Skip to content

Data exfiltration allowed without resource constraints

Description

Data Exfiltration actions allow certain read-only IAM actions without resource constraints, such as s3:GetObject, ssm:GetParameter*, or secretsmanager:GetSecretValue.

1 - Unrestricted s3:GetObject permissions has a long history of customer data leaks
2 - ssm:GetParameter* and secretsmanager:GetSecretValue are both used to access secrets.
3 - rds:CopyDBSnapshot and rds:CreateDBSnapshot can be used to exfiltrate RDS database contents.

For more information, visit the cloudsplaining documentation
https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/

Fix - Buildtime

Terraform

  • Resource: aws_iam_policy_document
  • Argument: effect + actions
data "aws_iam_policy_document" "example" {
              statement {
                sid = "1"
                effect = "Allow"
                actions = [
                    "lambda:CreateFunction",
                    "lambda:CreateEventSourceMapping",
                    "dynamodb:CreateTable",
                ]
                resources = [
                  "*",
                ]
              }
            }

CloudFormation

  • Resource: AWS::IAM::ManagedPolicy
  • Argument: Effect + Actions
Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ...
      PolicyDocument:
        ...
        Statement:
          - Effect: Allow
            Action: 
            -   'lambda:CreateFunction'
            -   'lambda:CreateEventSourceMapping'
            -   'dynamodb:CreateTable'
            Resource: '*'