IAM roles attached to instance profiles should not allow broad list actions on S3 buckets¶
Description¶
Instance profiles contain trust policies that enable EC2 instances to assume IAM roles. To prevent a compromised EC2 instance from surveying every S3 bucket in the account and potentially accessing sensitive data, the IAM policies attached to the roles that instance profiles use should not allow broad list actions on S3 buckets, such as s3:ListAllMyBuckets.
Remediation Steps¶
AWS Console¶
AWS CLI¶
Ensure that IAM policies attached to IAM roles associated with instance profiles do not include broad S3 list actions:
aws iam create-policy-version --policy-arn <policy-arn> --policy-document file://policy.json --set-as-default
policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:Get*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Terraform¶
Ensure that IAM policies declared inline with aws_iam_role or aws_iam_role_policy resources, or with an aws_iam_policy that is associated with an aws_iam_instance_profile, do not allow broad list actions on S3 buckets.
Example Configuration¶
resource "aws_iam_role_policy" "example" {
  name = "my_role_policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = "s3:Get*"
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
  # other required fields here
}
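The check behind this rule, for both the CLI policy.json above and the policy a Terraform jsonencode block produces, can be run offline against a policy document. The following is an added example, not code from the page or from any AWS tooling; it assumes a policy document as a JSON string or parsed dict, treats s3:ListAllMyBuckets as broad anywhere and s3:ListBucket as broad only when granted on all buckets, and matches Resource wildcards by exact string only (a labelled simplification).

```python
import fnmatch
import json

# s3:ListAllMyBuckets enumerates every bucket in the account; s3:ListBucket
# granted on all buckets lets a role list every object in any of them.
ACCOUNT_WIDE_LIST = "s3:ListAllMyBuckets"
BUCKET_LIST = "s3:ListBucket"
ALL_BUCKETS = {"*", "arn:aws:s3:::*"}  # simplification: exact wildcards only

def _as_list(value):
    """Action, NotAction and Resource may be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _grants(stmt, action):
    """True if an Allow statement grants `action`, honouring NotAction."""
    if "NotAction" in stmt:  # Allow + NotAction grants everything not excluded
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))

def find_broad_s3_list_grants(policy_document):
    """Return [(statement id, action)] for each broad S3 list grant found."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", f"Statement[{i}]")
        if _grants(stmt, ACCOUNT_WIDE_LIST):
            findings.append((sid, ACCOUNT_WIDE_LIST))
        if ALL_BUCKETS & set(_as_list(stmt.get("Resource"))) and _grants(stmt, BUCKET_LIST):
            findings.append((sid, BUCKET_LIST))
    return findings

# Constructed sample policies (not from the page): the remediated policy from
# the CLI section, and an over-broad one typical of instance-profile roles.
REMEDIATED = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:Get*", "Effect": "Allow", "Resource": "*"}]}
WILDCARD_LIST = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Survey", "Action": ["s3:List*"], "Effect": "Allow", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("remediated", REMEDIATED), ("wildcard", WILDCARD_LIST)):
        print(f"{name}: {find_broad_s3_list_grants(doc)}")
```

A single-bucket s3:ListBucket grant on a named bucket ARN produces no finding, which is the scoped form the rule allows.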