AWS IAM Policy (Customer Managed) Contains Potential Credentials Exposure
- Contextual name: Policy (Customer Managed) Contains Potential Credentials Exposure
- ID: /ce/ca/aws/iam/policy-customer-managed-potential-credentials-exposure
- Located in: AWS IAM
Flags
- Policy with internal.md
- Policy without categories
- Policy without description.md
- Policy without remediation.md
- Policy without type
- WIP policy
Logic
- wip.logic.yaml
- AWS IAM Policy
Internal Notes
Policy description
Origin of the policy
The policy is based on the CA policy ce:ca:aws:iam:policy-customer-managed-potential-credentials-exposure. It originates from a customer request and was developed to their specifications.
Does this policy make sense?
This policy simply looks for specific Actions in the policy statements; no other logic is applied.

Because the `inputType` is `AWS IAM Policy`, the policy document is identity-based and would not have any `Principal`. We cannot apply any specific `ACCESS_LEVEL` to filter out the statements: they would all be detected as `EXTERNAL_PRINCIPAL`, but in reality you can only attach this policy to objects in your own account, so effectively it is `SAME_ACCOUNT`. (A role the policy is attached to may still be assumable from another account through that role's trust policy, but that is a property of the role, not of this policy document.)

The only way to fix the violation is to delete the actions from the policy. But there are use cases where you must have these actions for things to work.

[!WARNING] So it is not completely clear whether this policy is meaningless or whether it can be modified to make it somehow useful.
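To make the matching described above concrete, here is an added Python example written for this page; it is not the policy's wip.logic.yaml, nor the product's own engine. It scans an identity-based policy document for a set of credential-exposing actions. The action set `CREDENTIAL_EXPOSURE_ACTIONS` and the sample policy are assumptions of the example (the page does not enumerate the actions its policy matches), and it goes beyond what the note says the policy does: it skips Deny statements, handles `NotAction`, expands `*`/`?` wildcards, and matches action names case-insensitively. Because the document has no `Principal`, nothing here can derive an access level from one, which is the limitation the note describes.

```python
import fnmatch
import json

# Assumed, illustrative list of IAM actions that return or create credentials.
# The page does not enumerate the actions its policy matches; this set is an
# assumption of this example, not the product's actual list.
CREDENTIAL_EXPOSURE_ACTIONS = frozenset({
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile",
    "sts:AssumeRole",
    "sts:GetFederationToken",
    "sts:GetSessionToken",
    "ecr:GetAuthorizationToken",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "redshift:GetClusterCredentials",
    "rds-db:connect",
})


def _as_list(value):
    """Statement, Action and NotAction may each be a single value or a list in IAM JSON."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_credential_exposure(policy_document):
    """Return one finding per (Allow statement, sensitive action) pair.

    Identity-based policies carry no Principal element, so no access level
    (same account vs. external principal) can be derived here: every hit is
    reported the same way.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        # Unlike the matcher described on the page, skip Deny statements:
        # a Deny never grants the action, so it cannot expose credentials.
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        not_patterns = _as_list(stmt.get("NotAction"))
        sid = stmt.get("Sid", "statement[%d]" % index)
        for sensitive in sorted(CREDENTIAL_EXPOSURE_ACTIONS):
            if patterns:
                matched = [p for p in patterns if _action_matches(p, sensitive)]
                if matched:
                    findings.append({"statement": sid, "action": sensitive, "matched_by": matched[0]})
            elif not_patterns:
                # Allow + NotAction grants everything that is NOT listed, so a
                # sensitive action is exposed whenever no NotAction pattern covers it.
                if not any(_action_matches(p, sensitive) for p in not_patterns):
                    findings.append({"statement": sid, "action": sensitive, "matched_by": "NotAction"})
    return findings


# Constructed sample policy for the demonstration (not taken from the page).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadConfig", "Effect": "Allow",
         "Action": ["ssm:GetParameter*", "s3:GetObject"], "Resource": "*"},
        {"Sid": "NoKeys", "Effect": "Deny",
         "Action": "iam:CreateAccessKey", "Resource": "*"},
        {"Sid": "Admin", "Effect": "Allow",
         "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for finding in find_credential_exposure(SAMPLE_POLICY):
        print("%(statement)s grants %(action)s via %(matched_by)s" % finding)
```

Run against the sample, `ReadConfig` is flagged twice (the `ssm:GetParameter*` wildcard covers both `ssm:GetParameter` and `ssm:GetParameters`), `NoKeys` is skipped because it is a Deny, and `Admin` is flagged for every sensitive action outside `iam:*`, which is the case a plain Action-list matcher misses entirely. It also shows why the note's remediation advice is awkward: removing `ssm:GetParameter*` from `ReadConfig` removes the legitimate configuration read along with the finding.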