Ensure IAM policies with NotAction and NotResource are not attached or used

HIGH

Description

Pass role with NotAction and NotResource: Using NotAction with NotResource can be overly permissive because it can allow iam:PassRole permissions on multiple resources.. We recommend that you specify resource ARNs instead.

Remediation

In AWS Console -

  1. Sign in to the AWS console and go to the IAM console.
  2. In the Navigation pane, select Policies.
  3. In the list of policies, select the policy to edit.
  4. Select the Permissions tab, and then choose Edit policy.
  5. On the review page, review the changes and click Save.

In Terraform -

  1. In the aws_iam_policy, aws_iam_role_policy, aws_iam_group_policy, and aws_iam_user_policy resources, edit the policy field so that NotResource and NotAction are not used.
  2. Update the Resource ARN list to use specific IDs rather than a wildcard.
  3. Update the Action list to a specific set of IAM actions.
    For more information on how to effectively write an IAM policy see the AWS and Terraform documentation.

References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/service_code_examples_iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy

Policy Details

Rule Reference ID: AC_AWS_0040
CSP: AWS
Remediation Available: Yes
Resource: aws_iam_policy
Resource Type: Policy

Frameworks