Disallow unrestricted S3 IAM Policies
Ensure that IAM policies granting unrestricted S3 access are not created. An "unrestricted" policy is one whose Allow statement grants every S3 operation ("s3:*" or "*") on every resource ("*" or arn:aws:s3:::*): any principal the policy is attached to gets full read, write and delete access to every bucket it can reach, which defeats least privilege and turns a single compromised credential into a data-exfiltration or data-destruction path. Scope the Action list to the operations actually needed and the Resource to specific bucket and object ARNs.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Create more restrictive S3 policies (CloudFormation)

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Policy limited to two object-level actions on a single bucket:
  # no "s3:*" and no "Resource: *".
  GoodPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: good_policy
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
            # Object ARN pattern: objects in examplebucket only, not other buckets.
            Resource: arn:aws:s3:::examplebucket/*
      Roles:
        - !Ref GoodRole
  # Role the policy is attached to; only the EC2 service may assume it.
  GoodRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: good_role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
```
Create more restrictive S3 policies (Terraform)

```hcl
# Policy limited to two object-level actions on a single bucket:
# no "s3:*" and no "Resource = *".
resource "aws_iam_policy" "good_policy" {
  name = "good_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject"
        ]
        # Object ARN pattern: objects in examplebucket only, not other buckets.
        Resource = "arn:aws:s3:::examplebucket/*"
      }
    ]
  })
}

# Role the policy is attached to; only the EC2 service may assume it.
resource "aws_iam_role" "good_role" {
  name = "good_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

# Attach the scoped policy to the role (a managed policy attachment, not an
# inline policy, so the same policy can be reused and reviewed on its own).
resource "aws_iam_role_policy_attachment" "good_role_policy_attachment" {
  role       = aws_iam_role.good_role.name
  policy_arn = aws_iam_policy.good_policy.arn
}
```
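The check this rule describes, written out as an added example (it is not the page's or any scanner's own code): a small policy-as-code function that parses an IAM policy document and reports the Allow statements that grant every S3 action on every bucket. The function and helper names, and the three sample policies (a plain "s3:*" on "*", the scoped good_policy from this page, and a set of variants that a naive substring match would get wrong), are constructed for this example. Condition keys are deliberately not evaluated, so a statement narrowed only by a Condition is still reported; that is the conservative choice for a scanner.

```python
"""Detect IAM policy statements that grant unrestricted S3 access.

Added example for this page, not the rule's own implementation. An Allow
statement is reported when its Action element grants every S3 operation
("*" or "s3:*", or Allow + NotAction that does not exclude S3) and its
Resource element covers every bucket ("*", arn:<partition>:s3:::*, or
Allow + NotResource). Condition keys are ignored on purpose.
"""
import json
import re

# Resource values that cover every bucket and object, in any AWS partition
# (aws, aws-cn, aws-us-gov): "*", "arn:...:s3:::*", "arn:...:s3:::*/*".
_S3_WILDCARD_RESOURCE = re.compile(r"^(\*|arn:aws[a-z-]*:s3:::\*(/\*)?)$", re.IGNORECASE)


def _as_list(value):
    """IAM lets Statement/Action/Resource/NotAction/NotResource be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_all_s3_actions(statement):
    if "NotAction" in statement:
        # Allow + NotAction permits everything not listed. Only "*" or "s3:*"
        # in NotAction removes all of S3; excluding "s3:GetObject" alone would not.
        excluded = {a.lower() for a in _as_list(statement["NotAction"])}
        return not ({"*", "s3:*"} & excluded)
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    return bool({"*", "s3:*"} & actions)


def _covers_all_s3_resources(statement):
    if "NotResource" in statement:
        # Allow + NotResource covers every resource except those listed.
        return True
    return any(_S3_WILDCARD_RESOURCE.match(r) for r in _as_list(statement.get("Resource")))


def find_unrestricted_s3_statements(policy_document):
    """Return indexes of Allow statements granting every S3 action on every bucket.

    policy_document is a parsed IAM policy (dict), e.g. the PolicyDocument of an
    AWS::IAM::Policy or the decoded `policy` argument of an aws_iam_policy.
    """
    findings = []
    for index, statement in enumerate(_as_list(policy_document.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # Deny never grants access
        if _grants_all_s3_actions(statement) and _covers_all_s3_resources(statement):
            findings.append(index)
    return findings


def check_policy_json(policy_json):
    """Same check for policy text as stored in a template or state file."""
    return find_unrestricted_s3_statements(json.loads(policy_json))


# Constructed sample policies for demonstration.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Same shape as good_policy above: two actions on one bucket's objects.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::examplebucket/*",
    }],
}

# Variants a plain "s3:*" substring match would get wrong.
SNEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Allow everything except IAM: S3 is still fully granted -> reported.
        {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"},
        # A Deny never grants access -> not reported.
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
        # s3:* on one bucket is broad but not unrestricted -> not reported.
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::examplebucket/*"},
        # Wildcard spelled as an S3 ARN in the GovCloud partition -> reported.
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws-us-gov:s3:::*"]},
    ],
}

if __name__ == "__main__":
    for name, policy in [("bad", BAD_POLICY), ("good", GOOD_POLICY), ("sneaky", SNEAKY_POLICY)]:
        print(name, find_unrestricted_s3_statements(policy))
```

Running the module prints the offending statement indexes per policy; the good_policy from this page produces none, while the NotAction and GovCloud-ARN variants are caught even though the literal string "s3:*" on "*" never appears in them.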