Ensure IAM policies do not allow permissions management / resource exposure without constraint

Error: Resource exposure allows modification of policies and exposes resources

Bridgecrew Policy ID: BC_AWS_IAM_56
Checkov Check ID: CKV_AWS_109
Severity: LOW

Resource exposure allows modification of policies and exposes resources

Description

This policy allows actions that permit modification of resource-based policies or can otherwise can expose AWS resources to the public via similar actions that can lead to resource exposure.

For example:
1 - s3:PutBucketPolicy, s3:PutBucketAcl, and s3:PutObjectAcl grant permissions to modify the properties of S3 buckets or objects for new or existing objects in an S3 bucket, which could expose objects to rogue actors or to the internet.
2 - ecr:SetRepositoryPolicy could allow an attacker to exfiltrate container images (which sometimes unintentionally contain secrets and non-public information), tamper with container images, or otherwise modify.
3 - iam:UpdateAssumeRolePolicy could allow an attacker to create a backdoor by assuming a privileged role in the victim account from an external account.
The ability to modify AWS Resource Access Manager, which could allow a malicious actor to share a VPC hosting sensitive or internal services to rogue AWS accounts
Attackers can easily exploit Resource Exposure permissions to expose resources to rogue users or the internet, as shown by endgame, an AWS pentesting tool that was also released by Salesforce.

For more info, visit cloudsplaning documentation
https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/

Fix - Buildtime

Terraform

  • Resource: aws_iam_policy_document
  • Argument: effect + actions
data "aws_iam_policy_document" "example" {
  statement {
    sid = "1"
    effect = "Allow"
    actions = [
      "s3:*"
    ]     
    resources = [
      "foo",
    ]
  }
}

CloudFormation

  • Resource: aws_iam_policy_document
  • Argument: effect + actions
Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ...
      PolicyDocument:
        ...
        Statement:
          - Effect: Allow
            Action: 
            - 's3:*'
            Resource: 'foo'

Did this page help you?