Exposure of Sensitive Information to an Unauthorized Actor
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The IAM policy grants broad data-read permissions (such as reading from S3, Secrets Manager, or RDS) on all resources (’*’) instead of restricting access to specific resources. As a result, users the policy applies to may access sensitive data they shouldn’t be allowed to view.
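One way to check a policy document for the pattern described above, as an added example that is not part of the original rule: it reports every Allow statement that pairs a data-read action with Resource "*". The `SENSITIVE_ACTIONS` list, the function names and both sample policies are constructed for illustration, and `NotAction`/`NotResource` statements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Illustrative data-read actions (assumption; extend for your own services).
SENSITIVE_ACTIONS = ("s3:GetObject", "secretsmanager:GetSecretValue",
                     "rds:CopyDBSnapshot")

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_broad_read_statements(policy_json):
    """Return (statement index, matched actions) for every Allow statement
    that grants a sensitive read action on Resource "*"."""
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement"))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource")):
            continue
        # Action names are case-insensitive and may contain wildcards.
        patterns = [a.lower() for a in as_list(stmt.get("Action"))]
        matched = sorted(s for s in SENSITIVE_ACTIONS
                         if any(fnmatchcase(s.lower(), p) for p in patterns))
        if matched:
            findings.append((index, matched))
    return findings

# Constructed sample policies (not from a real account).
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "secretsmanager:GetSecretValue"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-reports-bucket/*"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-app/*"},
]})

if __name__ == "__main__":
    print("broad :", find_broad_read_statements(BROAD_POLICY))
    print("scoped:", find_broad_read_statements(SCOPED_POLICY))
```

The scoped policy grants the same read actions but names the bucket and secret prefix, so it produces no findings.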
Impact
If exploited, attackers or unauthorized users could read or copy confidential data from any S3 bucket, secret, or database in your AWS account, leading to data breaches, regulatory violations, or exposure of intellectual property.