Disallow unrestricted s3:* IAM Policies
Ensure that no IAM policy is created that grants the unrestricted ‘s3:*’ action.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Create more restrictive S3 policies instead of using s3:* (CloudFormation):
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  GoodPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: good_policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Scoped to two actions on one bucket instead of s3:* on "*"
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
            Resource: arn:aws:s3:::examplebucket/*
      Roles:
        - !Ref GoodRole
  GoodRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: good_role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
Create more restrictive S3 policies instead of using s3:* (Terraform):
resource "aws_iam_policy" "good_policy" {
  name = "good_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Scoped to two actions on one bucket instead of s3:* on "*"
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject"
        ]
        Resource = "arn:aws:s3:::examplebucket/*"
      }
    ]
  })
}

resource "aws_iam_role" "good_role" {
  name = "good_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "good_role_policy_attachment" {
  role       = aws_iam_role.good_role.name
  policy_arn = aws_iam_policy.good_policy.arn
}
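As an added example (not part of the original page), a small Python checker that applies this rule to an IAM policy document in its JSON form, the document both templates above produce: it reports every Allow statement whose Action includes s3:* (matched case-insensitively, as IAM does) and, going one step beyond the page's literal case, a bare * that covers every S3 action as well. The two sample policies are constructed here; the first mirrors the good_policy above.

```python
import json
from typing import Any

# Constructed samples: the page's good_policy next to a policy that grants s3:*.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::examplebucket/*"}
    ],
}
BAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": "S3:*", "Resource": "*"}
}""")


def _as_list(value: Any) -> list:
    """IAM allows Statement, Action and Resource to be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_all_s3(action: str) -> bool:
    # IAM matches action names case-insensitively; a bare "*" also covers
    # every S3 action, so it is reported too (beyond the page's literal case).
    return action.lower() in ("s3:*", "*")


def find_unrestricted_s3(policy: dict) -> list:
    """Return (statement index, offending action) pairs for every Allow
    statement whose Action grants all S3 operations."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny of s3:* is not a finding
        for action in _as_list(stmt.get("Action")):
            if _grants_all_s3(action):
                findings.append((idx, action))
    return findings


def policy_passes(policy: dict) -> bool:
    return not find_unrestricted_s3(policy)


if __name__ == "__main__":
    for name, doc in (("good_policy", GOOD_POLICY), ("bad_policy", BAD_POLICY)):
        print(name, "PASS" if policy_passes(doc) else f"FAIL {find_unrestricted_s3(doc)}")
```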