Ensure IAM policies do not allow credentials exposure for ECR

Error: Credentials exposure actions return credentials in an API response

Bridgecrew Policy ID: BC_AWS_IAM_54
Checkov Check ID: CKV_AWS_107
Severity: LOW

Description

AWS IAM users access AWS resources using different types of credentials, such as passwords or access keys. Credentials exposure actions are API actions that return credentials as part of the API response, such as ecr:GetAuthorizationToken, iam:UpdateAccessKey, and others; a policy that allows them lets the principal obtain credentials rather than merely use its own.

For more information, see the Cloudsplaining documentation:
https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/

Fix - Buildtime

Terraform

  • Resource: aws_iam_policy_document
  • Argument: effect + actions
data "aws_iam_policy_document" "example" {
  statement {
    sid = "1"
    effect = "Allow"
    actions = [
      "lambda:CreateFunction",
      "lambda:CreateEventSourceMapping",
      "dynamodb:CreateTable",
    ]
    resources = [
      "*",
    ]
  }
}

CloudFormation

  • Resource: AWS::IAM::Policy / AWS::IAM::ManagedPolicy / AWS::IAM::Group /
    AWS::IAM::Role / AWS::IAM::User
  • Argument: Effect + Actions
Resources:
  AdminDeny:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ...
      PolicyDocument:
        ...
        Statement:
          - Effect: Allow
            Action:
              - 'lambda:CreateFunction'
              - 'lambda:CreateEventSourceMapping'
              - 'dynamodb:CreateTable'
            Resource: '*'
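As an added example (not code from the Checkov, Bridgecrew or Cloudsplaining projects), the following Python mirrors what this check looks for in a policy document: Allow statements whose Action matches a credentials-exposure action, including grants made through wildcards such as iam:* or *. The action list is an illustrative subset, the two actions named in the description plus two more taken from the linked Cloudsplaining glossary (an assumption), and the sample policies are constructed.

```python
import fnmatch

# Illustrative subset of the Cloudsplaining "credentials exposure" actions:
# the two named on this page plus two more from the linked glossary (assumption).
CREDENTIALS_EXPOSURE_ACTIONS = (
    "ecr:GetAuthorizationToken",
    "iam:UpdateAccessKey",
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
)


def _as_list(value):
    """IAM accepts a lone string (or a lone statement object) where a list is
    allowed; normalise to a list so callers can iterate uniformly."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def find_credentials_exposure(policy_doc):
    """Return [(sid, granted_pattern, exposed_action)] for every Allow
    statement whose Action matches a credentials-exposure action. IAM
    action matching is case-insensitive with '*'/'?' wildcards, so "iam:*"
    or "*" grants them too; Deny statements grant nothing and are skipped."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for exposed in CREDENTIALS_EXPOSURE_ACTIONS:
                if fnmatch.fnmatchcase(exposed.lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", ""), pattern, exposed))
    return findings


# Constructed samples: this page's compliant Terraform statement, and a failing one.
COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "1", "Effect": "Allow", "Resource": "*", "Action": [
        "lambda:CreateFunction", "lambda:CreateEventSourceMapping",
        "dynamodb:CreateTable"]}]}
FAILING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Registry", "Effect": "Allow", "Resource": "*",
     "Action": "ecr:GetAuthorizationToken"},
    {"Sid": "Wildcard", "Effect": "Allow", "Resource": "*", "Action": ["iam:*"]},
    {"Sid": "Denied", "Effect": "Deny", "Resource": "*",
     "Action": ["iam:UpdateAccessKey"]}]}

if __name__ == "__main__":
    print(find_credentials_exposure(COMPLIANT_POLICY))
    print(find_credentials_exposure(FAILING_POLICY))
```

The failing document yields one finding for the direct ecr:GetAuthorizationToken grant and one per listed iam action for the iam:* wildcard, while the Deny statement produces none.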