# Semgrep rule: flag an aws_ecr_repository_policy whose Allow statement names the
# wildcard principal "*" (directly, inside a list, or under the "AWS" key). The
# message below describes why that matters: the repository becomes reachable by
# every account and by anonymous callers.
rules:
  - id: aws-ecr-repository-wildcard-principal
    patterns:
      # Only look inside the resource type that attaches a policy to an ECR repository.
      - pattern-inside: |
          resource "aws_ecr_repository_policy" $ANYTHING {
            ...
          }
      # Two spellings of the policy attribute are handled. A policy that comes from a
      # variable, file() or a data source is neither a string literal nor a
      # jsonencode() call, so it falls outside both branches.
      - pattern-either:
          # Branch 1: the policy is an inline JSON string. The captured string is
          # re-parsed as JSON so the nested patterns run against its structure.
          - patterns:
              - pattern: policy = "$JSONPOLICY"
              - metavariable-pattern:
                  metavariable: $JSONPOLICY
                  language: json
                  patterns:
                    # A wildcard in a Deny statement is a restriction, not a grant.
                    - pattern-not-inside: |
                        {..., "Effect": "Deny", ...}
                    # No pattern examines a "Condition" element, so a "*" principal
                    # that a Condition narrows still matches; triage with that in mind.
                    - pattern-either:
                        - pattern: |
                            {..., "Principal": "*", ...}
                        - pattern: |
                            {..., "Principal": [..., "*", ...], ...}
                        - pattern: |
                            {..., "Principal": { "AWS": "*" }, ...}
                        - pattern: |
                            {..., "Principal": { "AWS": [..., "*", ...] }, ...}
          # Branch 2: the policy is built with jsonencode(). Same four shapes and the
          # same Deny exclusion, written as HCL object attributes instead of JSON keys.
          - patterns:
              - pattern-inside: policy = jsonencode(...)
              - pattern-not-inside: |
                  {..., Effect = "Deny", ...}
              - pattern-either:
                  - pattern: |
                      {..., Principal = "*", ...}
                  - pattern: |
                      {..., Principal = [..., "*", ...], ...}
                  - pattern: |
                      {..., Principal = { AWS = "*" }, ...}
                  - pattern: |
                      {..., Principal = { AWS = [..., "*", ...] }, ...}
    message: >-
      Detected wildcard access granted in your ECR repository policy principal. This
      grants access to all users, including anonymous users (public access). Instead,
      limit principals, actions and resources to what you need according to least
      privilege.
    metadata:
      category: security
      technology:
        - aws
        - terraform
      # The CWE entry contains ": " and must stay quoted or YAML reads it as a
      # mapping; the OWASP entry is quoted for consistency.
      owasp:
        - "A05:2021 - Security Misconfiguration"
      cwe:
        - "CWE-732: Incorrect Permission Assignment for Critical Resource"
      references:
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy
        - https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html
        - https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html
        - https://cwe.mitre.org/data/definitions/732.html
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING