Platform: Terraform
Provider: AWS
Description:
AWS IAM permission boundaries are a critical enterprise security
control that limit the maximum permissions an IAM role can have,
even if broader policies are attached. Without a permission boundary,
IAM roles can potentially be exploited to escalate privileges beyond
intended scope.
Currently KICS does not check whether aws_iam_role resources have
a permissions_boundary attribute set. This is a common misconfiguration
in enterprise AWS environments where IAM governance policies require
all roles to have permission boundaries defined.
Positive Case (should trigger):
resource "aws_iam_role" "example" {
  name = "example_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
  })
}
Negative Case (should not trigger):
resource "aws_iam_role" "example" {
  name = "example_role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
  })
  permissions_boundary = "arn:aws:iam::123456789012:policy/BoundaryPolicy"
}
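To show what the requested check could look like, here is an illustrative query in the Rego form KICS uses; it is added for this write-up and is not KICS code or part of the issue above. It assumes KICS's generic helper libraries (data.generic.common and data.generic.terraform) expose valid_key, build_search_line and get_resource_name with the signatures used here, and that the positive case above yields one finding while the negative case yields none.

```rego
# Illustrative KICS-style query (not from the KICS project): flags
# aws_iam_role resources that carry no permissions_boundary, so nothing caps
# the permissions the role can accumulate through attached policies.
package Cx

import data.generic.common as common_lib
import data.generic.terraform as tf_lib

# Case 1: the attribute is missing entirely (the "Positive Case" above).
CxPolicy[result] {
	document := input.document[i]
	resource := document.resource.aws_iam_role[name]

	# Assumed helper: true only when the key exists on the resource.
	not common_lib.valid_key(resource, "permissions_boundary")

	result := {
		"documentId": document.id,
		"resourceType": "aws_iam_role",
		"resourceName": tf_lib.get_resource_name(resource, name),
		"searchKey": sprintf("aws_iam_role[%s]", [name]),
		"issueType": "MissingAttribute",
		"keyExpectedValue": sprintf("'aws_iam_role[%s].permissions_boundary' should be set to a boundary policy ARN", [name]),
		"keyActualValue": sprintf("'aws_iam_role[%s].permissions_boundary' is undefined", [name]),
		"searchLine": common_lib.build_search_line(["resource", "aws_iam_role", name], []),
	}
}

# Case 2 (goes beyond the issue text): the attribute is present but blank,
# which the AWS provider treats the same as unset, so the role is still unbounded.
CxPolicy[result] {
	document := input.document[i]
	resource := document.resource.aws_iam_role[name]

	common_lib.valid_key(resource, "permissions_boundary")
	trim_space(resource.permissions_boundary) == ""

	result := {
		"documentId": document.id,
		"resourceType": "aws_iam_role",
		"resourceName": tf_lib.get_resource_name(resource, name),
		"searchKey": sprintf("aws_iam_role[%s].permissions_boundary", [name]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": sprintf("'aws_iam_role[%s].permissions_boundary' should be a non-empty boundary policy ARN", [name]),
		"keyActualValue": sprintf("'aws_iam_role[%s].permissions_boundary' is empty", [name]),
		"searchLine": common_lib.build_search_line(["resource", "aws_iam_role", name, "permissions_boundary"], []),
	}
}
```

Run against the two cases above, the first rule matches the positive sample and neither rule matches the negative one, which is the behaviour a KICS test pair (positive.tf / negative.tf) for this query would assert.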
References: