🛡️ AWS IAM Policy (Customer Managed) Contains Potential Credentials Exposure🔴🟠

Contextual name: 🛡️ Policy (Customer Managed) Contains Potential Credentials Exposure🔴🟠
ID: /ce/ca/aws/iam/policy-customer-managed-potential-credentials-exposure
Tags:
- 🟠 Policy with internal.md
- 🟠 Policy without categories
- 🔴 Policy without description.md
- 🔴 Policy without remediation.md
- 🟠 Policy without type
- 🟠 WIP policy

Logic

🧠 wip.logic.yaml🔴🟠
- 📗 AWS IAM Policy

Internal Notes 🟠

Policy description

Origin of the policy

The policy is based on CA policy ce:ca:aws:iam:policy-customer-managed-potential-credentials-exposure

The policy originates from a customer request and developed to their specifications.

Does this policy make sense?

This policy basically looks for specific Actions in the policy statements. No other logic is applied.

Because the inputType is AWS IAM Policy, the policy document is Identity-based and would not have any Principal.

We can not apply any specific ACCESS_LEVEL to filter out the statements, they all are going to be detected as EXTERNAL_PRINCIPAL, but actually you can only attach this policy to the objects in your account, so effectively it's like SAME_ACCOUNT.

The only way of fixing the violation is to delete the actions from the policy. But there would be use-cases where you have to have these actions to make things work.

[!WARNING] So it's not completely clear if this policy is meaningless or we can modify it to make it somehow useful.

... see more

policy.yaml

Open File

Logic​

Internal Notes 🟠​

Policy description​

Origin of the policy​

Does this policy make sense?​

policy.yaml​

Logic

Internal Notes 🟠

Policy description

Origin of the policy

Does this policy make sense?

policy.yaml