Data exfiltration allowed without resource constraints
Description
Data exfiltration actions are IAM permissions, mostly read-only, that expose sensitive data when they are granted without a resource constraint (that is, on Resource "*"). Examples include s3:GetObject, ssm:GetParameter*, and secretsmanager:GetSecretValue: granted on every resource, they let a compromised or over-privileged principal read any object, parameter, or secret the account holds.
- Unrestricted s3:GetObject permissions have been a well-known vector for customer data leaks, as they allow retrieval of objects from any S3 bucket with no limit on which data is accessed.
- ssm:GetParameter* and secretsmanager:GetSecretValue retrieve configuration data and secrets stored in AWS Systems Manager Parameter Store and AWS Secrets Manager respectively, making them key targets for exfiltrating credentials or other confidential information.
- rds:CopyDBSnapshot and rds:CreateDBSnapshot can be used to create and copy RDS database snapshots, which facilitates exfiltration of the snapshot and exposure of the database contents.
For a detailed analysis of data exfiltration actions, refer to the Cloudsplaining glossary: https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/
Fix - Buildtime
Terraform
- Resource: aws_iam_policy_document
- Argument: effect + actions
data "aws_iam_policy_document" "example" {
  statement {
    sid    = "1"
    effect = "Allow"
    # None of these actions read data out of the account, so granting them on
    # "*" does not trigger this check. Data exfiltration actions such as
    # s3:GetObject or secretsmanager:GetSecretValue must instead be limited to
    # specific resource ARNs.
    actions = [
      "lambda:CreateFunction",
      "lambda:CreateEventSourceMapping",
      "dynamodb:CreateTable",
    ]
    resources = [
      "*",
    ]
  }
}
CloudFormation
- Resource: AWS::IAM::ManagedPolicy
- Argument: Effect + Actions
Type: 'AWS::IAM::ManagedPolicy'
Properties:
  ...
  PolicyDocument:
    ...
    Statement:
      # None of these actions read data, so Resource '*' is acceptable here.
      # Data exfiltration actions must be scoped to specific resource ARNs.
      - Effect: Allow
        Action:
          - 'lambda:CreateFunction'
          - 'lambda:CreateEventSourceMapping'
          - 'dynamodb:CreateTable'
        Resource: '*'
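The check described above, as an added example written for this page (it is not Checkov's or Cloudsplaining's own code): a small evaluator that walks an IAM policy document and flags Allow statements granting any of the listed data exfiltration actions on Resource "*", expanding action wildcards such as ssm:GetParameter*, secretsmanager:* or a bare * the way IAM does. The three sample policies are constructed for the demo: an unscoped one that fails, the same reads scoped to one bucket prefix and one parameter path (the hardened form), and the lambda/dynamodb policy from the Fix section, which passes because none of its actions read data. Bucket and parameter names and the account ID are placeholders.

```python
"""Flag IAM statements that allow data exfiltration actions on Resource "*".

Added example for this page; not Checkov's or Cloudsplaining's own code.
"""
import fnmatch
import json

# Actions named in the description above, lower-cased for IAM's
# case-insensitive action matching.
DATA_EXFILTRATION_ACTIONS = (
    "s3:getobject",
    "ssm:getparameter",
    "ssm:getparameters",
    "ssm:getparametersbypath",
    "secretsmanager:getsecretvalue",
    "rds:copydbsnapshot",
    "rds:createdbsnapshot",
)


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(policy_action, exfil_action):
    """True if a (possibly wildcarded) policy action grants exfil_action.

    IAM action names are case-insensitive and only '*' and '?' are wildcards,
    so fnmatch on the lower-cased pattern is an exact model of that matching.
    """
    return fnmatch.fnmatchcase(exfil_action, policy_action.lower())


def find_data_exfiltration(policy):
    """Return (Sid, policy action, matched exfiltration action) findings.

    Only the literal Resource "*" counts as unconstrained here, which is what
    this check looks for. Deny statements are skipped, and NotAction /
    NotResource statements are not modelled (they need separate handling).
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            for exfil in DATA_EXFILTRATION_ACTIONS:
                if action_matches(action, exfil):
                    findings.append((stmt.get("Sid", ""), action, exfil))
                    break  # one finding per policy action is enough
    return findings


# Constructed sample policies (placeholder names and account ID).
UNSCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadEverything", "Effect": "Allow",
     "Action": ["s3:GetObject", "ssm:GetParameter*"], "Resource": "*"},
    {"Sid": "Secrets", "Effect": "Allow",
     "Action": "secretsmanager:*", "Resource": ["*"]}
  ]
}""")

# Hardened form: the same reads, limited to one bucket prefix and one
# parameter path, so a compromised principal cannot read every object or
# parameter in the account.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAppBucket", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "ReadAppConfig", "Effect": "Allow", "Action": "ssm:GetParameter",
     "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/example-app/*"}
  ]
}""")

# The policy from the Fix section: wildcard resource, but no data-reading
# actions, so it passes.
FIX_SECTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "1", "Effect": "Allow",
        "Action": ["lambda:CreateFunction", "lambda:CreateEventSourceMapping",
                   "dynamodb:CreateTable"],
        "Resource": ["*"],
    }],
}


if __name__ == "__main__":
    for name, policy in [("unscoped", UNSCOPED_POLICY),
                         ("scoped", SCOPED_POLICY),
                         ("fix-section", FIX_SECTION_POLICY)]:
        hits = find_data_exfiltration(policy)
        print(f"{name}: {'FAIL' if hits else 'PASS'}")
        for sid, action, exfil in hits:
            print(f"  statement {sid!r}: {action} grants {exfil} on *")
```

Running it reports the unscoped policy as failing on all three statements' actions (including secretsmanager:*, which is caught only because wildcards are expanded) and the other two as passing. Scoping the ARN is the fix; a remediation that merely narrows the action list while leaving Resource "*" still leaves every matching object or parameter readable.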