AWS_IAM_003 false negative #77
Description
The plugin says users can elevate rights, because it assumes that the permission iam:CreateAccessKey is enough to elevate rights.
However, this permission only allows for privilege escalation if its scope is not restricted to the users' access keys. For example, the following IAM policy does not allow for privilege escalation :
{
"Statement": [
{
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
],
"Version": "2012-10-17"
}Should we improve this check to be more precise ?