Fixed potential self-escalation from iam:PassRole (#215)

* Fixed potential self-escalation from iam:PassRole by moving it from AllowOperations to a new statement named AllowPassRole that restricts resources to aws_iam_role.ec2 and aws_iam_role.service * Auto Format Co-authored-by: cloudpossebot <[email protected]> Co-authored-by: Andriy Knysh <[email protected]>
cloudposse · Oct 24, 2022 · 87808f7 · 87808f7
1 parent 92a3ade
commit 87808f7
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/main.tf b/main.tf
@@ -255,7 +255,6 @@ data "aws_iam_policy_document" "default" {
       "elasticloadbalancing:RegisterTargets",
       "elasticloadbalancing:DeregisterTargets",
       "iam:ListRoles",
-      "iam:PassRole",
       "logs:CreateLogGroup",
       "logs:PutRetentionPolicy",
       "rds:DescribeDBEngineVersions",
@@ -281,6 +280,21 @@ data "aws_iam_policy_document" "default" {
     effect = "Allow"
   }
 
+  statement {
+    sid = "AllowPassRole"
+
+    actions = [
+      "iam:PassRole"
+    ]
+
+    resources = [
+      join("", aws_iam_role.ec2.*.arn),
+      join("", aws_iam_role.service.*.arn)
+    ]
+
+    effect = "Allow"
+  }
+
   statement {
     sid = "AllowS3OperationsOnElasticBeanstalkBuckets"