Recommended changes to policies
- arn:aws:iam::<AWS_ACCOUNT>:policy/dataall-pivot-role-cdk-policy-us-east-1-1: Recommendation is to simply use StringLike or another appropriate condition operator without the ForAllValues qualifier for keys like ram:ResourceShareName that can only have one value.
  This removes ambiguity, avoids misconfiguration, and makes intent clear in policies.
  Instead of
  ```json
  "Condition": {
    "ForAllValues:StringLike": {
      "ram:ResourceShareName": ["LakeFormation*"]
    }
  }
  ```
  Use
  ```json
  "Condition": {
    "StringLike": {
      "ram:ResourceShareName": "LakeFormation*"
    }
  }
  ```
- The below resources have been flagged for using wildcards (*) in the action and the resource. This can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on all resources. We recommend that you specify resource ARNs instead. Upon checking the CloudTrail logs, the iam:CreateServiceLinkedRole action has been created only twice since the policy was created, both times by some cloud CI/CD roles. We believe that the reported policies could be further restricted in the resources section. Please let us know if that is not the case.
arn:aws:iam::<AWS_ACCOUNT>:policy/dataall-env_admin-1sny7nxn-services-policy-0
arn:aws:iam::<AWS_ACCOUNT>:policy/dataall-_data-m3ccdxtu-services-policy-0
arn:aws:iam::<AWS_ACCOUNT>:policy/dataall-_env_admin-m3ccdxtu-services-policy-0
arn:aws:iam::<AWS_ACCOUNT>:policy/DataAllCustomCDKPolicyus-east-1
- arn:aws:iam::<AWS_ACCOUNT>:policy/DataAllCustomCDKPolicyus-east-1: same as in 2. where iam:PassRole action is added without restriction on resources, which is overly permissive. A quick check on the CloudTrail log did not show indication that this action is used. Please check if this action is needed in the first place.
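As an added example (not code from the issue or the project), a small Python linter that flags the two patterns raised above in a parsed policy document: a ForAllValues/ForAnyValue qualifier applied to the single-valued ram:ResourceShareName key, and iam:CreateServiceLinkedRole or iam:PassRole allowed on Resource "*" (directly or through an action wildcard). The SINGLE_VALUED_KEYS set and the sample policy are constructed assumptions, not real data.all policies.

```python
import fnmatch
import json

# Condition keys known to hold one value per request. ram:ResourceShareName is the key
# named in the issue; the set itself is an assumption to extend for your environment.
SINGLE_VALUED_KEYS = {"ram:resourcesharename"}
SENSITIVE_IAM_ACTIONS = ("iam:CreateServiceLinkedRole", "iam:PassRole")


def _as_list(value):
    # IAM accepts a scalar or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _grants(pattern, action):
    # IAM action names match case-insensitively and '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    """Return finding strings for a parsed IAM policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        for operator, kv in stmt.get("Condition", {}).items():
            qualifier, _, base_op = operator.partition(":")
            # Set operators on a single-valued key only add ambiguity; note that
            # ForAllValues also evaluates true when the key is absent from the request.
            if qualifier in ("ForAllValues", "ForAnyValue") and base_op:
                for key in kv:
                    if key.lower() in SINGLE_VALUED_KEYS:
                        findings.append(f"{sid}: use {base_op} instead of {operator} on {key}")
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in SENSITIVE_IAM_ACTIONS:
                if _grants(pattern, action):
                    findings.append(f'{sid}: {action} on Resource "*" via Action {pattern}')
    return findings


# Constructed sample mirroring the shapes described in the issue, not a real data.all policy.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "RamShare", "Effect": "Allow", "Action": "ram:CreateResourceShare", "Resource": "*",
  "Condition": {"ForAllValues:StringLike": {"ram:ResourceShareName": ["LakeFormation*"]}}},
 {"Sid": "IamWildcard", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
 {"Sid": "PassAny", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
 {"Sid": "PassScoped", "Effect": "Allow", "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::111122223333:role/dataall-example-role"}]}""")

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE_POLICY)))
```

The scoped PassRole statement produces no finding, which is the shape the issue asks for.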