
bug(terraform): iam_policy_allows_for_data_exfiltration is too restrictive #7960

@david-mnz

Description


iam_policy_allows_for_data_exfiltration is too restrictive. The is_illegal() function only evaluates the Action, not the Resource. So any IAM statement containing secretsmanager:GetSecretValue will trigger a violation, regardless of whether you specify:
• a specific secret ARN
• a wildcard resource
• condition keys

Actual Behavior

This should comply, but it doesn't:

data "aws_iam_policy_document" "compliant" {
  statement {
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret"
    ]
    resources = [
      "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-secret-abc123",
      "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-db-password-xyz789"
    ]
  }
}
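The distinction the report draws (a sensitive action on a named secret versus the same action on a wildcard resource) is easy to show with a small resource-aware check. The block below is an added example written for this page; it is not the KICS query and does not reproduce its is_illegal() logic. It evaluates the JSON form of an IAM policy document (the shape aws_iam_policy_document renders to), and the two sample policies, the sensitive-action list and the "unscoped resource" rule are all assumptions constructed for illustration: the page itself names only secretsmanager:GetSecretValue.

```python
import fnmatch
import json

# Constructed sample: JSON rendering of the HCL "compliant" policy from the report.
COMPLIANT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    "Resource": [
      "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app-secret-abc123",
      "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-db-password-xyz789"
    ]
  }]
}
""")

# Constructed sample: same action family, but granted on every secret in the account.
OVERLY_BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}
  ]
}
""")

# Assumed list of actions treated as "data exfiltration" for this example;
# the report only mentions secretsmanager:GetSecretValue.
SENSITIVE_ACTIONS = {"secretsmanager:GetSecretValue"}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(action_pattern, sensitive_action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards,
    so 'secretsmanager:*' and '*' both cover secretsmanager:GetSecretValue."""
    return fnmatch.fnmatchcase(sensitive_action.lower(), action_pattern.lower())


def resource_is_unscoped(resource):
    """Assumed rule: a resource is unscoped if it is a bare '*' or contains any
    wildcard. This is deliberately conservative; 'secret:my-app-*' is flagged too."""
    return resource == "*" or "*" in resource


def find_exfiltration_risks(policy):
    """Return one finding per Allow statement that grants a sensitive action on an
    unscoped resource. Statements that name specific ARNs produce no finding,
    which is the behaviour the report asks for."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        hit_actions = [
            a for a in actions
            if any(action_matches(a, s) for s in SENSITIVE_ACTIONS)
        ]
        if not hit_actions:
            continue
        broad_resources = [
            r for r in _as_list(statement.get("Resource")) if resource_is_unscoped(r)
        ]
        if not broad_resources:
            continue
        findings.append({
            "statement": index,
            "actions": hit_actions,
            "resources": broad_resources,
            # A Condition block narrows the grant; surface it so a reviewer can
            # decide whether it is sufficient rather than silently suppressing.
            "has_condition": "Condition" in statement,
        })
    return findings


if __name__ == "__main__":
    print("compliant:", find_exfiltration_risks(COMPLIANT_POLICY))
    print("overly broad:", find_exfiltration_risks(OVERLY_BROAD_POLICY))
```

Run as-is, the scoped policy yields no finding and the wildcard policy yields exactly one, for the statement that grants secretsmanager:* on "*"; the s3:ListBucket statement is ignored because it matches no sensitive action.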

Metadata



Labels: aws (PR related with AWS Cloud), bug (Something isn't working), community (Community contribution), terraform (Terraform query)
