AVD-AWS-0057 is detected when AWS IAM conditions are set in policy

[Malcolm-GetAHead]

IDs

AVD-AWS-0057

Description

When you configure conditions in an IAM policy that uses a wildcard in it's resource spec AVD-AWS-0057 is detected.

Reproduction Steps

1. Create a new terraform file with this minimum code example:

terraform {
  required_version = "~> 1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
data "aws_iam_policy_document" "this" {
  statement {
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ec2:DescribeTags"
    ]
  }
  statement {
    effect    = "Allow"
    resources = ["*"]
    actions   = ["ec2:CreateTags"]
    condition {
      test     = "StringEquals"
      values   = ["true"]
      variable = "ec2:ResourceTag/CanUpdate"
    }
    condition {
      test     = "StringLike"
      values   = ["*"]
      variable = "aws:RequestTag/TagUpdate"
    }
  }
}
resource "aws_iam_policy" "this" {
  name   = "temp"
  policy = data.aws_iam_policy_document.this.json
}

2. Run trivy code scan

Target

AWS

Scanner

Misconfiguration

Target OS

No response

Debug Output

[~]$ trivy conf -d .
2024-03-25T09:43:59.242-0400	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-25T09:43:59.254-0400	DEBUG	cache dir:  /home/____/.cache/trivy
2024-03-25T09:43:59.254-0400	INFO	Misconfiguration scanning is enabled
2024-03-25T09:43:59.254-0400	DEBUG	Policies successfully loaded from disk
2024-03-25T09:43:59.254-0400	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-03-25T09:43:59.257-0400	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-03-25T09:43:59.265-0400	DEBUG	Walk the file tree rooted at '.' in series
2024-03-25T09:43:59.265-0400	DEBUG	Scanning Terraform files for misconfigurations...
2024-03-25T09:43:59.265-0400	DEBUG	[misconf] 43:59.265429554 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13941030943663961160 430561731 0xcc3f020} <nil>} {{{0 0} {[] {} 0xc001eee660} map[tmp.tf:0xc0017930c0] 0}}}) .}] at '.'...
2024-03-25T09:43:59.266-0400	DEBUG	[misconf] 43:59.266936510 terraform.scanner.rego           Overriding filesystem for policies!
2024-03-25T09:43:59.298-0400	DEBUG	[misconf] 43:59.298713019 terraform.scanner.rego           Loaded 190 policies from disk.
2024-03-25T09:43:59.299-0400	DEBUG	[misconf] 43:59.299001383 terraform.scanner.rego           Overriding filesystem for data!
2024-03-25T09:43:59.606-0400	DEBUG	[misconf] 43:59.606884750 terraform.parser.<root>          Setting project/module root to '.'
2024-03-25T09:43:59.606-0400	DEBUG	[misconf] 43:59.606916339 terraform.parser.<root>          Parsing FS from '.'
2024-03-25T09:43:59.606-0400	DEBUG	[misconf] 43:59.606930863 terraform.parser.<root>          Parsing 'tmp.tf'...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607114088 terraform.parser.<root>          Added file tmp.tf.
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607264438 terraform.scanner                Scanning root module '.'...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607295030 terraform.parser.<root>          Setting project/module root to '.'
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607297843 terraform.parser.<root>          Parsing FS from '.'
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607303785 terraform.parser.<root>          Parsing 'tmp.tf'...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607415326 terraform.parser.<root>          Added file tmp.tf.
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607419709 terraform.parser.<root>          Evaluating module...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607496741 terraform.parser.<root>          Read 3 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607520742 terraform.parser.<root>          Added 0 variables from tfvars.
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607526921 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607536152 terraform.parser.<root>          Working directory for module evaluation is '/home/____/tmp/vuln-test'
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607567969 terraform.parser.<root>.evaluator Filesystem key is '3cc88f6c7faea61d71f629766612b3d0c921ab755d429264e1ada3037540cb10'
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607570816 terraform.parser.<root>.evaluator Starting module evaluation...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607657369 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607661356 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607665196 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607715894 terraform.parser.<root>.evaluator Module evaluation complete.
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607724750 terraform.parser.<root>          Finished parsing module 'root'.
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607728764 terraform.executor               Adapting modules...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607855125 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607859105 terraform.executor               Using max routines of 15
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607863537 terraform.executor               Applying state modifier functions...
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607962760 terraform.executor               Initialized 486 rule(s).
2024-03-25T09:43:59.607-0400	DEBUG	[misconf] 43:59.607967042 terraform.executor               Created pool with 15 worker(s) to apply rules.
2024-03-25T09:43:59.608-0400	DEBUG	[misconf] 43:59.608261703 terraform.scanner.rego           Scanning 1 inputs...
2024-03-25T09:43:59.616-0400	DEBUG	[misconf] 43:59.616899680 terraform.executor               Finished applying rules.
2024-03-25T09:43:59.616-0400	DEBUG	[misconf] 43:59.616943882 terraform.executor               Applying ignores...
2024-03-25T09:43:59.644-0400	DEBUG	OS is not detected.
2024-03-25T09:43:59.644-0400	INFO	Detected config files: 2
2024-03-25T09:43:59.644-0400	DEBUG	Scanned config file: .
2024-03-25T09:43:59.644-0400	DEBUG	Scanned config file: tmp.tf

tmp.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: IAM policy document uses sensitive action 'ec2:CreateTags' on wildcarded resource '*'
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.

See https://avd.aquasec.com/misconfig/avd-aws-0057
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 tmp.tf:21
   via tmp.tf:19-33 (data.aws_iam_policy_document.this)
    via tmp.tf:11-34 (data.aws_iam_policy_document.this)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  11   data "aws_iam_policy_document" "this" {
  ..   
  21 [     resources = ["*"]
  ..   
  34   }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

### Version

```bash
[~]$ trivy --version
Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-06 18:10:56.550497062 +0000 UTC
  NextUpdate: 2024-03-07 00:10:56.550496821 +0000 UTC
  DownloadedAt: 2024-03-06 19:16:09.89453687 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-25 13:10:58.968438662 +0000 UTC

### Checklist

- [X] Read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/dev/community/contribute/discussion/#false-detection)
- [X] Ran Trivy with `-f json` that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

What did you expect to happen differently in this case?

[Malcolm-GetAHead]

What did you expect to happen differently in this case?

In this case the policy is being applied to an EC2 instance, typically deployed as a disposable resource (autoscaling, etc) so attempting to use an ARN specific to the resource would be fairly difficult in a dynamic environment.

By using conditions I'd expect the scanner to note that the scope is reduced from all EC2 instances to a specific subset and not flag this particular finding.

Thanks!

[simar7]

I understand, thanks for explaining. Unfortunately, while your reasoning is correct, the policy still holds true (and has usefulness) for a larger set of cases.

You always have the option to ignore the check if you think it is not relevant in your case.