Skip to content

Write access allowed without constraint

Description

This policy allows actions that permit modification of resource-based policies or can otherwise can expose AWS resources to the public via similar actions that can lead to resource exposure.

For example:
1 - s3:PutBucketPolicy, s3:PutBucketAcl, and s3:PutObjectAcl grant permissions to modify the properties of S3 buckets or objects for new or existing objects in an S3 bucket, which could expose objects to rogue actors or to the internet.
2 - ecr:SetRepositoryPolicy could allow an attacker to exfiltrate container images (which sometimes unintentionally contain secrets and non-public information), tamper with container images, or otherwise modify.
3 - iam:UpdateAssumeRolePolicy could allow an attacker to create a backdoor by assuming a privileged role in the victim account from an external account.
The ability to modify AWS Resource Access Manager, which could allow a malicious actor to share a VPC hosting sensitive or internal services to rogue AWS accounts
Attackers can easily exploit Resource Exposure permissions to expose resources to rogue users or the internet, as shown by endgame, an AWS pentesting tool that was also released by Salesforce.

For more info, visit cloudsplaning documentation
https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/

Fix - Buildtime

Terraform

  • Resource: aws_iam_policy_document
  • *Argument: effect + actions
data "aws_iam_policy_document" "example" {
              statement {
                sid = "1"
                effect = "Allow"
                actions = [
                        "s3:*"
                ]

                resources = [
                  "foo",
                ]
              }
            }