
Commit 600c046

fix(query): fix FP results on "IAM policy allows for data exfiltration" CloudFormation and Terraform queries (#8030)
* Added the missing check and associated tests to the CloudFormation and Terraform iam_policy data exfiltration queries --------- Co-authored-by: Artur Ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>
1 parent b7d18d7 commit 600c046

8 files changed

Lines changed: 90 additions & 5 deletions


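--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego
@@ -3,20 +3,21 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
 
-ilegal_actions := ["s3:GetObject", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "secretsmanager:GetSecretValue","*","s3:*"]
+ilegal_actions := ["s3:GetObject", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "secretsmanager:GetSecretValue","*","s3:*"]
 
 CxPolicy[result] {
 types := ["AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::User"]
 
 resource := input.document[i].Resources[name]
 resource.Type == types[_]
-
+
 policy := resource.Properties.Policies[i2].PolicyDocument
 st := common_lib.get_statement(common_lib.get_policy(policy))
 statement := st[st_index]
 
 common_lib.is_allow_effect(statement)
 ilegal_action := is_ilegal(statement.Action)
+common_lib.equalsOrInArray(statement.Resource, "*")
 
 result := {
 "documentId": input.document[i].id,
@@ -41,6 +42,7 @@ CxPolicy[result] {
 
 common_lib.is_allow_effect(statement)
 ilegal_action := is_ilegal(statement.Action)
+common_lib.equalsOrInArray(statement.Resource, "*")
 
 result := {
 "documentId": input.document[i].id,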
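Review bot: The added `common_lib.equalsOrInArray(statement.Resource, "*")` line (new line 20 and new line 45) matches only the bare `*` resource, so a statement that grants the same actions on a partial wildcard ARN (a resource string ending in `*`) is no longer reported, and a statement written with `NotResource` instead of `Resource` has no `statement.Resource` at all, so both rules are now silently undefined for it where they used to fire. Those are false-negative trade-offs that the commit description does not state; at minimum a comment on each added line such as `# only a literal "*" resource is treated as exfiltration-prone; partial wildcards and NotResource statements are not covered` would make the narrowing explicit to the next maintainer. The Terraform query.rego in this commit adds the same check on `statement.Resource` and `statement.resources` and inherits the same gap, so the comment (or a wider match) belongs there too. Both CxPolicy rules continue outside the hunks.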
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
{
2+
"Resources": {
3+
"CFNUser": {
4+
"Type": "AWS::IAM::User",
5+
"Properties": {
6+
"LoginProfile": {
7+
"Password": "Password",
8+
"PasswordResetRequired": false
9+
},
10+
"Policies": [
11+
{
12+
"PolicyName": "root",
13+
"PolicyDocument": {
14+
"Version": "2012-10-17",
15+
"Statement": [
16+
{
17+
"Effect": "Allow",
18+
"Action": [
19+
"*"
20+
],
21+
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
22+
}
23+
]
24+
}
25+
}
26+
]
27+
}
28+
}
29+
}
30+
}
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
Resources:
2+
CFNUser:
3+
Type: AWS::IAM::User
4+
Properties:
5+
LoginProfile:
6+
Password: 'Password'
7+
PasswordResetRequired: false
8+
Policies:
9+
- PolicyName: root
10+
PolicyDocument:
11+
Version: "2012-10-17"
12+
Statement:
13+
- Effect: Allow
14+
Action:
15+
- '*'
16+
Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/Users'

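--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive12.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive12.json
@@ -11,7 +11,7 @@
 {
 "Effect": "Allow",
 "Action": "secretsmanager:GetSecretValue",
-"Resource": "*"
+"Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Users", "*"]
 }
 ]
 }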

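--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive5.yaml
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive5.yaml
@@ -7,7 +7,9 @@ Resources:
 Statement:
 - Effect: Allow
 Action: "s3:*"
-Resource: "*"
+Resource:
+- "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+- "*"
 Users:
 - TestUser
 Description: "Policy for creating a test database"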

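--- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego
+++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego
@@ -14,6 +14,7 @@ CxPolicy[result] { # resources
 statement := st[st_index]
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.Action)
+common_lib.equalsOrInArray(statement.Resource, "*")
 
 result := {
 "documentId": input.document[i].id,
@@ -37,6 +38,7 @@ CxPolicy[result] { # modules
 statement := st[st_index]
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.Action)
+common_lib.equalsOrInArray(statement.Resource, "*")
 
 result := {
 "documentId": input.document[i].id,
@@ -74,6 +76,7 @@ prepare_issue_data_source(statement, name, index, is_unique_element) = res {
 not is_unique_element
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.actions)
+common_lib.equalsOrInArray(statement.resources, "*")
 
 res := {
 "sk": sprintf("aws_iam_policy_document[%s].statement[%d].actions", [name, index]),
@@ -86,6 +89,7 @@ prepare_issue_data_source(statement, name, index, is_unique_element) = res {
 is_unique_element
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.actions)
+common_lib.equalsOrInArray(statement.resources, "*")
 
 res := {
 "sk": sprintf("aws_iam_policy_document[%s].statement.actions", [name]),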
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
resource "aws_iam_policy" "positive1" {
2+
name = "positive1_${var.environment}"
3+
description = "Kai Monkey SSM Secrets Policy"
4+
5+
policy = <<EOF
6+
{
7+
"Version": "2012-10-17",
8+
"Statement": [
9+
{
10+
"Sid": "KaiMonkeySSMSecretsPolicyGet",
11+
"Effect": "Allow",
12+
"Action": "secretsmanager:GetSecretValue",
13+
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
14+
},
15+
{
16+
"Sid": "KaiMonkeySSMSecretsPolicyGetDecrypt",
17+
"Effect": "Allow",
18+
"Action": [
19+
"kms:Decrypt",
20+
"ssm:GetParameters",
21+
"ssm:GetParameter",
22+
"s3:GetObject",
23+
"ssm:GetParametersByPath",
24+
"secretsmanager:GetSecretValue"
25+
],
26+
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
27+
}
28+
]
29+
}
30+
EOF
31+
}

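--- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive7.tf
+++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive7.tf
@@ -14,7 +14,7 @@ module "iam_policy" {
 "secretsmanager:GetSecretValue"
 ],
 "Effect": "Allow",
-"Resource": "*"
+"Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Users", "*"]
 }
 ]
 }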
