Challenge type: cloud security review
Original code: found here
This week we broke away from pure application code review and looked at some AWS configuration. Specifically, the snippet provided was an IAM policy. IAM policies are codified permission documents attached to users, groups, and roles (and, as resource-based policies, to some resources) within AWS. They control what a principal can do, on which resources, and under what conditions, which makes them one of the most important security controls in an AWS account.
The issue with the originally posted policy was that it was supposed to restrict pipeline resources to the user that created them. This was even called out in the name of the policy. The effect of the policy was the exact opposite, though: instead of denying non-creators access, the policy allowed it. An "Allow" whose condition matches only users other than the creator is still a grant, so the policy handed every other user precisely the access its name promised to prevent. IAM does not read the statement name when it evaluates a request; only the Effect, Action, Resource, and Condition count.
This is something that could slip into real-world policies either accidentally or as a deliberate backdoor. It is subtle for a human reviewer to catch because we tend to place more faith in commented code, well-named functions, and, in this case, a well-named policy. The practical check is to review each statement's Effect, Action, Resource, and Condition on their own terms and ignore the name entirely, and, before attaching the policy, to run it through the IAM policy simulator as a principal who should be denied.
The solution to this is really simple, fortunately. We need to change the Effect of the policy from "Allow" to "Deny" as seen in the snippet below. Two things to keep in mind with this fix: an explicit Deny always wins over any Allow, which is exactly why it is the right tool for a restriction, and a Deny statement grants nothing by itself, so the creator still needs an Allow from some other statement or policy to retain access.
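To make the difference concrete, here is an added example that is not the policy from the original post: a constructed creator-only policy built with either Effect, evaluated under a small model of IAM's evaluation logic (explicit Deny wins, otherwise Allow if any statement allows, otherwise implicit deny). Everything below is an assumption for illustration: the service (`codepipeline`), the idea that each pipeline carries an `owner` tag holding its creator's user name, the `${aws:username}` comparison, the `TEAM_BASELINE` grant, and the account and pipeline ARN. The evaluator is a simplified model, not AWS's own engine.

```python
import fnmatch
import re

# Constructed for this example: the broad team-level grant that the creator-only
# policy is meant to narrow. A Deny-only policy grants nothing on its own, so an
# Allow like this must exist for the creator to keep access. "codepipeline" is
# an assumption; the original post does not name the service.
TEAM_BASELINE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TeamCanUsePipelines",
        "Effect": "Allow",
        "Action": ["codepipeline:*"],
        "Resource": ["*"],
    }],
}


def restrict_to_creator(effect):
    """Creator-only policy with the given Effect ("Allow" reproduces the bug).

    Assumed condition: each pipeline carries an "owner" tag naming the user who
    created it, compared to the caller via the ${aws:username} policy variable.
    The Sid says "Restrict" either way; IAM never reads it, only the Effect.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictPipelinesToCreator",
            "Effect": effect,
            "Action": ["codepipeline:*"],
            "Resource": ["*"],
            "Condition": {
                "StringNotEquals": {"aws:ResourceTag/owner": "${aws:username}"}
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(text, context):
    """Expand ${key} policy variables from the request context (simplified)."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), ""), text)


def _condition_holds(condition, context):
    """Simplified evaluation of the two string operators used here. A missing
    context key makes StringEquals false and StringNotEquals true, which is how
    IAM treats absent keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _substitute(expected, context)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policies, action, resource, context):
    """Simplified identity-policy evaluation: an explicit Deny beats any Allow;
    with no matching statement the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


PIPELINE_ARN = "arn:aws:codepipeline:us-east-1:123456789012:demo"  # constructed


def creator_only_outcomes(effect):
    """Decisions for the creator, a non-creator, and an untagged pipeline when
    the baseline grant is combined with the creator-only policy using `effect`."""
    policies = [TEAM_BASELINE, restrict_to_creator(effect)]
    cases = {"creator": ("alice", "alice"), "other_user": ("bob", "alice"),
             "untagged": ("alice", None)}
    results = {}
    for name, (caller, owner) in cases.items():
        context = {"aws:username": caller}
        if owner is not None:
            context["aws:ResourceTag/owner"] = owner
        results[name] = evaluate(policies, "codepipeline:GetPipeline", PIPELINE_ARN, context)
    return results


if __name__ == "__main__":
    for effect in ("Allow", "Deny"):
        print(f'Effect "{effect}":', creator_only_outcomes(effect))
```

With "Allow", every case comes back allowed: the non-creator is let in by the restriction policy itself, even without the baseline grant. With "Deny", the creator keeps access through the baseline, the non-creator gets an explicit deny, and an untagged pipeline is denied to everyone, which is the fail-closed behaviour you want but also something to plan for when tagging is enforced. For a real policy, run the same cases through `aws iam simulate-custom-policy` with the non-creator's context before attaching it.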
If you're interested in keeping up on Coffee With A Splash Of Cyber each week, subscribe by entering your email address below.