rspec/rules/S6317/terraform/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

This policy allows to update the code of any lambda function. Updating the code of a lambda executing with high privileges will lead to privilege escalation.
[source,terraform]
----
resource "aws_iam_policy" "lambdaUpdatePolicy" {
  name = "lambdaUpdatePolicy"
  policy =<<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateFunctionCode"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}
----

=== Compliant solution

Narrow the policy to only allow to update the code of certain lambda functions.

[source,terraform]
----
resource "aws_iam_policy" "lambdaUpdatePolicy" {
  name = "lambdaUpdatePolicy"
  policy =<<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateFunctionCode"
            ],
            "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"
        }
    ]
}
EOF
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Create rule S6317: AWS IAM policies should not allow privilege escalation (#183) 2021-09-20 13:56:24 +02:00			`include::../description.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Create rule S6317: AWS IAM policies should not allow privilege escalation (#183) 2021-09-20 13:56:24 +02:00
			`This policy allows to update the code of any lambda function. Updating the code of a lambda executing with high privileges will lead to privilege escalation.`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Create rule S6317: AWS IAM policies should not allow privilege escalation (#183) 2021-09-20 13:56:24 +02:00			`----`
			`resource "aws_iam_policy" "lambdaUpdatePolicy" {`
			`name = "lambdaUpdatePolicy"`
			`policy =<<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": [`
			`"lambda:UpdateFunctionCode"`
			`],`
			`"Resource": "*"`
			`}`
			`]`
			`}`
			`EOF`
			`}`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Create rule S6317: AWS IAM policies should not allow privilege escalation (#183) 2021-09-20 13:56:24 +02:00
			`Narrow the policy to only allow to update the code of certain lambda functions.`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,terraform]`
Create rule S6317: AWS IAM policies should not allow privilege escalation (#183) 2021-09-20 13:56:24 +02:00			`----`
			`resource "aws_iam_policy" "lambdaUpdatePolicy" {`
			`name = "lambdaUpdatePolicy"`
			`policy =<<EOF`
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Effect": "Allow",`
			`"Action": [`
			`"lambda:UpdateFunctionCode"`
			`],`
			`"Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"`
			`}`
			`]`
			`}`
			`EOF`
			`}`
			`----`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`include::../see.adoc[]`
Modify rule S6317: Add message, highlighting and the list of supported privilege escalation vector details (#872) 2022-04-05 14:57:22 +02:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::../highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`