Restrict AWS IAM policy with full administrative privileges

Severity
Critical

The IAM policy grants full administrative privileges: a statement with Effect "Allow" that lists Action "*" against Resource "*" can call every API in the account. Scope the policy to the specific actions and resources the workload needs, following least privilege. The detector flags the combination of a wildcard action with a wildcard resource; read-only Describe and Pricing API actions do not support resource-level permissions, so Resource "*" on its own is expected for those actions.

Detector ID
terraform/restrict-iam-admin-policy-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

resource "aws_iam_policy" "ec2_pricing" {
  name        = "ec2_pricing"
  description = "allow access to ec2 instance types and pricing information"
  path        = "/"
  policy = jsonencode({
    Version = "2012-10-17"
    # Noncompliant: the statement allows Action "*" on Resource "*", which is full administrative access.
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "*"
        ],
        Resource = "*"
      }
    ]
  })
  tags = {
    Terraformed = "true"
  }
}

Compliant example

resource "aws_iam_policy" "ec2_pricing" {
  name        = "ec2_pricing"
  description = "allow access to ec2 instance types and pricing information"
  path        = "/"
  policy = jsonencode({
    Version = "2012-10-17"
    # Compliant: actions are limited to the read-only EC2, Pricing and ElastiCache APIs this workload needs;
    # no statement grants Action "*" on Resource "*".
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "ec2:DescribeInstanceTypes",
          "ec2:DescribeRegions",
          "pricing:*",
          "elasticache:DescribeEngineDefaultParameters"
        ],
        Resource = "*"
      }
    ]
  })
  tags = {
    Terraformed = "true"
  }
}
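To make the rule concrete, the following Python check is an added example (not CodeGuru's implementation and not part of this page) that applies the same test to the two policy documents above, plus a few constructed edge cases: an Allow statement whose Action contains "*" (or the equivalent "*:*", an assumption added here) and whose Resource contains "*" is flagged. The function names and the sample policies are this example's own.

```python
import json

# Both spellings grant every IAM action; "*:*" is handled here as an addition
# to the Action "*" form shown on the page.
FULL_ACCESS_ACTIONS = {"*", "*:*"}


def _as_list(value):
    """IAM accepts a single string where a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_admin_statements(policy_doc):
    """Return the indexes of statements granting full administrative access.

    A statement is flagged when Effect is Allow, Action contains "*" or "*:*",
    and Resource contains "*". A Condition block does not suppress the finding:
    it narrows when the grant applies, not what it grants. Statements using
    NotAction are not inspected, mirroring the page's rule; a NotAction grant
    with Resource "*" deserves its own review.
    """
    flagged = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a for a in _as_list(stmt.get("Action")) if isinstance(a, str)}
        resources = {r for r in _as_list(stmt.get("Resource")) if isinstance(r, str)}
        if actions & FULL_ACCESS_ACTIONS and "*" in resources:
            flagged.append(idx)
    return flagged


def is_full_admin_policy(policy_doc):
    """True if at least one statement in the policy document is full-admin."""
    return bool(find_admin_statements(policy_doc))


# The two policy documents from the page, as the JSON jsonencode() produces.
NONCOMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"}],
}

COMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeRegions",
                "pricing:*",
                "elasticache:DescribeEngineDefaultParameters",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed edge cases (not from the page) covering the shapes IAM allows.
EDGE_CASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # 0: single-string Action and list Resource are still full admin.
        {"Effect": "Allow", "Action": "*", "Resource": ["*"]},
        # 1: a Deny with wildcards grants nothing, so it is not flagged.
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
        # 2: "*:*" with a Condition is still an unbounded grant.
        {
            "Effect": "Allow",
            "Action": "*:*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        # 3: every action, but only on one bucket: not flagged by this rule.
        {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*"},
        # 4: NotAction is out of scope for this check.
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, doc in [("noncompliant", NONCOMPLIANT_POLICY),
                      ("compliant", COMPLIANT_POLICY),
                      ("edge cases", EDGE_CASE_POLICY)]:
        print(f"{name}: flagged statements {find_admin_statements(doc)}")
    # To check a policy exported from Terraform or the IAM console:
    # print(is_full_admin_policy(json.load(open("policy.json"))))
```

The check deliberately ignores service-scoped wildcards such as "pricing:*": they are broader than strictly necessary but are not what this detector reports, so a separate least-privilege review is still worthwhile for them.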