Restriction of privileges and removal of wildcard usage
Resources:
  ExcessivePrivilegesPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: excessive_privileges
      Roles:
        - Ref: ExampleRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action: "*"
            Resource: "*"
            Effect: "Allow"
The CloudFormation example above creates an IAM role policy named "excessive_privileges" associated with an IAM role. The policy allows all actions ("*") on all resources ("*"), which is a violation of the principle of least privilege.
This configuration grants the IAM role unrestricted access to perform any action on any AWS resource. This increases the risk of unintended or malicious operations, such as unauthorized data access, data loss, or disruption of critical operations.
The use of wildcard characters in IAM policies should be avoided, as they can grant permissions broader than intended. In this case, the wildcard "*" in both the "Action" and "Resource" fields makes this role far too permissive.
Resources:
  RestrictedPrivilegesPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: restricted_privileges
      Roles:
        - Ref: ExampleRole
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - "s3:ListBucket"
              - "s3:GetObject"
            Resource:
              - arn:aws:s3:::example_bucket
              - arn:aws:s3:::example_bucket/*
            Effect: "Allow"
In the updated CloudFormation template, the IAM policy has been revised to remove the use of wildcards. Instead of allowing any action on all resources, the policy explicitly lists the required actions and specifies the exact resources the IAM role should have access to. In this case, the role is granted the ability to list a specific S3 bucket and retrieve objects from it. This follows the principle of least privilege by limiting the permissions to only what is necessary. It's important to regularly review IAM role policies to ensure they do not have excessive permissions.
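As an added example (not part of the original page or of any AWS tooling), the following Python check scans a CloudFormation template for the pattern described above: Allow statements whose Action or Resource is a wildcard. It goes slightly beyond the two templates on this page by also covering AWS::IAM::ManagedPolicy resources and inline policies attached to roles, users and groups; the two templates are transcribed as JSON-style dicts so the check runs with the standard library only.

```python
# Resource types whose PolicyDocument sits directly under Properties, and
# principal types that may carry inline policies under Properties.Policies.
STANDALONE_POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
INLINE_POLICY_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}

def _as_list(value):
    """IAM accepts Action/Resource as a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _is_wildcard(value):
    """Bare '*' and 'service:*' actions are wildcards; an object-path wildcard such as
    arn:aws:s3:::example_bucket/* is scoped to one bucket and is not flagged."""
    return isinstance(value, str) and (value == "*" or value.endswith(":*"))

def _policy_documents(template):
    """Yield (logical_id, policy_name, policy_document) for every IAM policy found."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") in STANDALONE_POLICY_TYPES:
            yield logical_id, props.get("PolicyName", logical_id), props.get("PolicyDocument", {})
        elif res.get("Type") in INLINE_POLICY_TYPES:
            for inline in props.get("Policies", []):
                yield logical_id, inline.get("PolicyName", logical_id), inline.get("PolicyDocument", {})

def find_wildcard_grants(template):
    """Return (logical_id, policy_name, statement_index, field) for each Allow statement
    whose Action or Resource is a wildcard. Deny statements narrow access and are skipped."""
    findings = []
    for logical_id, name, doc in _policy_documents(template):
        for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
            if stmt.get("Effect") != "Allow":
                continue
            for field in ("Action", "Resource"):
                if any(_is_wildcard(v) for v in _as_list(stmt.get(field))):
                    findings.append((logical_id, name, idx, field))
    return findings

# The page's two templates, transcribed here as CloudFormation JSON-style dicts.
EXCESSIVE = {"Resources": {"ExcessivePrivilegesPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "excessive_privileges", "Roles": [{"Ref": "ExampleRole"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Action": "*", "Resource": "*", "Effect": "Allow"}]}}}}}
RESTRICTED = {"Resources": {"RestrictedPrivilegesPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyName": "restricted_privileges", "Roles": [{"Ref": "ExampleRole"}],
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Action": ["s3:ListBucket", "s3:GetObject"], "Effect": "Allow",
         "Resource": ["arn:aws:s3:::example_bucket", "arn:aws:s3:::example_bucket/*"]}]}}}}}
```

Running `find_wildcard_grants(EXCESSIVE)` reports both the Action and Resource wildcards of statement 0, while `find_wildcard_grants(RESTRICTED)` returns no findings.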