rspec/rules/S6317/terraform/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

This policy allows to update the code of any lambda function. Updating the code of a lambda executing with high privileges will lead to privilege escalation.
[source,terraform]
----
resource "aws_iam_policy" "lambdaUpdatePolicy" {
  name = "lambdaUpdatePolicy"
  policy =<<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateFunctionCode"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}
----

== Compliant Solution

Narrow the policy to only allow to update the code of certain lambda functions.

[source,terraform]
----
resource "aws_iam_policy" "lambdaUpdatePolicy" {
  name = "lambdaUpdatePolicy"
  policy =<<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateFunctionCode"
            ],
            "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"
        }
    ]
}
EOF
}
----

include::../see.adoc[]
Create rule S6317: AWS IAM policies should not allow privilege escalation (#183) 2021-09-20 13:56:24 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			`This policy allows to update the code of any lambda function. Updating the code of a lambda executing with high privileges will lead to privilege escalation.`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Create rule S6317: AWS IAM policies should not allow privilege escalation (#183) 2021-09-20 13:56:24 +02:00			`----`
			`resource "aws_iam_policy" "lambdaUpdatePolicy" {`
			`name = "lambdaUpdatePolicy"`
			`policy =<<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": [`
			`"lambda:UpdateFunctionCode"`
			`],`
			`"Resource": "*"`
			`}`
			`]`
			`}`
			`EOF`
			`}`
			`----`

			`== Compliant Solution`

			`Narrow the policy to only allow to update the code of certain lambda functions.`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Create rule S6317: AWS IAM policies should not allow privilege escalation (#183) 2021-09-20 13:56:24 +02:00			`----`
			`resource "aws_iam_policy" "lambdaUpdatePolicy" {`
			`name = "lambdaUpdatePolicy"`
			`policy =<<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": [`
			`"lambda:UpdateFunctionCode"`
			`],`
			`"Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"`
			`}`
			`]`
			`}`
			`EOF`
			`}`
			`----`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`include::../see.adoc[]`