
Credentials exposure actions return credentials in an API response

Description

AWS IAM principals access AWS resources using different types of credentials, such as passwords, access keys, and temporary tokens. Credentials Exposure actions are API calls that return or create credentials as part of the API response, such as ecr:GetAuthorizationToken, iam:UpdateAccessKey, and others. A policy statement that allows any of these actions lets the principal obtain credentials it was not otherwise issued, so such actions should be granted only where they are actually needed and never through broad wildcards; this check flags Allow statements that include them.

For more info, visit the Cloudsplaining documentation:
https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/
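The following is an added example, not code from this page or from Checkov or Cloudsplaining, showing how a buildtime scanner can find Allow statements that grant credentials-exposure actions in an IAM policy document. The action list is a small subset of the actions Cloudsplaining classifies this way (an assumption for illustration; the authoritative list is in the Cloudsplaining docs linked above), and the two sample policies are constructed inline. Wildcards such as iam:* and NotAction statements are expanded because they grant these actions implicitly.

```python
import fnmatch
from typing import Dict, List, Tuple

# Assumption: a small subset of Cloudsplaining's credentials-exposure actions,
# reproduced here for the example only. The real list is longer.
CREDENTIALS_EXPOSURE_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "iam:CreateServiceSpecificCredential",
    "iam:UpdateAccessKey",
    "redshift:GetClusterCredentials",
    "sts:AssumeRole",
    "sts:GetFederationToken",
    "sts:GetSessionToken",
}


def _as_list(value) -> List:
    """IAM allows Statement/Action/NotAction to be a single item or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def expand_action_pattern(pattern: str) -> List[str]:
    """Return the credentials-exposure actions matched by one Action entry.

    IAM action names are case-insensitive and may contain '*' and '?' wildcards,
    so 'iam:*' or '*' silently grants every action in the list.
    """
    pat = pattern.lower()
    return sorted(a for a in CREDENTIALS_EXPOSURE_ACTIONS
                  if fnmatch.fnmatchcase(a.lower(), pat))


def find_credentials_exposure(policy: Dict) -> List[Tuple[str, str, str]]:
    """Scan a policy document and return (sid, pattern, matched action) for every
    Allow statement that grants a credentials-exposure action."""
    findings: List[Tuple[str, str, str]] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant anything
        sid = stmt.get("Sid", f"Statement[{i}]")
        if "NotAction" in stmt:
            # NotAction allows everything except the listed patterns, so any
            # exposure action not excluded is effectively granted.
            excluded = [p.lower() for p in _as_list(stmt["NotAction"])]
            for action in sorted(CREDENTIALS_EXPOSURE_ACTIONS):
                if not any(fnmatch.fnmatchcase(action.lower(), p) for p in excluded):
                    findings.append((sid, "NotAction", action))
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in expand_action_pattern(pattern):
                findings.append((sid, pattern, action))
    return findings


# Constructed sample: the compliant policy from this page's Terraform fix.
COMPLIANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "1", "Effect": "Allow",
        "Action": ["lambda:CreateFunction", "lambda:CreateEventSourceMapping",
                   "dynamodb:CreateTable"],
        "Resource": "*",
    }],
}

# Constructed sample: a policy the check should flag. The Deny statement is
# ignored; the iam:* wildcard expands to several exposure actions.
FLAGGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "1", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "iam:*"], "Resource": "*"},
        {"Sid": "2", "Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("compliant:", find_credentials_exposure(COMPLIANT_POLICY))
    for sid, pattern, action in find_credentials_exposure(FLAGGED_POLICY):
        print(f"FLAG statement {sid}: {pattern!r} grants {action}")
```

The scanner reports the original pattern alongside the concrete action it expands to, so a reviewer can see that a finding on iam:CreateAccessKey came from an iam:* wildcard rather than an explicit grant; that is usually the line to tighten.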

Fix - Buildtime

Terraform

  • Resource: aws_iam_policy_document
  • Argument: effect + actions
data "aws_iam_policy_document" "example" {
  statement {
    sid    = "1"
    effect = "Allow"
    # Compliant: only the actions the workload needs, none of which return
    # credentials (no ecr:GetAuthorizationToken, iam:UpdateAccessKey, or
    # wildcards such as iam:* that would expand to them).
    actions = [
      "lambda:CreateFunction",
      "lambda:CreateEventSourceMapping",
      "dynamodb:CreateTable",
    ]
    resources = [
      "*",
    ]
  }
}

CloudFormation

  • Resource: AWS::IAM::Policy / AWS::IAM::ManagedPolicy / AWS::IAM::Group /
    AWS::IAM::Role / AWS::IAM::User
  • Argument: Effect + Action
Resources:
  AdminDeny:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ...
      PolicyDocument:
        ...
        Statement:
          - Effect: Allow
            Action:
              - 'lambda:CreateFunction'
              - 'lambda:CreateEventSourceMapping'
              - 'dynamodb:CreateTable'
            Resource: '*'