Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(terraform): Add Condition exceptions CKV_AWS_70 #6044

Merged
merged 7 commits into from
Feb 28, 2024
Merged

fix(terraform): Add Condition exceptions CKV_AWS_70 #6044

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
9a2658d
Add Condition exceptions
tsmithv11 Feb 23, 2024
1c2bb2c
Refactor
tsmithv11 Feb 23, 2024
58fbb00
Update S3AllowsAnyPrincipal.py
tsmithv11 Feb 23, 2024
5e5ca8e
Fix tests
tsmithv11 Feb 23, 2024
a55617c
Fix bug
tsmithv11 Feb 23, 2024
aaa881c
reopen tests
tsmithv11 Feb 23, 2024
1e0bb3d
Merge branch 'main' into ts-fix-ckv-aws-70
tsmithv11 Feb 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 43 additions & 2 deletions checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
from json import JSONDecodeError
import re

from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
Expand All @@ -7,9 +8,46 @@
from typing import List


def check_conditions(statement) -> bool:
# Check if 'Condition' key exists
if 'Condition' not in statement:
return False

condition = statement['Condition']

# Pass if they define bad ARNs. Assumes they are not too narrow
if any(key in condition for key in ['ArnNotEquals', 'ArnNotLike']):
return True

# Handling 'ArnEquals' and 'ArnLike'
for arn_key in ['ArnEquals', 'ArnLike']:
if arn_key in condition:
# Pass unless it is for all IAM ARNs
for principal_key in ['aws:PrincipalArn', 'aws:SourceArn']:
if principal_key in condition[arn_key]:
principal_arn = condition[arn_key][principal_key]
# Fail if the Condition is for all ARNs of any resource
if re.match(r'^arn:aws:[a-z0-9-]+::\*.*$', principal_arn):
return False
# Passed if 'aws:PrincipalArn' or 'aws:SourceArn' do not match because then they are specific
return True

# Handle VPC sources. Other sources not specific enough
# Leaves out the NOT conditions as too broad ('StringNotEquals', 'StringNotEqualsIgnoreCase', 'StringNotLike')
string_conditions = ['StringEquals', 'StringEqualsIgnoreCase', 'StringLike']
if any(condition_type in condition for condition_type in string_conditions):
for condition_type in string_conditions:
if condition_type in condition:
if any(source in condition[condition_type] for source in ['aws:sourceVpce', 'aws:SourceVpc']):
return True

# Default fail if none of the above conditions are met
return False


class S3AllowsAnyPrincipal(BaseResourceCheck):

def __init__(self):
def __init__(self) -> None:
name = "Ensure S3 bucket does not allow an action with any Principal"
id = "CKV_AWS_70"
supported_resources = ['aws_s3_bucket', 'aws_s3_bucket_policy']
Expand All @@ -36,13 +74,16 @@ def scan_resource_conf(self, conf):
continue
principal = statement['Principal']
if principal == '*':
if check_conditions(statement):
return CheckResult.PASSED
return CheckResult.FAILED
if 'AWS' in statement['Principal']:
# Can be a string or an array of strings
aws = statement['Principal']['AWS']
if (isinstance(aws, str) and aws == '*') or (isinstance(aws, list) and '*' in aws):
if check_conditions(statement):
return CheckResult.PASSED
return CheckResult.FAILED

return CheckResult.PASSED

def get_evaluated_keys(self) -> List[str]:
Expand Down
276 changes: 276 additions & 0 deletions tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -183,3 +183,279 @@ data "aws_iam_policy_document" "test" {
resources = ["${aws_s3_bucket.b.arn}/*"]
}
}


resource "aws_s3_bucket_policy" "pass_w_condition" {
bucket = "bucket"

policy = <<POLICY
{
"Id": "Policy1597273448050",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1597273446725",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::12345555555555:user/username"
}
}
}
]
}
POLICY
}

resource "aws_s3_bucket" "pass_w_condition" {
bucket = "bucket"

policy = <<POLICY
{
"Id": "Policy1597273448050",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1597273446725",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": "arn:aws:iam::12345555555555:user/username"
}
}
}
]
}
POLICY
}

# BAD:
resource "aws_s3_bucket_policy" "pass_w_condition2" {
bucket = "bucket"

policy = <<POLICY
{
"Id": "Policy1597273448050",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1597273446725",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::12345555555555:user/username"
}
}
}
]
}
POLICY
}

resource "aws_s3_bucket" "pass_w_condition2" {
bucket = "bucket"

policy = <<POLICY
{
"Id": "Policy1597273448050",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1597273446725",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::12345555555555:user/username"
}
}
}
]
}
POLICY
}

resource "aws_s3_bucket_policy" "fail_w_condition" {
bucket = "bucket"

policy = <<POLICY
{
"Id": "Policy1597273448050",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1597273446725",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::*"
}
}
}
]
}
POLICY
}

resource "aws_s3_bucket" "fail_w_condition" {
bucket = "bucket"

policy = <<POLICY
{
"Id": "Policy1597273448050",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1597273446725",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::*"
}
}
}
]
}
POLICY
}

resource "aws_s3_bucket_policy" "fail_w_condition" {
bucket = "bucket"

policy = <<POLICY
{
"Id": "Policy1597273448050",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1597273446725",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": "*"
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::*"
}
}
}
]
}
POLICY
}

resource "aws_s3_bucket" "pass_w_condition3" {
bucket = "bucket"

policy = <<POLICY
{
"Id": "Policy1597273448050",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1597273446725",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": "*",
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:iam::12345555555555:user/username"
}
}
}
]
}
POLICY
}

resource "aws_s3_bucket" "pass_w_condition4" {
bucket = "bucket"

policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessFromSpecificVpcEndpoint",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*",
"Condition": {
"StringEquals": {
"aws:sourceVpce": "vpce-123abc456def7890g"
}
}
}
]
}
POLICY
}

resource "aws_s3_bucket" "pass_w_condition5" {
bucket = "bucket"

policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessFromSpecificVpcEndpoint",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*",
"Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:*:111122223333:trail/*"}}
}
]
}
POLICY
}
9 changes: 9 additions & 0 deletions tests/terraform/checks/resource/aws/test_S3AllowsAnyPrincipal.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,21 @@ def test(self):
"aws_s3_bucket.pass",
"aws_s3_bucket.pass2",
"aws_s3_bucket_policy.pass",
"aws_s3_bucket_policy.pass_w_condition",
"aws_s3_bucket.pass_w_condition",
"aws_s3_bucket_policy.pass_w_condition2",
"aws_s3_bucket.pass_w_condition2",
"aws_s3_bucket.pass_w_condition3",
"aws_s3_bucket.pass_w_condition4",
"aws_s3_bucket.pass_w_condition5",
}
failing_resources = {
"aws_s3_bucket.fail",
"aws_s3_bucket.fail2",
"aws_s3_bucket.fail3",
"aws_s3_bucket_policy.fail",
"aws_s3_bucket.fail_w_condition",
"aws_s3_bucket_policy.fail_w_condition",
}

passed_check_resources = set([c.resource for c in report.passed_checks])
Expand Down
Loading