-
Notifications
You must be signed in to change notification settings - Fork 108
[BUG][FG_R00276] - It doesn't fail if we didn't set the source_account #200
Comments
BTW, we don't know how to read properly rego code. The rule FG_R00276 is described in here: https://github.com/fugue/regula/blob/master/rego/rules/tf/aws/lambda/function_not_public.rego |
Hi, @rsareth! Thank you so much again for using Regula and opening these issues. It's incredibly helpful for us! There's definitely a discrepancy between our interpretation of "publicly accessible" and Security Hub's. Right now, we're just checking for From the Security Hub docs, it looks like |
We think this might be a bug in that Security Hub rule or, at the very least, a discrepancy between their docs and their rules. In their remediation steps for that rule, they say:
Which sounds like the intent is to deny when After discussing this issue, we do intend to change our rule to allow If you just want to avoid triggering that alarm, you could enforce that condition with a small custom rule that you include with the package rules.lambda_permission_needs_source_account
__rego__metadoc__ := {
"custom": {
"severity": "Medium"
},
"title": "Lambda permission resources should always have a condition for AWS:SourceAccount"
}
resource_type = "aws_lambda_permission"
default allow = false
allow {
input.source_account != ""
} for example if that rule was saved as regula run --include rules/lambda_permission_needs_source_account.rego <your inputs>
# or you can just specify the parent directory
regula run --include rules <your inputs> |
Sorry to keep spamming on this ticket: after discussing this issue more, it does seem like we should have a rule that enforces |
Hi @jason-fugue Thank you for your answer. But if we understand it properly, this situation annoys us a little bit. If you are right, AWS needs to fix their managed rule, lambda-function-public-access-prohibited, and/or update their documentation. In that case, your rego rule looks like a temporary technical workaround. How can we notify AWS to do something properly ? Have you ever talk to them about a discrepancy between their rules and their docs ? Can they fix quickly ? In our case, those rules are activated by another team that creates AWS subscriptions for us. The subscriptions are pre-configured / pre-provisionned with mandatory stuff that we can't say anything about them. Anyway, having this rule will make us to think of how to integrate custom rules in our ci/cd workflows. Regards, |
So, we posted a response at the same time. Don't read that much my response but I prefer to let it be for transparency. Thank you again Rasmey |
Hi, @rsareth! We added a new rule ( |
Hi @jason-fugue, Thank you for the new release. I've tried the release with the same test provided previously but it didn't raise the error for the rule Also, I wanted to run the make command on the tag $ make test
go test -v -cover ./...
? github.com/fugue/regula [no test files]
? github.com/fugue/regula/cmd [no test files]
? github.com/fugue/regula/pkg/git [no test files]
=== RUN TestCfnDetector
--- PASS: TestCfnDetector (0.00s)
=== RUN TestCfnDetectorNotCfnContents
--- PASS: TestCfnDetectorNotCfnContents (0.00s)
[...]
=== RUN TestTf
tf_test.go:54:
[...]
--- FAIL: TestTf (0.06s)
[...]
--- FAIL: TestTfResourceLocation (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0x14003c0]
goroutine 9 [running]:
testing.tRunner.func1.2({0x146a040, 0x190c9d0})
/usr/local/Cellar/go/1.17.2/libexec/src/testing/testing.go:1209 +0x24e
[...]
coverage: 97.1% of statements
ok github.com/fugue/regula/pkg/topsort (cached) coverage: 97.1% of statements
? github.com/fugue/regula/pkg/version [no test files]
? github.com/fugue/regula/rego [no test files]
FAIL
make: *** [test] Error 1 I'm not really sure if it is my mac. But the |
Hi, @rsareth! The reason your configuration still did not trigger a failure is because of a deficiency in how we relate lambda functions and permissions. It would trigger a failure if you changed the resource "aws_lambda_permission" "lambda_a" { # <---- We should get an error detected on this resource
statement_id = "AllowExecutionFromS3Bucket"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.lambda_a.function_name
principal = "s3.amazonaws.com"
source_arn = aws_s3_bucket.bucket_a.arn
#source_account = data.aws_caller_identity.current.account_id # <--- Following the AWS best practices, we need to set the source_account
} Using an ARN there is valid and there are some other ways to specify For your build failure - there's a git submodule that we use in one of the test suites. You'll need to run this first to fetch it: git submodule update --init --recursive Our current |
Hi @jason-fugue, Thank you for the quick answer. First, I can confirm that I was able to rebuild from the source code. I hope you will provide a contributor markdown file. Second, after your explanation, I can confirm that everything is ok. I check in our source code, we can see that we are using the arn instead of the function name. I guess in a previous version of the provider, it was the arn that was needed to set. We hope that you can provide a fix that can handle both the arn and the function name of the lambda. BTW, you don't provide the link to your rule web page. I didn't see the web page. I saw a 404 page. When do you think you can publish this web page ? Do you want me to close the ticket or should we let open ? Thank you again, |
Hi, @rsareth! I think it makes sense to leave this issue open until we make the change to accommodate function ARNs and the other valid values in the lambda permission function name field. I'll reply back once I've got an time estimate for adding documentation for this rule. |
Hi again, @rsareth! Sorry for the very long turnaround on this issue. The latest release (v2.1.0) has a fix to support the use of other function properties (like |
Hi @jason-fugue, I can confirm that the 2 issues are solved with regula v2.1.0. Thank you for the fixes! Rasmey |
Hi,
We are still testing regula on a huge amount of repositories. So we have so many lines of code and problems detected to analyze. That's why we are creating issues by analyzing the regula results.
A - Description
We think there might a bug in the rule FG_R00276 - Lambda function policies should not allow global access. Regula doesn't fail when it applies the rule but in our AWS Config console, we are seeing an alarm: securityhub-lambda-function-public-access-prohibited The description is there: [Lambda.1] Lambda function policies should prohibit public access Of course, we might be wrong on the understanding of both rules.
B - Context
In the same AWS subscription, we have created a s3 bucket that invokes our lambda. Both resources are created in the same repository. But in our aws_lambda_permission resource, we have only set the source_arn and we haven't set the source_account.
C - Version
D - Test
Put the below code in the file lambda_a.tf
Command to run and the output:
We expected to see a problem for the rule FG_R00276 but nothing.
E - AWS Web Console
And in the console, the bad policy looks like this:
instead of:
What do you think ?
Thank you in advance.
Regards,
Rasmey
The text was updated successfully, but these errors were encountered: