
false positive AVD-AWS-0057 for actions that apply only to all resources #5040

Closed
nikpivkin opened this issue Aug 25, 2023 · 4 comments
Labels: scan/misconfiguration (Issues relating to misconfiguration scanning)

Comments

@nikpivkin
Contributor

nikpivkin commented Aug 25, 2023

Source: https://github.com/aquasecurity/tfsec/issues/1962

There are IAM policy actions that apply only to all resources (*). Quote from the AWS documentation:

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action.

Example config:

data "aws_iam_policy_document" "test" {
  statement {
    actions = [
      "logs:ListLogDeliveries",
      "logs:CreateLogDelivery",
      "logs:GetLogDelivery",
      "logs:UpdateLogDelivery",
      "logs:DeleteLogDelivery",
    ]
    resources = [
      "*"
    ]
  }
}

resource "aws_iam_policy" "test" {
  name   = "test"
  policy = data.aws_iam_policy_document.test.json
}

Trivy output:

trivy config .
2023-08-25T15:26:01.677+0700    INFO    Misconfiguration scanning is enabled
2023-08-25T15:26:02.045+0700    INFO    Detected config files: 2

main.tf (terraform)

Tests: 2 (SUCCESSES: 1, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: IAM policy document uses sensitive action 'logs:ListLogDeliveries' on wildcarded resource '*'
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.

See https://avd.aquasec.com/misconfig/avd-aws-0057
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:10-12
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   data "aws_iam_policy_document" "test" {
   .   
  10 ┌     resources = [
  11 │       "*"
  12 └     ]
  ..   
  14   }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
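The distinction the quoted AWS documentation draws is exactly what the check has to honour: a Resource of "*" is only over-broad when the action could have been scoped to an ARN. The Go program below is an added example written for this page, not code from trivy or defsec, that applies that rule to the issue's policy. The resourceLevelSupport table is a hand-built subset of the AWS action tables, the function names are mine, and both policy documents are constructed inline (the first is what the aws_iam_policy_document above renders to; the second is a counter-example in the single-object/single-string JSON forms with actions that do accept an ARN):

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hand-built subset of the AWS "Actions, resources, and condition keys" tables
// (constructed for this example): true = lists a resource type, false = must use "*".
var resourceLevelSupport = map[string]bool{
	"logs:CreateLogDelivery": false,
	"logs:GetLogDelivery":    false,
	"logs:ListLogDeliveries": false,
	"logs:UpdateLogDelivery": false,
	"logs:DeleteLogDelivery": false,
	"logs:PutLogEvents":      true,
	"iam:PassRole":           true,
}

// stringOrList accepts the IAM convention that Action/Resource may be a string or an array.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = []string{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

type statement struct {
	Effect   string       `json:"Effect"`
	Action   stringOrList `json:"Action"`
	Resource stringOrList `json:"Resource"`
}

// parseStatements tolerates Statement being a single object or an array.
func parseStatements(policyJSON string) ([]statement, error) {
	var raw struct{ Statement json.RawMessage }
	if err := json.Unmarshal([]byte(policyJSON), &raw); err != nil {
		return nil, err
	}
	var many []statement
	if json.Unmarshal(raw.Statement, &many) == nil {
		return many, nil
	}
	var one statement
	err := json.Unmarshal(raw.Statement, &one)
	return []statement{one}, err
}

// Wildcard action patterns ("logs:*") expand to actions that take ARNs, so they are
// flagged; unknown actions are flagged too, so an incomplete table fails closed.
func needsScopedResource(action string) bool {
	if strings.Contains(action, "*") {
		return true
	}
	supports, known := resourceLevelSupport[action]
	return !known || supports
}

// WildcardResourceFindings returns, in order, the Allow-on-"*" actions that could take an ARN.
func WildcardResourceFindings(policyJSON string) ([]string, error) {
	stmts, err := parseStatements(policyJSON)
	if err != nil {
		return nil, err
	}
	findings := []string{}
	for _, st := range stmts {
		hasStar := false
		for _, r := range st.Resource {
			hasStar = hasStar || r == "*"
		}
		if !strings.EqualFold(st.Effect, "Allow") || !hasStar {
			continue
		}
		for _, a := range st.Action {
			if needsScopedResource(a) {
				findings = append(findings, a)
			}
		}
	}
	return findings, nil
}

// Constructed inputs: LogDeliveryPolicy is what the issue's aws_iam_policy_document renders
// to (written by hand, not captured from Terraform); MixedPolicy adds ARN-capable actions.
const LogDeliveryPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:ListLogDeliveries",
"logs:CreateLogDelivery","logs:GetLogDelivery","logs:UpdateLogDelivery","logs:DeleteLogDelivery"],"Resource":["*"]}]}`
const MixedPolicy = `{"Version":"2012-10-17","Statement":{"Effect":"Allow","Resource":"*",
"Action":["logs:ListLogDeliveries","logs:PutLogEvents","iam:PassRole","logs:*"]}}`

func main() {
	for name, doc := range map[string]string{"log-delivery": LogDeliveryPolicy, "mixed": MixedPolicy} {
		findings, err := WildcardResourceFindings(doc)
		fmt.Printf("%s: flagged %v (err=%v)\n", name, findings, err)
	}
}
```

Run as-is, the log-delivery policy produces no findings while the mixed one flags logs:PutLogEvents, iam:PassRole and logs:*. Unknown actions are flagged on purpose: with a partial table the safe failure for a least-privilege check is a false positive, not a silent pass, so a real implementation needs the complete, generated list of each action's resource types, which is what the PR discussed in this issue sets out to produce.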
@nikpivkin
Contributor Author

I have prepared a PR in defsec to generate actions, but it doesn't use the API, which may not be reliable.

@simar7
Member

simar7 commented Dec 8, 2023

I have prepared a PR in defsec to generate actions, but it doesn't use the API, which may not be reliable.

Is the PR ready? I still see it is marked as draft.

@nikpivkin
Contributor Author

I left a comment

@simar7
Member

simar7 commented Mar 5, 2024

@simar7 simar7 closed this as completed Mar 5, 2024
@simar7 simar7 added this to the v0.50.0 milestone Mar 5, 2024
@simar7 simar7 self-assigned this Mar 5, 2024