aws-resource-public-policy¶
Ensure that the resource policy is not set to public
When specifying a resource-level policy, make sure not to use a wildcard for the Principal as it would basically mean that anybody on the public Internet can access / manage the resource.
The rule applies to the following services:
- ECR
- KMS
Examples¶
Insecure Example
resource "aws_ecr_repository_policy" "foopolicy" {
repository = aws_ecr_repository.foo.name
policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "new policy",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:GetDownloadUrlForLayer",
...
]
}
]
}
EOF
}
"RepositoryPolicyText" : {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}
Secure Example
resource "aws_ecr_repository_policy" "foopolicy" {
repository = aws_ecr_repository.foo.name
policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "new policy",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/Bob",
"arn:aws:iam::123456789012:user/Alice"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
...
]
}
]
}
EOF
}
"RepositoryPolicyText" : {
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPushPull",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/Bob",
"arn:aws:iam::123456789012:user/Alice"
]
},
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload"
]
}
]
}