Iam - CodeAnt AI

no-iam-priv-esc-roles

Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design

no-iam-priv-esc-other-users

Ensure that IAM policies with permissions on other users don’t allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design

no-iam-priv-esc-funcs

Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-250: Execution with Unnecessary Privileges

no-iam-star-actions

Ensure that no IAM policies allow ”*” as a statement’s actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design

no-iam-creds-exposure

Ensure IAM policies don’t allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn’t return sensitive data as part of the API response.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control

no-iam-resource-exposure

Ensure IAM policies don’t allow resource exposure. These actions can expose AWS resources to the public. For example ecr:SetRepositoryPolicy could let an attacker retrieve container images. Instead, use another action that doesn’t expose AWS resources.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control

no-iam-admin-privileges

IAM policies that allow full ”-” admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-269: Improper Privilege Management
OWASP:
- A04:2021 - Insecure Design

no-iam-data-exfiltration

Ensure that IAM policies don’t allow data exfiltration actions that are not resource-constrained. This can allow the user to read sensitive data they don’t need to read. Instead, make sure that the user granted these privileges are given these permissions on specific resources.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
OWASP:
- A01:2021 - Broken Access Control

Get Started