- Ensure IAM policies do not allow credentials exposure for ECR
Credentials exposure actions return credentials in an API response
Description
AWS IAM users utilize various types of credentials, including passwords and access keys, to authenticate and access AWS resources. Certain API actions, classified as Credentials Exposure actions, return sensitive credentials as part of their response, potentially increasing the risk of credential leakage. Examples of such actions include ecr:GetAuthorizationToken, iam:UpdateAccessKey, and other similar API calls that expose credentials in the response payload.
For further details on Credentials Exposure and its implications, refer to the Cloudsplaining glossary entry: https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/
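The check described above, written out as an added example (not Checkov's own implementation): it walks a policy document's Allow statements and reports which Credentials Exposure actions they grant, honouring IAM's case-insensitive `*`/`?` action wildcards and treating NotAction statements conservatively. The action list is the subset named on this page and the sample policies are constructed.

```python
import fnmatch

# Credentials Exposure actions named on this page. The Cloudsplaining glossary
# lists more; this subset is an assumption kept small for illustration.
CREDENTIALS_EXPOSURE_ACTIONS = (
    "ecr:GetAuthorizationToken",
    "iam:UpdateAccessKey",
)

def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(action, pattern):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_credentials_exposure(policy_document):
    """Return the Credentials Exposure actions granted by any Allow statement.
    A NotAction statement grants everything it does not exclude, so it is
    flagged conservatively rather than skipped."""
    findings = set()
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            excluded = _as_list(stmt["NotAction"])
            findings.update(a for a in CREDENTIALS_EXPOSURE_ACTIONS
                            if not any(_matches(a, p) for p in excluded))
            continue
        for pattern in _as_list(stmt.get("Action")):
            findings.update(a for a in CREDENTIALS_EXPOSURE_ACTIONS if _matches(a, pattern))
    return sorted(findings)

# Constructed sample policies (not from the page): the first grants ecr:* plus an
# oddly cased iam:UpdateAccessKey; the second mirrors the page's compliant fix.
NONCOMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:*", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:updateaccesskey", "Resource": "*"}]}
COMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["lambda:CreateFunction", "lambda:CreateEventSourceMapping",
               "dynamodb:CreateTable"], "Resource": "*"}]}

if __name__ == "__main__":
    print(allowed_credentials_exposure(NONCOMPLIANT_POLICY))  # ['ecr:GetAuthorizationToken', 'iam:UpdateAccessKey']
    print(allowed_credentials_exposure(COMPLIANT_POLICY))  # []
```

Note that this is a per-statement check like the buildtime policy: a Deny statement elsewhere in the account is not considered, so an empty result means the policy grants none of these actions, not that the caller can never obtain them.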
Fix - Buildtime
Terraform
- Resource: aws_iam_policy_document
- Argument: effect + actions
```hcl
data "aws_iam_policy_document" "example" {
  statement {
    sid    = "1"
    effect = "Allow"

    # Allowed actions are limited to ones that do not return credentials;
    # no Credentials Exposure action (e.g. ecr:GetAuthorizationToken) is listed.
    actions = [
      "lambda:CreateFunction",
      "lambda:CreateEventSourceMapping",
      "dynamodb:CreateTable",
    ]

    resources = [
      "*",
    ]
  }
}
```
CloudFormation
- Resource: AWS::IAM::Policy / AWS::IAM::ManagedPolicy / AWS::IAM::Group / AWS::IAM::Role / AWS::IAM::User
- Argument: Effect + Actions
```yaml
Resources:
  AdminDeny:
    Type: 'AWS::IAM::ManagedPolicy'
    Properties:
      ...
      PolicyDocument:
        ...
        Statement:
          # Allowed actions contain no Credentials Exposure action
          - Effect: Allow
            Action:
              - 'lambda:CreateFunction'
              - 'lambda:CreateEventSourceMapping'
              - 'dynamodb:CreateTable'
            Resource: '*'
```