From b5c4a3d051c9fbf0532bf0aedcddfafd3b363f1e Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 8 Apr 2026 16:09:41 +0100
Subject: [PATCH 1/2] Added missing check/associated tests to cloudFormation and Terraform iam_policy data exfiltration queries
---
 .../query.rego | 6 ++--
 .../test/negative10.json | 34 +++++++++++--------
 .../test/negative11.json | 21 ++++++++++++
 .../test/{negative6.json => negative12.json} | 4 +--
 .../test/negative6.yaml | 16 +++++++++
 .../test/negative7.json | 9 +++--
 .../test/negative8.json | 32 +++++++++--------
 .../test/negative9.json | 32 ++++++++---------
 .../test/positive12.json | 2 +-
 .../test/positive5.yaml | 4 ++-
 .../query.rego | 4 +++
 .../test/negative13.tf | 31 +++++++++++++++++
 .../test/positive7.tf | 2 +-
 13 files changed, 141 insertions(+), 56 deletions(-)
 create mode 100644 assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative11.json
 rename assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/{negative6.json => negative12.json} (83%)
 create mode 100644 assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.yaml
 create mode 100644 assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/negative13.tf
diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego
index ee51226065e..6151f5ba665 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego
@@ -3,20 +3,21 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
-ilegal_actions := ["s3:GetObject", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "secretsmanager:GetSecretValue","*","s3:*"]
+ilegal_actions := ["s3:GetObject", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "secretsmanager:GetSecretValue","*","s3:*"]
 CxPolicy[result] {
 types := ["AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::User"]
 resource := input.document[i].Resources[name]
 resource.Type == types[_]
-
+
 policy := resource.Properties.Policies[i2].PolicyDocument
 st := common_lib.get_statement(common_lib.get_policy(policy))
 statement := st[st_index]
 common_lib.is_allow_effect(statement)
 ilegal_action := is_ilegal(statement.Action)
+ common_lib.equalsOrInArray(statement.Resource, "*")
 result := {
 "documentId": input.document[i].id,
@@ -41,6 +42,7 @@ CxPolicy[result] {
 common_lib.is_allow_effect(statement)
 ilegal_action := is_ilegal(statement.Action)
+ common_lib.equalsOrInArray(statement.Resource, "*")
 result := {
 "documentId": input.document[i].id,
diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative10.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative10.json
index 13c7c23e17f..08e3987282e 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative10.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative10.json
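Review bot: The new `common_lib.equalsOrInArray(statement.Resource, "*")` line in both CxPolicy bodies of this hunk makes the rule undefined for every statement whose resource is not the literal `*`, and the same gate is added to the Terraform query at `@@ -14,6`, `@@ -37,6`, `@@ -74,6` and `@@ -86,6` (there on `statement.resources` for the data source). If `equalsOrInArray` is the literal comparison its name suggests, an allow of `s3:GetObject` or `secretsmanager:GetSecretValue` on a wildcard-terminated ARN such as `arn:aws:s3:::*`, or a statement written with `NotResource` instead of `Resource` (the reference is then undefined and the body silently fails), is no longer reported, and none of the added fixtures exercises either shape, so the test suite cannot show the regression. The narrowing also deserves a why-comment above the new line, e.g. `# Only statements whose Resource can reach everything ("*") are reported; an action scoped to one ARN is accepted (see the fixtures with Action "*" on a single DynamoDB table ARN)`. A small helper that accepts the bare wildcard as well as a wildcard-terminated ARN keeps the intended narrowing without dropping the broad-ARN case; the Terraform data-source bodies would call it with `statement.resources`:
```rego
	ilegal_action := is_ilegal(statement.Action)
	broad_resource(statement.Resource)
	# … unchanged: result construction …

# broad_resource holds when the Resource value (scalar or array) is the bare
# wildcard or an ARN whose resource part is a wildcard, e.g. arn:aws:s3:::*.
broad_resource(res) {
	common_lib.equalsOrInArray(res, "*")
}

broad_resource(res) {
	is_string(res)
	endswith(res, ":*")
}

broad_resource(res) {
	is_array(res)
	endswith(res[_], ":*")
}
```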
@@ -1,20 +1,26 @@ { + "AWSTemplateFormatVersion": "2010-09-09", "Resources": { - "CreateTestDBPolicy": { - "Type": "AWS::IAM::ManagedPolicy", + "RootRole": { + "Type": "AWS::IAM::Role", "Properties": { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "safe_action", - "Resource": "*" - } - ] - }, - "Users": ["TestUser"], - "Description": "Policy for creating a test database" + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "safe_action" + ], + "Resource": "*" + } + ] + } + } + ] } } } diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative11.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative11.json new file mode 100644 index 00000000000..13c7c23e17f --- /dev/null +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative11.json @@ -0,0 +1,21 @@ +{ + "Resources": { + "CreateTestDBPolicy": { + "Type": "AWS::IAM::ManagedPolicy", + "Properties": { + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "safe_action", + "Resource": "*" + } + ] + }, + "Users": ["TestUser"], + "Description": "Policy for creating a test database" + } + } + } +} diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative12.json similarity index 83% rename from assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.json rename to assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative12.json index 4c1933eee67..97f26692765 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.json 
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative12.json @@ -16,9 +16,9 @@ { "Effect": "Allow", "Action": [ - "safe_action" + "*" ], - "Resource": "*" + "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users" } ] } diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.yaml b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.yaml new file mode 100644 index 00000000000..cc96d96f08c --- /dev/null +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.yaml @@ -0,0 +1,16 @@ +Resources: + CFNUser: + Type: AWS::IAM::User + Properties: + LoginProfile: + Password: 'Password' + PasswordResetRequired: false + Policies: + - PolicyName: root + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - '*' + Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/Users' diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative7.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative7.json index 0546258f695..4c1933eee67 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative7.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative7.json @@ -1,9 +1,12 @@ { - "AWSTemplateFormatVersion": "2010-09-09", "Resources": { - "RootGroup": { - "Type": "AWS::IAM::Group", + "CFNUser": { + "Type": "AWS::IAM::User", "Properties": { + "LoginProfile": { + "Password": "Password", + "PasswordResetRequired": false + }, "Policies": [ { "PolicyName": "root", diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative8.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative8.json index 13fc4fad693..0546258f695 100644 
--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative8.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative8.json @@ -1,22 +1,26 @@ { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { - "MyPolicy": { - "Type": "AWS::IAM::Policy", + "RootGroup": { + "Type": "AWS::IAM::Group", "Properties": { - "PolicyName": "CFNUsers", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "safe_action" - ], - "Resource": "*" + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "safe_action" + ], + "Resource": "*" + } + ] } - ] - } + } + ] } } } diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative9.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative9.json index 08e3987282e..13fc4fad693 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative9.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative9.json @@ -1,26 +1,22 @@ { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { - "RootRole": { - "Type": "AWS::IAM::Role", + "MyPolicy": { + "Type": "AWS::IAM::Policy", "Properties": { - "Policies": [ - { - "PolicyName": "root", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "safe_action" - ], - "Resource": "*" - } - ] + "PolicyName": "CFNUsers", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "safe_action" + ], + "Resource": "*" } - } - ] + ] + } } } } 
diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive12.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive12.json
index 867b538b36a..fd6bd04e328 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive12.json
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive12.json
@@ -11,7 +11,7 @@
 {
 "Effect": "Allow",
 "Action": "secretsmanager:GetSecretValue",
- "Resource": "*"
+ "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Users", "*"]
 }
 ]
 }
diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive5.yaml b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive5.yaml
index 3fa4b4a66ef..e150b377c5d 100644
--- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive5.yaml
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive5.yaml
@@ -7,7 +7,9 @@ Resources:
 Statement:
 - Effect: Allow
 Action: "s3:*"
- Resource: "*"
+ Resource:
+ - "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+ - "*"
 Users:
 - TestUser
 Description: "Policy for creating a test database"
diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego
index c89da5d0a12..02330a64d7b 100644
--- a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego
+++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego
@@ -14,6 +14,7 @@ CxPolicy[result] { # resources
 statement := st[st_index]
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.Action)
+ common_lib.equalsOrInArray(statement.Resource, "*")
 result := {
 "documentId": input.document[i].id,
@@ -37,6 +38,7 @@ CxPolicy[result] { # modules
 statement := st[st_index]
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.Action)
+ common_lib.equalsOrInArray(statement.Resource, "*")
 result := {
 "documentId": input.document[i].id,
@@ -74,6 +76,7 @@ prepare_issue_data_source(statement, name, index, is_unique_element) = res {
 not is_unique_element
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.actions)
+ common_lib.equalsOrInArray(statement.resources, "*")
 res := {
 "sk": sprintf("aws_iam_policy_document[%s].statement[%d].actions", [name, index]),
@@ -86,6 +89,7 @@ prepare_issue_data_source(statement, name, index, is_unique_element) = res {
 is_unique_element
 common_lib.is_allow_effect(statement)
 illegal_action := is_illegal(statement.actions)
+ common_lib.equalsOrInArray(statement.resources, "*")
 res := {
 "sk": sprintf("aws_iam_policy_document[%s].statement.actions", [name]),
diff --git a/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/negative13.tf b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/negative13.tf
new file mode 100644
index 00000000000..ac34b923165
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/negative13.tf
@@ -0,0 +1,31 @@ +resource "aws_iam_policy" "positive1" { + name = "positive1_${var.environment}" + description = "Kai Monkey SSM Secrets Policy" + + policy = < Date: Wed, 8 Apr 2026 17:04:52 +0100 Subject: [PATCH 2/2] Trying to make file changes clearer on gitdiff --- .../test/negative10.json | 34 ++++++++---------- .../test/negative11.json | 35 ++++++++++++------- .../test/{negative6.yaml => negative12.yaml} | 0 .../test/{negative12.json => negative6.json} | 4 +-- .../test/negative7.json | 9 ++--- .../test/negative8.json | 32 ++++++++--------- .../test/negative9.json | 32 +++++++++-------- 7 files changed, 73 insertions(+), 73 deletions(-) rename assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/{negative6.yaml => negative12.yaml} (100%) rename assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/{negative12.json => negative6.json} (83%) diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative10.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative10.json index 08e3987282e..13c7c23e17f 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative10.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative10.json @@ -1,26 +1,20 @@ { - "AWSTemplateFormatVersion": "2010-09-09", "Resources": { - "RootRole": { - "Type": "AWS::IAM::Role", + "CreateTestDBPolicy": { + "Type": "AWS::IAM::ManagedPolicy", "Properties": { - "Policies": [ - { - "PolicyName": "root", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "safe_action" - ], - "Resource": "*" - } - ] - } - } - ] + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "safe_action", + "Resource": "*" + } + ] + }, + "Users": ["TestUser"], + "Description": "Policy for creating a test database" } } } 
diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative11.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative11.json index 13c7c23e17f..97f26692765 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative11.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative11.json @@ -1,20 +1,29 @@ { "Resources": { - "CreateTestDBPolicy": { - "Type": "AWS::IAM::ManagedPolicy", + "CFNUser": { + "Type": "AWS::IAM::User", "Properties": { - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "safe_action", - "Resource": "*" - } - ] + "LoginProfile": { + "Password": "Password", + "PasswordResetRequired": false }, - "Users": ["TestUser"], - "Description": "Policy for creating a test database" + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "*" + ], + "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users" + } + ] + } + } + ] } } } diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.yaml b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative12.yaml similarity index 100% rename from assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.yaml rename to assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative12.yaml 
diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative12.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.json similarity index 83% rename from assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative12.json rename to assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.json index 97f26692765..4c1933eee67 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative12.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative6.json @@ -16,9 +16,9 @@ { "Effect": "Allow", "Action": [ - "*" + "safe_action" ], - "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users" + "Resource": "*" } ] } diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative7.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative7.json index 4c1933eee67..0546258f695 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative7.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative7.json @@ -1,12 +1,9 @@ { + "AWSTemplateFormatVersion": "2010-09-09", "Resources": { - "CFNUser": { - "Type": "AWS::IAM::User", + "RootGroup": { + "Type": "AWS::IAM::Group", "Properties": { - "LoginProfile": { - "Password": "Password", - "PasswordResetRequired": false - }, "Policies": [ { "PolicyName": "root", diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative8.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative8.json index 0546258f695..13fc4fad693 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative8.json 
+++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative8.json @@ -1,26 +1,22 @@ { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { - "RootGroup": { - "Type": "AWS::IAM::Group", + "MyPolicy": { + "Type": "AWS::IAM::Policy", "Properties": { - "Policies": [ - { - "PolicyName": "root", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "safe_action" - ], - "Resource": "*" - } - ] + "PolicyName": "CFNUsers", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "safe_action" + ], + "Resource": "*" } - } - ] + ] + } } } } diff --git a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative9.json b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative9.json index 13fc4fad693..08e3987282e 100644 --- a/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative9.json +++ b/assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative9.json @@ -1,22 +1,26 @@ { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { - "MyPolicy": { - "Type": "AWS::IAM::Policy", + "RootRole": { + "Type": "AWS::IAM::Role", "Properties": { - "PolicyName": "CFNUsers", - "PolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "safe_action" - ], - "Resource": "*" + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "safe_action" + ], + "Resource": "*" + } + ] } - ] - } + } + ] } } }