62 lines
1.1 KiB
Plaintext
62 lines
1.1 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
Update permission is granted for all policies using the wildcard (*) in the ``++Resource++`` property:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_iam_policy" "noncompliantpolicy" {
|
|
name = "noncompliantpolicy"
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Action = [
|
|
"iam:CreatePolicyVersion"
|
|
]
|
|
Effect = "Allow"
|
|
Resource = [
|
|
"*" # Sensitive
|
|
]
|
|
}
|
|
]
|
|
})
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Restrict update permission to the appropriate subset of policies:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_iam_policy" "compliantpolicy" {
|
|
name = "compliantpolicy"
|
|
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Action = [
|
|
"iam:CreatePolicyVersion"
|
|
]
|
|
Effect = "Allow"
|
|
Resource = [
|
|
"arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/team1/*"
|
|
]
|
|
}
|
|
]
|
|
})
|
|
}
|
|
----
|
|
|
|
include::../exceptions.adoc[]
|
|
|
|
include::../see.adoc[]
|