Improper Access Control
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Sensitive Data Exposure |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description#
The IAM policy for GitHub OpenID Connect (OIDC) integration is missing a ‘condition’ block that restricts access to specific GitHub repositories. Without this, any GitHub user can potentially assume the associated AWS role.
Impact#
If exploited, attackers could use their own GitHub repositories to obtain AWS credentials via OIDC, leading to unauthorized access to sensitive AWS resources. This can result in data breaches, resource manipulation, or compromise of your AWS environment.