57 lines
1.0 KiB
Plaintext
57 lines
1.0 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Noncompliant Code Example
|
||
|
|
|
||
|
|
A customer managed policy that grants all permissions by using the wildcard (*) in the ``++Action++`` property:
|
||
|
|
|
||
|
|
----
|
||
|
|
resource "aws_iam_policy" "noncompliantpolicy" {
|
||
|
|
name = "noncompliantpolicy"
|
||
|
|
|
||
|
|
policy = jsonencode({
|
||
|
|
Version = "2012-10-17"
|
||
|
|
Statement = [
|
||
|
|
{
|
||
|
|
Action = [
|
||
|
|
"*" # Sensitive
|
||
|
|
]
|
||
|
|
Effect = "Allow"
|
||
|
|
Resource = [
|
||
|
|
aws_s3_bucket.mybucket.arn
|
||
|
|
]
|
||
|
|
}
|
||
|
|
]
|
||
|
|
})
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
A customer managed policy that lists and grants only the required permissions:
|
||
|
|
|
||
|
|
----
|
||
|
|
resource "aws_iam_policy" "compliantpolicy" {
|
||
|
|
name = "compliantpolicy"
|
||
|
|
|
||
|
|
policy = jsonencode({
|
||
|
|
Version = "2012-10-17"
|
||
|
|
Statement = [
|
||
|
|
{
|
||
|
|
Action = [
|
||
|
|
"s3:GetObject"
|
||
|
|
]
|
||
|
|
Effect = "Allow"
|
||
|
|
Resource = [
|
||
|
|
aws_s3_bucket.mybucket.arn
|
||
|
|
]
|
||
|
|
}
|
||
|
|
]
|
||
|
|
})
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|