Risk Level: High
Cloud Entity: Amazon Elastic Container Service
CloudGuard Rule ID: D9.AWS.IAM.110
Covered by Spectral: No
Category: Compute

GSL LOGIC

EcsService where not role.path regexMatch /service-role/ should not have role.combinedPolicies contain [ relationType!='AssumeRole' and policyDocument.Statement contain [Effect='Allow' and (Resource contain [$ regexMatch /^(?!arn).*\*$/] or Resource regexMatch /^(?!arn).*\*$/) ]]]

REMEDIATION

Note: The provided rule covers managed IAM Roles only, AWS service roles are excluded.

From Portal

Go to 'IAM'
In the menu, under 'Access management', choose 'Roles'
Select the overly permissive IAM Role
Select the relevant policy
Redefine its permissions based on the principle of least privilege

From TF
To update an IAM policy, edit the 'Action' argument:

resource "aws_iam_policy" "example_iam_policy" {
	..
	policy = jsonencode({
		..
		Statement = [
		{
			..
			Resource = RESOURCES-LIST
			..
		},
		]
	})
}

From Command Line
To update a managed policy, use:

aws iam create-policy-version --policy-arn POLICY-ARN --policy-document POLICY-DOCUMENT --set-as-default

References

Amazon Elastic Container Service

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, high-performance container orchestration service that supports Docker containers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST v11.0.0
AWS PCI-DSS 4.0
AWS Security Risk Management
CloudGuard AWS All Rules Ruleset