
Metadata

Id: 35ccf766-0e4d-41ed-9ec4-2dab155082b4

Cloud Provider: AWS

Platform: Terraform

Severity: Medium

Category: Access Control


Description

Granting the iam:UpdateLoginProfile action with the Resource attribute set to "*" in an IAM policy allows a role or user to change the console login password of any IAM user in the AWS account. This is a privilege escalation vulnerability: a principal with this permission could reset the passwords of other users, including more privileged ones, take over their accounts, and gain unauthorized access to critical resources.

To prevent this, apply least-privilege access, for example by restricting both the allowed actions and the resource scope, as in the following policy:

resource "aws_iam_user_policy" "inline_policy_run_instances2" {
  name = "inline_policy_run_instances"
  user = aws_iam_user.cosmic2.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

This sample policy grants only read-only access to EC2 information, rather than sensitive IAM actions.
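The check this rule performs can be expressed as a small policy scanner. The following is an added example, not Datadog's rule implementation: it parses the JSON that jsonencode() emits, normalises Action and Resource to lists, and flags Allow statements that grant iam:UpdateLoginProfile on "*". It also treats wildcard actions such as iam:* as granting the action, which goes beyond the page's literal example; the sample policy documents and the account id in the scoped ARN are constructed placeholders.

```python
# Added example, not Datadog's rule implementation: a minimal checker for the
# condition this rule describes, run over constructed policy documents.
import fnmatch
import json

TARGET_ACTION = "iam:UpdateLoginProfile"


def _as_list(value):
    """IAM allows Action/Resource as a single string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_target(actions):
    """IAM action matching is case-insensitive and honours '*' and '?' wildcards,
    so 'iam:*' or 'iam:Update*' also grant UpdateLoginProfile (a generalisation
    beyond the page's literal example)."""
    target = TARGET_ACTION.lower()
    return any(fnmatch.fnmatchcase(target, a.lower()) for a in actions)


def find_violations(policy_json):
    """Return indices of Allow statements granting the target action on Resource '*'."""
    policy = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_target(_as_list(stmt.get("Action"))):
            continue
        if "*" in _as_list(stmt.get("Resource")):
            hits.append(idx)
    return hits


# Constructed sample documents (the JSON that jsonencode() would emit).
NON_COMPLIANT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": ["iam:UpdateLoginProfile"], "Effect": "Allow", "Resource": "*"}]})
WILDCARD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": "iam:*", "Effect": "Allow", "Resource": ["*"]}]})
COMPLIANT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": ["ec2:Describe*"], "Effect": "Allow", "Resource": "*"}]})
# Same action scoped to one user ARN (placeholder account id): not flagged.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": "iam:UpdateLoginProfile", "Effect": "Allow",
     "Resource": "arn:aws:iam::123456789012:user/helpdesk-managed/alice"}]})
```

Running find_violations over each constructed document flags NON_COMPLIANT and WILDCARD (statement index 0) and returns an empty list for COMPLIANT and SCOPED.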

Compliant Code Examples

resource "aws_iam_user" "cosmic2" {
  name = "cosmic2"
}

resource "aws_iam_user_policy" "inline_policy_run_instances2" {
  name = "inline_policy_run_instances"
  user = aws_iam_user.cosmic2.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

Non-Compliant Code Examples

resource "aws_iam_role" "cosmic" {
  name = "cosmic"

  # assume_role_policy is required by aws_iam_role; this trust policy lets EC2
  # assume the role and is unrelated to the non-compliant permission below.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = "sts:AssumeRole"
        Effect    = "Allow"
        Principal = { Service = "ec2.amazonaws.com" }
      },
    ]
  })
}

resource "aws_iam_role_policy" "test_inline_policy" {
  name = "test_inline_policy"
  role = aws_iam_role.cosmic.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "iam:UpdateLoginProfile",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}