AWS policy suggests denial but allows actions
Description
AlphaSOC detected an AWS policy that suggests denial but allows actions. The policy includes a statement with `"Effect": "Allow"` but contains denial-related keywords in the AWS Statement ID (SID), such as deny, denied, block, restrict, and prevent. This creates a false sense of security, as the SID does not enforce restrictions; only an explicit `"Effect": "Deny"` in the policy ensures proper access control.
Impact
This misconfiguration can grant excessive permissions, potentially leading to unauthorized access to sensitive data or resources. Threat actors may exploit this policy to read or modify data, manipulate resources, or escalate privileges within the AWS environment. This vulnerability could result in data breaches, resource misuse, or provide a foothold for further attacks.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS policy suggests denial but allows actions |
Investigation and Remediation
Review the identified AWS policy to ensure its permissions align with the intended access controls. If it grants excessive permissions, update the configuration by explicitly setting `"Effect": "Deny"` where necessary. After making changes, test the policy to ensure the restrictions are properly enforced. To prevent future misconfigurations, regularly audit and review AWS policies.
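As an added example (not AlphaSOC's detection code), the audit below scans a parsed IAM policy document for the condition described above and shows the remediated form: an `Allow` statement whose SID contains a denial keyword is flagged, and the same statement with an explicit `"Effect": "Deny"` is not. The policy documents, bucket name and SIDs are constructed for illustration.

```python
import json
import re

# Denial-related keywords named in the finding; matched case-insensitively
# as substrings of the Sid. Assumption: substring matching is good enough
# for an audit, since the Sid is only a label and never enforces anything.
DENIAL_KEYWORDS = ("deny", "denied", "block", "restrict", "prevent")
DENIAL_RE = re.compile("|".join(DENIAL_KEYWORDS), re.IGNORECASE)


def find_misleading_statements(policy):
    """Return the Sids of Allow statements whose Sid suggests denial.

    `policy` is a parsed IAM policy document (dict). IAM permits "Statement"
    to be a single object or a list, so both forms are handled.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        sid = stmt.get("Sid", "")  # Sid is optional in IAM
        # Only an explicit "Deny" restricts access; a Sid never does.
        if stmt.get("Effect") == "Allow" and DENIAL_RE.search(sid):
            findings.append(sid)
    return findings


# Constructed sample: the Sid reads like a restriction, but the Effect allows.
MISLEADING_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyS3Delete", "Effect": "Allow",
   "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "AllowS3Read", "Effect": "Allow",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
]}
""")

# Remediated form: Effect set explicitly to Deny, matching the Sid's intent.
REMEDIATED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyS3Delete", "Effect": "Deny",
   "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "AllowS3Read", "Effect": "Allow",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
]}
""")

if __name__ == "__main__":
    print(find_misleading_statements(MISLEADING_POLICY))  # ['DenyS3Delete']
    print(find_misleading_statements(REMEDIATED_POLICY))  # []
```

Run the same function over every customer-managed and inline policy returned by `iam:GetPolicyVersion` / `iam:GetUserPolicy` to turn this into the periodic audit the remediation section recommends.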