
SECURITY: iam:PassRole is dangerous

Open razorsedge opened this issue 4 years ago • 2 comments

Describe the Bug

The inline policy *-eb-default in main.tf line 138 is generally overreaching with all of its permissions, but in particular Action: ["iam:PassRole"] with Resource: "*" is downright dangerous. See Unit 42 Cloud Threat Report: Misconfigured IAM Roles Lead to Thousands of Compromised Cloud Workloads for details on how to exploit.

Expected Behavior

Privilege escalation should not be possible. iam:PassRole (and iam:ListRole) should not be used.

razorsedge avatar Oct 26 '20 17:10 razorsedge

@razorsedge what do you think is the best approach? Add inputs to specify a resource pattern for each class of permissions, or make the module more opinionated and specify the resource pattern using the module context?

joe-niland avatar Apr 23 '21 01:04 joe-niland

@joe-niland My naive approach would be to completely remove those two actions. I do not understand why they would be needed. Otherwise, force the user to specify the role to be passed, or else do not allow that action.

razorsedge avatar Jun 01 '21 16:06 razorsedge
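To make the concern in the issue and the second suggestion concrete, here is an added Terraform example (not code from this module or from either commenter) showing the wildcard iam:PassRole grant next to a scoped replacement. The variable names `ec2_role_name` and `service_role_name`, the policy name, and the statement SIDs are hypothetical; the condition key `iam:PassedToService` is a real IAM global condition key that restricts which service the role may be handed to.

```hcl
# Added example, not the module's own code. Contrasts the wildcard
# iam:PassRole grant reported in the issue with a scoped version.
# All variable names, SIDs and resource names here are hypothetical.

data "aws_caller_identity" "current" {}

variable "ec2_role_name" {
  description = "Hypothetical: name of the EC2 instance profile role the environment launches with"
  type        = string
}

variable "service_role_name" {
  description = "Hypothetical: name of the Elastic Beanstalk service role"
  type        = string
}

# Weak form (the pattern the issue objects to): whoever holds this policy
# can hand ANY role in the account to a service, so they can launch compute
# that runs with a more privileged role than their own.
data "aws_iam_policy_document" "passrole_wildcard" {
  statement {
    sid       = "PassAnyRole"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["*"]
  }
}

# Hardened form: only the two roles this environment actually needs can be
# passed, and each only to the service that consumes it. Passing any other
# role, or passing these roles to a different service, is denied by default.
data "aws_iam_policy_document" "passrole_scoped" {
  statement {
    sid     = "PassEc2InstanceRoleOnly"
    effect  = "Allow"
    actions = ["iam:PassRole"]
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.ec2_role_name}",
    ]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }

  statement {
    sid     = "PassServiceRoleOnly"
    effect  = "Allow"
    actions = ["iam:PassRole"]
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.service_role_name}",
    ]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["elasticbeanstalk.amazonaws.com"]
    }
  }
}

# Only the scoped document is attached; the wildcard document is kept above
# purely for comparison and is never turned into a policy.
resource "aws_iam_policy" "eb_passrole" {
  name   = "eb-passrole-scoped"
  policy = data.aws_iam_policy_document.passrole_scoped.json
}
```

Requiring the caller to supply the role names (rather than defaulting to "*") is the "force the user to specify the role" option from the comment above. A quick review check after `terraform plan` is to inspect the rendered policy JSON and flag any statement whose actions include iam:PassRole with a Resource of "*" or an account-wide `role/*` prefix.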

Closed via #215

joe-niland avatar Jan 31 '23 02:01 joe-niland