# Provider requirements: the AWS provider is pinned to the 5.x series
# ("~> 5.0" accepts any 5.y release and nothing from 6.0 onward).
terraform {
  required_providers {
    aws = {
      version = "~> 5.0"
      source  = "hashicorp/aws"
    }
  }
}
# AWS provider configuration. Every resource created through it inherits
# the two default tags below.
# NOTE(review): `var.aws_region` is not declared in this listing — confirm
# the `variable "aws_region"` block exists in the module.
provider "aws" {
  default_tags {
    tags = {
      Environment = "demo-blog-post"
      Owner       = "Andoni"
    }
  }
  region = var.aws_region
}
# Read-only S3 access.
# Trust policy: only the EC2 service principal may assume this role
# (i.e. an instance profile). No cross-account or wildcard principal.
# Attribute order inside jsonencode() is irrelevant: keys are emitted sorted.
resource "aws_iam_role" "regular_s3_reader" {
  assume_role_policy = jsonencode({
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
    Version = "2012-10-17"
  })
  name = "prowler-blog-regular-s3-reader"
}
# Inline permissions for the S3 reader: read objects and list buckets.
# NOTE(review): Resource = "*" covers every bucket in the account, not a
# single bucket. The least-privilege form names the bucket ARN for
# s3:ListBucket and "<bucket-arn>/*" for s3:GetObject. The role is labelled
# "regular", so presumably this breadth is accepted for the demo — confirm.
resource "aws_iam_role_policy" "s3_reader_policy" {
  role   = aws_iam_role.regular_s3_reader.id
  name   = "s3-read-only-policy"
  policy = jsonencode({
    Statement = [{
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Effect   = "Allow"
      Resource = "*"
    }]
    Version = "2012-10-17"
  })
}
# CloudWatch Logs writer.
# Trust policy: only the Lambda service principal may assume this role
# (a Lambda execution role). No cross-account or wildcard principal.
resource "aws_iam_role" "regular_logs_writer" {
  assume_role_policy = jsonencode({
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
    Version = "2012-10-17"
  })
  name = "prowler-blog-regular-logs-writer"
}
# Inline permissions for the logs writer: create log groups/streams and
# put events — the usual Lambda logging trio.
# NOTE(review): "arn:aws:logs:*:*:*" leaves region, account and log-group
# unconstrained; filling in the account id and the function's log-group
# ARN narrows it. Kept as written for the demo.
resource "aws_iam_role_policy" "logs_writer_policy" {
  role   = aws_iam_role.regular_logs_writer.id
  name   = "cloudwatch-logs-writer-policy"
  policy = jsonencode({
    Statement = [{
      Action = [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
      ]
      Effect   = "Allow"
      Resource = "arn:aws:logs:*:*:*"
    }]
    Version = "2012-10-17"
  })
}
# Ops role with access to RDS, S3 and EC2
# TODO: Assign more granular permissions to the role
#
# NOTE(review): the trust policy has two statements. The first is the
# normal EC2 service trust. The second, Principal AWS = "*", lets any IAM
# principal in any AWS account call sts:AssumeRole on this role, so the
# role is assumable from outside the account. As the name says, this is the
# demo's vulnerable role; a real trust policy names a specific account or
# role ARN (and uses an ExternalId condition for cross-account access).
resource "aws_iam_role" "vulnerable_admin" {
  name = "prowler-blog-vulnerable-admin-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "ec2.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
      {
        Effect    = "Allow"
        Principal = { AWS = "*" }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}
# Attach AWS managed AdministratorAccess
# NOTE(review): AdministratorAccess is Allow on Action "*" / Resource "*".
# On a role whose trust policy accepts any AWS principal, that is full
# control of the account for whoever assumes it — the finding this demo
# role exists to surface.
resource "aws_iam_role_policy_attachment" "vulnerable_admin_policy" {
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  role       = aws_iam_role.vulnerable_admin.name
}
# Additional inline policy with wildcards
# NOTE(review): Allow Action "*" on Resource "*" is the same grant the
# AdministratorAccess attachment already makes, so it adds no access the
# role does not already have; presumably it is here so the inline
# wildcard-policy check fires separately from the managed-policy check.
resource "aws_iam_role_policy" "vulnerable_wildcard_policy" {
  role   = aws_iam_role.vulnerable_admin.id
  name   = "dangerous-wildcard-policy"
  policy = jsonencode({
    Statement = [{
      Action   = "*"
      Effect   = "Allow"
      Resource = "*"
    }]
    Version = "2012-10-17"
  })
}