110 lines
2.1 KiB
Plaintext
110 lines
2.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
A customer-managed policy for AWS that grants all permissions by using the wildcard (*) in the ``++Action++`` property:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_iam_policy" "example" {
|
|
name = "noncompliantpolicy"
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Action = [
|
|
"*" # Sensitive
|
|
]
|
|
Effect = "Allow"
|
|
Resource = [
|
|
aws_s3_bucket.mybucket.arn
|
|
]
|
|
}
|
|
]
|
|
})
|
|
}
|
|
----
|
|
|
|
A customer-managed policy for GCP that grants all permissions by using the actions admin role ``++role++`` property:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_project_iam_binding" "example" {
|
|
project = "example"
|
|
role = "roles/owner" # Sensitive
|
|
|
|
members = [
|
|
"user:jane@example.com",
|
|
]
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
A customer-managed policy for AWS that grants only the required permissions:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_iam_policy" "example" {
|
|
name = "compliantpolicy"
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Action = [
|
|
"s3:GetObject"
|
|
]
|
|
Effect = "Allow"
|
|
Resource = [
|
|
aws_s3_bucket.mybucket.arn
|
|
]
|
|
}
|
|
]
|
|
})
|
|
}
|
|
----
|
|
|
|
A customer-managed policy for GCP that grants restricted permissions by using the actions admin role ``++role++`` property:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_project_iam_binding" "example" {
|
|
project = "example"
|
|
role = "roles/actions.Viewer"
|
|
|
|
members = [
|
|
"user:jane@example.com",
|
|
]
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* For a policy: Make sure it is safe to give all members full access.
|
|
* For a binding: Make sure it is safe to give all members full access.
|
|
* For a member add: Make sure it is safe to grant that member full access.
|
|
|
|
Secondary message:
|
|
|
|
* For a policy: The policy is used here.
|
|
|
|
=== Highlighting
|
|
|
|
Highlight the full role assignment.
|
|
|
|
endif::env-github,rspecator-view[]
|