Group with privilege escalation by actions 'iam:PutGroupPolicy'
This product is not supported for your selected
Datadog site. (
).
Id: e77c89f6-9c85-49ea-b95b-5f960fe5be92
Cloud Provider: AWS
Platform: Terraform
Severity: Medium
Category: Access Control
Learn More
Description
This check identifies IAM group policies that grant the action iam:PutGroupPolicy with a resource set to "*", allowing anyone in the group to attach arbitrary inline policies to any IAM group. This presents a privilege escalation risk, as users with this permission could assign themselves broader or unauthorized permissions by updating policies on other groups. To mitigate this, restrict the Action and Resource fields in policies and avoid assigning sensitive permissions to groups broadly.
A secure Terraform configuration should limit permissions to only what is necessary. For example:
resource "aws_iam_user_policy" "inline_policy_run_instances2" {
name = "inline_policy_run_instances"
user = aws_iam_user.cosmic2.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
Compliant Code Examples
resource "aws_iam_user" "cosmic2" {
name = "cosmic2"
}
resource "aws_iam_user_policy" "inline_policy_run_instances2" {
name = "inline_policy_run_instances"
user = aws_iam_user.cosmic2.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
Non-Compliant Code Examples
resource "aws_iam_group" "cosmic" {
name = "cosmic"
}
resource "aws_iam_group_policy" "test_inline_policy" {
name = "test_inline_policy"
group = aws_iam_group.cosmic.name
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"iam:PutGroupPolicy",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
