terraform-aws-ecs-codepipeline

IAM policy is too loose

Open bougyman opened this issue 5 years ago • 3 comments

The IAM policy for the role allows * to too many AWS services without resource restrictions. Allowing a var-supplied policy here could be a good first step. (https://github.com/cloudposse/terraform-aws-ecs-codepipeline/blame/master/main.tf#L66-L87).

bougyman avatar Feb 25 '20 19:02 bougyman

Uh. Another iam:PassRole to * again. See https://github.com/cloudposse/terraform-aws-elastic-beanstalk-environment/issues/147 and the source Unit 42 Cloud Threat Report: Misconfigured IAM Roles Lead to Thousands of Compromised Cloud Workloads.

razorsedge avatar Feb 09 '21 01:02 razorsedge

That's a great suggestion. We accept PRs and always welcome new contributors.

nitrocode avatar Aug 03 '21 04:08 nitrocode

I believe this in main.tf is the code in question:

data "aws_iam_policy_document" "default" {
  statement {
    sid = ""

    actions = [
      "ec2:*",
      "elasticloadbalancing:*",
      "autoscaling:*",
      "cloudwatch:*",
      "s3:*",
      "sns:*",
      "cloudformation:*",
      "rds:*",
      "sqs:*",
      "ecs:*",
      "iam:PassRole"
    ]

    resources = ["*"]
    effect    = "Allow"
  }
}

That's an awful lot of asterisks. But I'm not clear if this policy is actually being used. aws_iam_role_policy_attachment.default is only referenced in depends_on in two aws_codepipeline resources. But if it's unneeded, why is it declared at all?

nk9 avatar Jan 20 '22 18:01 nk9
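As an added illustration, not code from the module or from any commenter, one way to narrow the quoted statement along the lines the thread asks for: scope S3 to the artifact bucket, keep only the ECS actions a deploy stage uses, and restrict iam:PassRole to named roles and to the ECS tasks service. var.artifact_bucket_arn and var.ecs_task_role_arns are assumed caller-supplied inputs, not existing module variables.

```hcl
# Added example: least-privilege replacement for the wide-open statement.
# var.artifact_bucket_arn and var.ecs_task_role_arns are assumed inputs
# that the caller would declare and supply.
data "aws_iam_policy_document" "scoped" {
  # Artifact handling: only the pipeline's own bucket and its objects.
  statement {
    sid    = "ArtifactBucket"
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:GetObjectVersion",
      "s3:PutObject",
      "s3:GetBucketVersioning",
    ]
    resources = [
      var.artifact_bucket_arn,
      "${var.artifact_bucket_arn}/*",
    ]
  }

  # Deployment: the handful of ECS calls a deploy stage actually makes.
  # Some of these (e.g. RegisterTaskDefinition) accept no resource ARN, so
  # this statement stays on "*"; if the service ARN is known, split
  # UpdateService out into its own statement scoped to that ARN.
  statement {
    sid    = "EcsDeploy"
    effect = "Allow"
    actions = [
      "ecs:DescribeServices",
      "ecs:DescribeTaskDefinition",
      "ecs:DescribeTasks",
      "ecs:ListTasks",
      "ecs:RegisterTaskDefinition",
      "ecs:UpdateService",
    ]
    resources = ["*"]
  }

  # PassRole: only the listed task/execution roles, and only when the
  # receiving service is ECS tasks, so the role cannot be handed to
  # Lambda, EC2 or any other service.
  statement {
    sid       = "PassTaskRoles"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = var.ecs_task_role_arns
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ecs-tasks.amazonaws.com"]
    }
  }
}
```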