
v0.47.2

cloudpossebot released this 24 Oct 20:12
87808f7

🚀 Enhancements

Fixed potential self-escalation from iam:PassRole @comrumino (#215)

What I did

  • Moved iam:PassRole from AllowOperations to a new statement named AllowPassRole and limited the resources/roles that can be passed to aws_iam_role.ec2 and aws_iam_role.service

Why I did it

  • The current default policy document is overly permissive and was reported by our security tooling as having the potential for privilege escalation. Without restricting which roles can be passed, a role with elevated privileges could be passed.
  • Splitting actions into smaller statements makes overriding resources or specific statements less unwieldy.
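The following is an added Terraform example written for this page; it is not the module's own code and is not taken from the PR. It shows the policy shape the note calls overly permissive next to the split form it describes, and then uses the separate `AllowPassRole` statement for the kind of override the second bullet refers to. Only the statement name `AllowPassRole` and the references `aws_iam_role.ec2` and `aws_iam_role.service` come from the release note; the role definitions, the assume-role principals, the placeholder `ec2:DescribeInstances` action standing in for the rest of `AllowOperations`, the `iam:PassedToService` values and all resource names are assumptions.

```hcl
# Added example, not the module's own code. The two roles, the placeholder
# action in AllowOperations and the service names are hypothetical.

resource "aws_iam_role" "ec2" {
  name = "example-ec2" # hypothetical
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role" "service" {
  name = "example-service" # hypothetical
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "elasticbeanstalk.amazonaws.com" } # hypothetical
    }]
  })
}

# BEFORE: iam:PassRole sits in AllowOperations with resources = ["*"], so any
# principal holding this policy can hand any role in the account, including an
# administrator role, to a service it is allowed to launch.
data "aws_iam_policy_document" "before" {
  statement {
    sid    = "AllowOperations"
    effect = "Allow"
    actions = [
      "ec2:DescribeInstances", # hypothetical stand-in for the other actions
      "iam:PassRole",
    ]
    resources = ["*"]
  }
}

# AFTER: iam:PassRole moves to its own statement whose resources are exactly
# the two roles the module creates, so no other role can be passed.
data "aws_iam_policy_document" "after" {
  statement {
    sid       = "AllowOperations"
    effect    = "Allow"
    actions   = ["ec2:DescribeInstances"]
    resources = ["*"]
  }

  statement {
    sid     = "AllowPassRole"
    effect  = "Allow"
    actions = ["iam:PassRole"]
    resources = [
      aws_iam_role.ec2.arn,
      aws_iam_role.service.arn,
    ]

    # Extra hardening beyond the release: pin which services the roles may be
    # passed to. The service list is an assumption for this example.
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com", "elasticbeanstalk.amazonaws.com"]
    }
  }
}

# Because AllowPassRole has its own sid, a consumer can replace just that
# statement: override_policy_documents swaps out source statements that carry
# the same sid. The override replaces the whole statement, so the condition
# has to be restated here or it is silently dropped.
data "aws_iam_policy_document" "narrowed" {
  source_policy_documents = [data.aws_iam_policy_document.after.json]

  override_policy_documents = [
    jsonencode({
      Version = "2012-10-17"
      Statement = [{
        Sid      = "AllowPassRole"
        Effect   = "Allow"
        Action   = "iam:PassRole"
        Resource = aws_iam_role.ec2.arn
        Condition = {
          StringEquals = { "iam:PassedToService" = "ec2.amazonaws.com" }
        }
      }]
    })
  ]
}

resource "aws_iam_policy" "example" {
  name   = "example-scoped-passrole" # hypothetical
  policy = data.aws_iam_policy_document.narrowed.json
}
```

After `terraform plan`, the rendered JSON for `data.aws_iam_policy_document.narrowed` should contain a single `AllowPassRole` statement whose `Resource` is only the `ec2` role ARN; `AllowOperations` is unchanged because the override only matches on sid. Keeping `iam:PassRole` in a statement with no other actions is what makes this per-statement override possible without copying the rest of the policy.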