Resource-based policies granting access to all users can lead to information leakage.
Resource-based policies in AWS (bucket policies, queue policies, key policies, Lambda function policies and so on) define who can access a resource and what actions they can perform. When the Principal element of a statement is "*" or {"AWS": "*"} (what the CDK's AnyPrincipal() synthesizes to), the statement applies to every principal, including anonymous, unauthenticated requests from outside the account. This violates the principle of least privilege and exposes the resource's data or operations to anyone who can reach the service endpoint.
When an Allow statement grants a wildcard principal, any caller on the internet can perform the listed actions; with a broad action such as s3:*, that means reading, modifying, or deleting the resource's contents. This can lead to data breaches, exposure of sensitive information, and misuse of cloud resources at the account owner's expense. Do not rely on service-level guardrails (for example S3 Block Public Access, which rejects public bucket policies) to catch this: the same pattern in an SQS, SNS, KMS, or Lambda resource policy has no such safety net.
Grant access to a specific principal instead of AnyPrincipal: the account itself (AccountRootPrincipal), a particular role or user (ArnPrincipal), or an AWS service (ServicePrincipal). If a wildcard principal is genuinely required, scope the statement with a Condition such as aws:PrincipalOrgID or aws:SourceArn so that only known callers match.
Noncompliant code example (CDK v2, inside a Stack so that self resolves):

from aws_cdk import Stack
from aws_cdk.aws_iam import AnyPrincipal, Effect, PolicyStatement
from aws_cdk.aws_s3 import Bucket
from constructs import Construct

class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        bucket = Bucket(self, "ExampleBucket")
        # Allows every action on every object to every principal, including anonymous ones.
        bucket.add_to_resource_policy(PolicyStatement(
            effect=Effect.ALLOW,
            actions=["s3:*"],
            resources=[bucket.arn_for_objects("*")],
            principals=[AnyPrincipal()]  # Noncompliant
        ))
Compliant solution (same stack, the grant limited to the account that owns the bucket):

from aws_cdk import Stack
from aws_cdk.aws_iam import AccountRootPrincipal, Effect, PolicyStatement
from aws_cdk.aws_s3 import Bucket
from constructs import Construct

class ExampleStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        bucket = Bucket(self, "ExampleBucket")
        # Only identities in this account (via its root principal) can use the grant.
        bucket.add_to_resource_policy(PolicyStatement(
            effect=Effect.ALLOW,
            actions=["s3:*"],
            resources=[bucket.arn_for_objects("*")],
            principals=[AccountRootPrincipal()]
        ))
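The CDK snippets above only show the pattern at the source level. The same check can be run against the synthesized policy documents (the JSON that cdk synth emits into the template), which also catches wildcard principals written by hand or generated by other tooling. The following is an added example and not part of the original rule or the Sonar implementation: the three policy documents are constructed for this illustration, the account ID and organization ID are placeholders, and find_public_statements is a hypothetical helper name. It reports every Allow statement whose Principal is "*" or {"AWS": "*"}, notes whether a Condition is present (a condition such as aws:PrincipalOrgID may legitimately narrow the wildcard and deserves review rather than automatic rejection), and ignores Deny statements, where a wildcard principal is the desired shape.

```python
import json

# Constructed sample policies (assumptions for this example, not from the page).
# PUBLIC_POLICY mirrors what the noncompliant CDK snippet synthesizes to:
# AnyPrincipal() becomes {"AWS": "*"}.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::examplebucket/*",
    }],
})

# Same grant scoped to one account's root principal (the compliant shape).
# 123456789012 is a placeholder account ID.
ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::examplebucket/*",
    }],
})

# Wildcard principal narrowed by a Condition (placeholder org ID), plus a Deny
# with a wildcard principal, which is the opposite of the problem and must not be reported.
ORG_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM accepts a scalar or a list in most elements; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal) -> bool:
    """True for the two spellings that mean 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json: str) -> list:
    """Return the Allow statements whose Principal is a wildcard.

    Each finding records the statement index, the actions granted, and whether a
    Condition element is present. A condition such as aws:PrincipalOrgID or
    aws:SourceArn can scope the wildcard to known callers, so conditioned findings
    need human review rather than automatic rejection.
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny to "*" is fine; only Allow grants leak access
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append({
            "index": idx,
            "actions": _as_list(stmt.get("Action")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY), ("account", ACCOUNT_POLICY), ("org", ORG_SCOPED_POLICY)]:
        print(name, find_public_statements(policy))
```

In a pipeline, feed it each PolicyDocument found in the synthesized template (for an S3 bucket that is the AWS::S3::BucketPolicy resource) and fail the build on any unconditioned finding; treat conditioned findings as review items, since the check does not evaluate whether the condition actually restricts the caller.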