assets/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/query.rego

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,20 +3,21 @@ package Cx @@
     import data.generic.common as common_lib
     import data.generic.cloudformation as cf_lib
-    ilegal_actions := ["s3:GetObject", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "secretsmanager:GetSecretValue","*","s3:*"]
+    ilegal_actions := ["s3:GetObject", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "secretsmanager:GetSecretValue","*","s3:*"]
     CxPolicy[result] {
     	types := ["AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::User"]
     	resource := input.document[i].Resources[name]
     	resource.Type == types[_]
     	policy := resource.Properties.Policies[i2].PolicyDocument
     	st := common_lib.get_statement(common_lib.get_policy(policy))
     	statement := st[st_index]
     	common_lib.is_allow_effect(statement)
     	ilegal_action := is_ilegal(statement.Action)
+    	common_lib.equalsOrInArray(statement.Resource, "*")
     	result := {
     		"documentId": input.document[i].id,
@@ Expand All / @@ -41,6 +42,7 @@ CxPolicy[result] { @@
     	common_lib.is_allow_effect(statement)
     	ilegal_action := is_ilegal(statement.Action)
+    	common_lib.equalsOrInArray(statement.Resource, "*")
     	result := {
     		"documentId": input.document[i].id,
@@ Expand Down @@

...s/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative11.json

-Original file line number
+Diff line change
@@ -0,0 +1,30 @@
+    {
+      "Resources": {
+        "CFNUser": {
+          "Type": "AWS::IAM::User",
+          "Properties": {
+            "LoginProfile": {
+              "Password": "Password",
+              "PasswordResetRequired": false
+            },
+            "Policies": [
+              {
+                "PolicyName": "root",
+                "PolicyDocument": {
+                  "Version": "2012-10-17",
+                  "Statement": [
+                    {
+                      "Effect": "Allow",
+                      "Action": [
+                        "*"
+                      ],
+                      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      }
+    }

...s/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/negative12.yaml

-Original file line number
+Diff line change
@@ -0,0 +1,16 @@
+    Resources:
+      CFNUser:
+        Type: AWS::IAM::User
+        Properties:
+          LoginProfile:
+             Password: 'Password'
+             PasswordResetRequired: false
+          Policies:
+            - PolicyName: root
+              PolicyDocument:
+                Version: "2012-10-17"
+                Statement:
+                  - Effect: Allow
+                    Action:
+                      - '*'
+                    Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/Users'

...s/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive12.json

-Original file line number
+Diff line change
@@ Expand Up / @@ -11,7 +11,7 @@ @@
                 {
                   "Effect": "Allow",
                   "Action": "secretsmanager:GetSecretValue",
-                  "Resource": "*"
+                  "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Users", "*"]
                 }
               ]
             }
@@ Expand Down @@

...ts/queries/cloudFormation/aws/iam_policy_allows_for_data_exfiltration/test/positive5.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -7,7 +7,9 @@ Resources: @@
             Statement:
               - Effect: Allow
                 Action: "s3:*"
-                Resource: "*"
+                Resource:
+                 - "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+                 - "*"
           Users:
             - TestUser
           Description: "Policy for creating a test database"

assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/query.rego

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,7 @@ CxPolicy[result] { # resources @@
     	statement := st[st_index]
     	common_lib.is_allow_effect(statement)
         illegal_action := is_illegal(statement.Action)
+    	common_lib.equalsOrInArray(statement.Resource, "*")
     	result := {
     		"documentId": input.document[i].id,
@@ Expand All / @@ -37,6 +38,7 @@ CxPolicy[result] { # modules @@
     	statement := st[st_index]
     	common_lib.is_allow_effect(statement)
     	illegal_action := is_illegal(statement.Action)
+    	common_lib.equalsOrInArray(statement.Resource, "*")
     	result := {
     		"documentId": input.document[i].id,
@@ Expand Down Expand Up @@
     	not is_unique_element
     	common_lib.is_allow_effect(statement)
         illegal_action := is_illegal(statement.actions)
+    	common_lib.equalsOrInArray(statement.resources, "*")
     	res := {
     		"sk": sprintf("aws_iam_policy_document[%s].statement[%d].actions", [name, index]),
@@ Expand All @@
     	is_unique_element
     	common_lib.is_allow_effect(statement)
     	illegal_action := is_illegal(statement.actions)
+    	common_lib.equalsOrInArray(statement.resources, "*")
     	res := {
     		"sk": sprintf("aws_iam_policy_document[%s].statement.actions", [name]),
@@ Expand Down @@

assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/negative13.tf

-Original file line number
+Diff line change
@@ -0,0 +1,31 @@
+    resource "aws_iam_policy" "positive1" {
+      name        = "positive1_${var.environment}"
+      description = "Kai Monkey SSM Secrets Policy"
+      policy = <<EOF
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "KaiMonkeySSMSecretsPolicyGet",
+                "Effect": "Allow",
+                "Action": "secretsmanager:GetSecretValue",
+                "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+            },
+            {
+                "Sid": "KaiMonkeySSMSecretsPolicyGetDecrypt",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:Decrypt",
+                    "ssm:GetParameters",
+                    "ssm:GetParameter",
+                    "s3:GetObject",
+                    "ssm:GetParametersByPath",
+                    "secretsmanager:GetSecretValue"
+                ],
+                "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+            }
+        ]
+    }
+    EOF
+    }

assets/queries/terraform/aws/iam_policy_allows_for_data_exfiltration/test/positive7.tf

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,7 +14,7 @@ module "iam_policy" { @@
                 "secretsmanager:GetSecretValue"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Users", "*"]
             }
           ]
         }
@@ Expand Down @@

fix(query): fix FP results on "IAM policy allows for data exfiltration" CloudFormation and Terraform queries #8030

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

cx-andre-pereira wants to merge 4 commits into Checkmarx:master from cx-andre-pereira:AST-145579_FP_on_IAM_Policy_Allows_For_Data_Exfiltration

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,20 +3,21 @@ package Cx @@
     import data.generic.common as common_lib
     import data.generic.cloudformation as cf_lib
-    ilegal_actions := ["s3:GetObject", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "secretsmanager:GetSecretValue","*","s3:*"]
+    ilegal_actions := ["s3:GetObject", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath", "secretsmanager:GetSecretValue","*","s3:*"]
     CxPolicy[result] {
     	types := ["AWS::IAM::Group", "AWS::IAM::Role", "AWS::IAM::User"]
     	resource := input.document[i].Resources[name]
     	resource.Type == types[_]
     	policy := resource.Properties.Policies[i2].PolicyDocument
     	st := common_lib.get_statement(common_lib.get_policy(policy))
     	statement := st[st_index]
     	common_lib.is_allow_effect(statement)
     	ilegal_action := is_ilegal(statement.Action)
+    	common_lib.equalsOrInArray(statement.Resource, "*")
     	result := {
     		"documentId": input.document[i].id,
@@ Expand All / @@ -41,6 +42,7 @@ CxPolicy[result] { @@
     	common_lib.is_allow_effect(statement)
     	ilegal_action := is_ilegal(statement.Action)
+    	common_lib.equalsOrInArray(statement.Resource, "*")
     	result := {
     		"documentId": input.document[i].id,
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -0,0 +1,30 @@
+    {
+      "Resources": {
+        "CFNUser": {
+          "Type": "AWS::IAM::User",
+          "Properties": {
+            "LoginProfile": {
+              "Password": "Password",
+              "PasswordResetRequired": false
+            },
+            "Policies": [
+              {
+                "PolicyName": "root",
+                "PolicyDocument": {
+                  "Version": "2012-10-17",
+                  "Statement": [
+                    {
+                      "Effect": "Allow",
+                      "Action": [
+                        "*"
+                      ],
+                      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+                    }
+                  ]
+                }
+              }
+            ]
+          }
+        }
+      }
+    }

-Original file line number
+Diff line change
@@ -0,0 +1,16 @@
+    Resources:
+      CFNUser:
+        Type: AWS::IAM::User
+        Properties:
+          LoginProfile:
+             Password: 'Password'
+             PasswordResetRequired: false
+          Policies:
+            - PolicyName: root
+              PolicyDocument:
+                Version: "2012-10-17"
+                Statement:
+                  - Effect: Allow
+                    Action:
+                      - '*'
+                    Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/Users'

-Original file line number
+Diff line change
@@ Expand Up / @@ -11,7 +11,7 @@ @@
                 {
                   "Effect": "Allow",
                   "Action": "secretsmanager:GetSecretValue",
-                  "Resource": "*"
+                  "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Users", "*"]
                 }
               ]
             }
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -7,7 +7,9 @@ Resources: @@
             Statement:
               - Effect: Allow
                 Action: "s3:*"
-                Resource: "*"
+                Resource:
+                 - "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+                 - "*"
           Users:
             - TestUser
           Description: "Policy for creating a test database"

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,6 +14,7 @@ CxPolicy[result] { # resources @@
     	statement := st[st_index]
     	common_lib.is_allow_effect(statement)
         illegal_action := is_illegal(statement.Action)
+    	common_lib.equalsOrInArray(statement.Resource, "*")
     	result := {
     		"documentId": input.document[i].id,
@@ Expand All / @@ -37,6 +38,7 @@ CxPolicy[result] { # modules @@
     	statement := st[st_index]
     	common_lib.is_allow_effect(statement)
     	illegal_action := is_illegal(statement.Action)
+    	common_lib.equalsOrInArray(statement.Resource, "*")
     	result := {
     		"documentId": input.document[i].id,
@@ Expand Down Expand Up @@
     	not is_unique_element
     	common_lib.is_allow_effect(statement)
         illegal_action := is_illegal(statement.actions)
+    	common_lib.equalsOrInArray(statement.resources, "*")
     	res := {
     		"sk": sprintf("aws_iam_policy_document[%s].statement[%d].actions", [name, index]),
@@ Expand All @@
     	is_unique_element
     	common_lib.is_allow_effect(statement)
     	illegal_action := is_illegal(statement.actions)
+    	common_lib.equalsOrInArray(statement.resources, "*")
     	res := {
     		"sk": sprintf("aws_iam_policy_document[%s].statement.actions", [name]),
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -0,0 +1,31 @@
+    resource "aws_iam_policy" "positive1" {
+      name        = "positive1_${var.environment}"
+      description = "Kai Monkey SSM Secrets Policy"
+      policy = <<EOF
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "KaiMonkeySSMSecretsPolicyGet",
+                "Effect": "Allow",
+                "Action": "secretsmanager:GetSecretValue",
+                "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+            },
+            {
+                "Sid": "KaiMonkeySSMSecretsPolicyGetDecrypt",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:Decrypt",
+                    "ssm:GetParameters",
+                    "ssm:GetParameter",
+                    "s3:GetObject",
+                    "ssm:GetParametersByPath",
+                    "secretsmanager:GetSecretValue"
+                ],
+                "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Users"
+            }
+        ]
+    }
+    EOF
+    }

-Original file line number
+Diff line change
@@ Expand Up / @@ -14,7 +14,7 @@ module "iam_policy" { @@
                 "secretsmanager:GetSecretValue"
               ],
               "Effect": "Allow",
-              "Resource": "*"
+              "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/Users", "*"]
             }
           ]
         }
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(query): fix FP results on "IAM policy allows for data exfiltration" CloudFormation and Terraform queries #8030

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

fix(query): fix FP results on "IAM policy allows for data exfiltration" CloudFormation and Terraform queries #8030

Are you sure you want to change the base?

Uh oh!

fix(query): fix FP results on "IAM policy allows for data exfiltration" CloudFormation and Terraform queries #8030

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!