_attachment.
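The check the rule text describes can be reproduced outside the scanner. The following is an added example, not Datadog's or the Alibaba Cloud provider's code: it parses RAM policy documents, applies the rule's own criterion (an Allow statement with Action "*" and Resource "*"), and walks a hypothetical pre-parsed set of Terraform policies and attachments to report the attachment addresses that would be flagged. It also goes one step beyond the rule with a separate heuristic that lists service-wide wildcard actions such as "oss:*", the shape used by this page's non-compliant examples; that broader function is my assumption about what a stricter reviewer would want, not part of the rule. All sample documents and resource maps are constructed inline.

```python
from __future__ import annotations

import json
from typing import Any, Iterable

# Constructed sample documents. READ_ONLY mirrors the statement used in the page's
# compliant examples; the others are made up for this example.
READ_ONLY_POLICY = json.dumps({
    "Statement": [{
        "Action": ["oss:ListObjects", "oss:GetObject"],
        "Effect": "Allow",
        "Resource": ["acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"],
    }],
    "Version": "1",
})

# Full administrative access: exactly the pattern the rule text describes.
ADMIN_POLICY = json.dumps({
    "Statement": [{"Action": "*", "Effect": "Allow", "Resource": "*"}],
    "Version": "1",
})

# The same wildcards under Deny restrict rather than grant, so they must not be flagged.
DENY_ALL_POLICY = json.dumps({
    "Statement": [{"Action": "*", "Effect": "Deny", "Resource": "*"}],
    "Version": "1",
})

# Service-wide wildcard on specific resources (the shape of the page's non-compliant examples).
OSS_WILDCARD_POLICY = json.dumps({
    "Statement": [{
        "Action": ["oss:*"],
        "Effect": "Allow",
        "Resource": ["acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"],
    }],
    "Version": "1",
})


def _as_list(value: Any) -> list:
    """RAM policy fields such as Statement, Action and Resource may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(document: str | dict) -> Iterable[dict]:
    """Accept either the raw JSON string from the Terraform heredoc or an already-parsed dict."""
    doc = json.loads(document) if isinstance(document, str) else document
    return _as_list(doc.get("Statement"))


def grants_admin_access(document: str | dict) -> bool:
    """The rule's criterion: any Allow statement whose Action and Resource both contain "*"."""
    for stmt in _statements(document):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def service_wildcard_actions(document: str | dict) -> list[str]:
    """Broader heuristic (an assumption, not the rule): Allow actions that are "*" or "<service>:*"."""
    found: list[str] = []
    for stmt in _statements(document):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                found.append(action)
    return found


def find_admin_attachments(policies: dict[str, str], attachments: list[dict[str, str]]) -> list[str]:
    """Return Terraform addresses of attachments whose referenced policy grants admin access.

    `policies` maps an alicloud_ram_policy name to its document; each attachment carries its
    resource type, resource name and the policy_name it references. This flat form is a
    hypothetical stand-in for what a real checker would read from plan or state JSON.
    """
    flagged: list[str] = []
    for att in attachments:
        doc = policies.get(att["policy_name"])
        if doc is not None and grants_admin_access(doc):
            flagged.append(f'{att["type"]}.{att["name"]}')
    return flagged


# Constructed resource set covering all three attachment types the rule inspects.
SAMPLE_POLICIES = {"read_only": READ_ONLY_POLICY, "admin": ADMIN_POLICY, "oss_all": OSS_WILDCARD_POLICY}
SAMPLE_ATTACHMENTS = [
    {"type": "alicloud_ram_user_policy_attachment", "name": "attach_admin", "policy_name": "admin"},
    {"type": "alicloud_ram_group_policy_attachment", "name": "attach_ro", "policy_name": "read_only"},
    {"type": "alicloud_ram_role_policy_attachment", "name": "attach_oss", "policy_name": "oss_all"},
]

if __name__ == "__main__":
    print(find_admin_attachments(SAMPLE_POLICIES, SAMPLE_ATTACHMENTS))
    print(service_wildcard_actions(OSS_WILDCARD_POLICY))
```

Under the rule's literal criterion only the user attachment of the constructed full-admin policy is reported; the "oss:*" policy surfaces only through the broader `service_wildcard_actions` heuristic, which is why both functions are kept separate.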
Compliant Code Examples
# Create a RAM User Policy attachment.
resource "alicloud_ram_user" "user1" {
  name         = "userName"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_policy" "policy1" {
  name     = "policyName"
  document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a policy test"
  force       = true
}

resource "alicloud_ram_user_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy1.name
  policy_type = alicloud_ram_policy.policy1.type
  user_name   = alicloud_ram_user.user1.name
}
# Create a RAM Group Policy attachment.
resource "alicloud_ram_group" "group2" {
  name     = "groupName"
  comments = "this is a group comments."
  force    = true
}

resource "alicloud_ram_policy" "policy2" {
  name     = "policyName"
  document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a policy test"
  force       = true
}

resource "alicloud_ram_group_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy2.name
  policy_type = alicloud_ram_policy.policy2.type
  group_name  = alicloud_ram_group.group2.name
}
# Create a RAM Role Policy attachment.
resource "alicloud_ram_role" "role3" {
  name     = "roleName"
  document = <<EOF
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "apigateway.aliyuncs.com",
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a role test."
  force       = true
}

resource "alicloud_ram_policy" "policy3" {
  name     = "policyName"
  document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a policy test"
  force       = true
}

resource "alicloud_ram_role_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy3.name
  policy_type = alicloud_ram_policy.policy3.type
  role_name   = alicloud_ram_role.role3.name
}
Non-Compliant Code Examples
# Create a RAM User Policy attachment.
resource "alicloud_ram_user" "user4" {
  name         = "userName"
  display_name = "user_display_name"
  mobile       = "86-18688888888"
  email        = "hello.uuu@aaa.com"
  comments     = "yoyoyo"
  force        = true
}

resource "alicloud_ram_policy" "policy4" {
  name     = "policyName"
  document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "oss:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a policy test"
  force       = true
}

resource "alicloud_ram_user_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy4.name
  policy_type = alicloud_ram_policy.policy4.type
  user_name   = alicloud_ram_user.user4.name
}
# Create a RAM Group Policy attachment.
resource "alicloud_ram_group" "group5" {
  name     = "groupName"
  comments = "this is a group comments."
  force    = true
}

resource "alicloud_ram_policy" "policy5" {
  name     = "policyName"
  document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "oss:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a policy test"
  force       = true
}

resource "alicloud_ram_group_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy5.name
  policy_type = alicloud_ram_policy.policy5.type
  group_name  = alicloud_ram_group.group5.name
}
# Create a RAM Role Policy attachment.
resource "alicloud_ram_role" "role6" {
  name     = "roleName"
  document = <<EOF
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "apigateway.aliyuncs.com",
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a role test."
  force       = true
}

resource "alicloud_ram_policy" "policy6" {
  name     = "policyName"
  document = <<EOF
{
  "Statement": [
    {
      "Action": [
        "oss:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ],
  "Version": "1"
}
EOF
  description = "this is a policy test"
  force       = true
}

resource "alicloud_ram_role_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.policy6.name
  policy_type = alicloud_ram_policy.policy6.type
  role_name   = alicloud_ram_role.role6.name
}
rulesets:
  - Terraform / Alicloud # Rules to enforce / Alicloud.