This repository was archived by the owner on Jul 20, 2024. It is now read-only.

iam policy with wildcards #49

Description

@syscod3

Hi!
Another tfsec warning:

```
Result #2 HIGH IAM policy document uses sensitive action 'ec2:AttachNetworkInterface' on wildcarded resource '*'
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 .terraform/modules/nat_instance/main.tf Line 199
───────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  194  │         {
  195  │             "Effect": "Allow",
  196  │             "Action": [
  197  │                 "ec2:AttachNetworkInterface"
  198  │             ],
  199  │             "Resource": "*"
  200  │         }
───────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/v1.8.0/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

It can probably be solved by adding a condition to the policy (as per the ASG tag here) like:

```json
"Condition": {
    "StringEquals": {
        "aws:resourceTag/Name": "nat-instance-${var.name}"
    }
}
```
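To make the finding and the proposed fix concrete, here is an added example (not from this issue, tfsec or the nat_instance module) that checks a rendered IAM policy document for Allow statements granting a sensitive or wildcard action on `Resource: "*"` with no `aws:resourceTag/<key>` condition. The sensitive-action set and the rule that a StringEquals tag condition counts as sufficient scoping are assumptions; the two embedded policies are constructed from the statement quoted above, before and after adding the condition.

```python
import json

# The only sensitive action named in the tfsec finding above; the set is an
# assumption to be extended for real policies. Wildcard actions ("ec2:*", "*")
# are flagged regardless of this set.
SENSITIVE_ACTIONS = {"ec2:AttachNetworkInterface"}

# Constructed samples: the statement from the tfsec output, then the same
# statement with the aws:resourceTag/Name condition proposed in the issue
# (kept as the literal template string; Terraform would fill in var.name).
BEFORE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:AttachNetworkInterface"], "Resource": "*"}]})
AFTER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:AttachNetworkInterface"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:resourceTag/Name": "nat-instance-${var.name}"}}}]})


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_resource_tag_condition(statement):
    """True when a StringEquals condition on an aws:resourceTag/<key> key narrows
    the statement; treating that as sufficient scoping is an assumption."""
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    return any(key.lower().startswith("aws:resourcetag/") for key in string_equals)


def find_wildcard_findings(policy_json):
    """Return (Sid or statement index, action) for each Allow statement that grants
    a sensitive or wildcard action on Resource "*" without a tag condition."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        if has_resource_tag_condition(stmt):
            continue
        for action in _as_list(stmt.get("Action")):
            if action in SENSITIVE_ACTIONS or action.endswith("*"):
                findings.append((stmt.get("Sid", str(idx)), action))
    return findings


if __name__ == "__main__":
    for label, doc in (("before", BEFORE_POLICY), ("after", AFTER_POLICY)):
        print(label, find_wildcard_findings(doc))
```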
