    Security

    Iam

    Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. Combined, these actions can let an attacker gain full administrator access to an AWS account. Do not grant these actions in conjunction.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-269: Improper Privilege Management
    OWASP:
    - A04:2021 - Insecure Design

    Ensure that IAM policies with permissions on other users do not allow privilege escalation. This can lead to an attacker gaining full administrator access to the AWS account. Instead, specify which user the permission may be used on, or do not grant the listed actions.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-269: Improper Privilege Management
    OWASP:
    - A04:2021 - Insecure Design

    Ensure that actions that can result in privilege escalation are not used. These actions could let an attacker gain full administrator access to an AWS account. Avoid granting these actions.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-250: Execution with Unnecessary Privileges

    Ensure that no IAM policy allows "*" as a statement's Action. This permits every action on the specified resources and violates the principle of least privilege. Instead, list the specific actions a given user or policy is allowed to take.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-269: Improper Privilege Management
    OWASP:
    - A04:2021 - Insecure Design

    Ensure IAM policies do not allow credential-exposure actions. These actions return credentials as part of the API response and can leak important credentials. Instead, use an action that does not return sensitive data in its response.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control

    Ensure IAM policies do not allow resource-exposure actions. These actions can expose AWS resources to the public; for example, ecr:SetRepositoryPolicy could let an attacker retrieve container images. Instead, use an action that does not expose AWS resources.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control

    IAM policies that allow full "*-*" admin privileges (Action "*" on Resource "*") violate the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-269: Improper Privilege Management
    OWASP:
    - A04:2021 - Insecure Design

    Ensure that IAM policies do not allow data-exfiltration actions that are not resource-constrained. Unconstrained, these let the user read sensitive data they have no need to read. Instead, grant these permissions only on the specific resources the user requires.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
    OWASP:
    - A01:2021 - Broken Access Control
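
The eight checks above all reduce to inspecting the statements of an IAM policy document (the JSON that `aws_iam_policy.policy` receives through `jsonencode`). The following is an added example, not CodeAnt's or Semgrep's own code, that walks such a document and reports each problem described on this page: PassRole combinations, other-user actions, standalone escalation actions, wildcard actions, full admin, credential exposure, resource exposure, and unconstrained data exfiltration. The action groups, the sample policy and the account id are assumptions drawn from well-known escalation and exposure paths, not from the page; `NotAction` and `Condition` are deliberately not evaluated.

```python
"""Added example (not CodeAnt's or Semgrep's code): flag the IAM policy
problems described on this page in a parsed policy document."""
import fnmatch
import json

# Assumed action groups (not from the page). Each PassRole combo must be
# granted in full by one statement to count as an escalation path.
PASSROLE_COMBOS = [
    frozenset({"iam:PassRole", "ec2:RunInstances"}),
    frozenset({"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"}),
    frozenset({"iam:PassRole", "cloudformation:CreateStack"}),
    frozenset({"iam:PassRole", "glue:CreateDevEndpoint"}),
]
OTHER_USER_ACTIONS = {"iam:CreateAccessKey", "iam:CreateLoginProfile",
                      "iam:UpdateLoginProfile", "iam:AttachUserPolicy",
                      "iam:PutUserPolicy", "iam:AddUserToGroup"}
ESCALATION_ACTIONS = {"iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
                      "iam:AttachRolePolicy", "iam:PutRolePolicy",
                      "iam:UpdateAssumeRolePolicy", "iam:AttachGroupPolicy"}
CREDENTIAL_EXPOSURE = {"iam:CreateAccessKey", "sts:AssumeRole",
                       "sts:GetFederationToken", "ecr:GetAuthorizationToken",
                       "redshift:GetClusterCredentials"}
RESOURCE_EXPOSURE = {"ecr:SetRepositoryPolicy", "s3:PutBucketPolicy",
                     "s3:PutBucketAcl", "kms:PutKeyPolicy", "lambda:AddPermission",
                     "ec2:ModifySnapshotAttribute"}
DATA_EXFILTRATION = {"s3:GetObject", "ssm:GetParameter", "ssm:GetParameters",
                     "ssm:GetParametersByPath", "secretsmanager:GetSecretValue"}
# (rule name, action group, only report when Resource is "*")
SINGLE_ACTION_RULES = [
    ("other-users-escalation", OTHER_USER_ACTIONS, True),
    ("privilege-escalation-actions", ESCALATION_ACTIONS, False),
    ("credentials-exposure", CREDENTIAL_EXPOSURE, False),
    ("resource-exposure", RESOURCE_EXPOSURE, False),
    ("data-exfiltration", DATA_EXFILTRATION, True),
]


def _as_list(value):
    """IAM accepts a bare string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(patterns, action):
    """True if any Action pattern ('iam:*', 'ec2:Run*', '*') covers action.
    IAM action matching is case-insensitive, so compare lower-cased."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def check_statement(stmt):
    """Return (sid, rule, actions) findings for one statement; Deny is skipped."""
    if stmt.get("Effect") != "Allow":
        return []
    sid = stmt.get("Sid", "<no Sid>")
    patterns = _as_list(stmt.get("Action"))
    unconstrained = "*" in _as_list(stmt.get("Resource"))

    # Action "*" implies every other finding, so report only the root cause.
    if "*" in patterns:
        rule = "full-admin-privileges" if unconstrained else "wildcard-actions"
        return [(sid, rule, ["*"])]

    def granted(names):
        return sorted(a for a in names if _grants(patterns, a))

    findings = []
    for combo in PASSROLE_COMBOS:
        if all(_grants(patterns, a) for a in combo):
            findings.append((sid, "passrole-escalation", sorted(combo)))
    for rule, names, needs_star in SINGLE_ACTION_RULES:
        hits = granted(names)
        if hits and (unconstrained or not needs_star):
            findings.append((sid, rule, hits))
    return findings


def check_policy(policy):
    """Check a policy document given as a dict or as a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        findings.extend(check_statement(stmt))
    return findings


# Constructed sample policy (not from the page); the account id is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployLambda", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"]},
        {"Sid": "ManageUsers", "Effect": "Allow", "Resource": "*",
         "Action": ["iam:CreateAccessKey", "iam:CreateLoginProfile"]},
        {"Sid": "ManageOwnKeys", "Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},  # scoped to caller
        {"Sid": "IamAdmin", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "ReadConfig", "Effect": "Allow", "Resource": "*",
         "Action": ["ssm:GetParameter", "s3:GetObject"]},
        {"Sid": "EcrPolicy", "Effect": "Allow", "Action": "ecr:SetRepositoryPolicy",
         "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/app"},
        {"Sid": "BucketAdmin", "Effect": "Allow", "Action": "*",
         "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, rule, actions in check_policy(SAMPLE_POLICY):
        print(f"{sid:14} {rule:30} {', '.join(actions)}")
```

Two details matter in practice: wildcard patterns such as `iam:*` are expanded against each listed action (so `IamAdmin` is reported for the other-user, escalation and credential-exposure groups even though none of those names appears literally), and the `ManageOwnKeys` statement is not reported as other-user escalation because its Resource is pinned to the caller with `${aws:username}`, although it still carries the credential-exposure finding since `iam:CreateAccessKey` returns a secret key regardless of scope.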
