awslabs/aws-cloudformation-iam-policy-validator

Throwing errors on Resolved findings

Closed this issue · 2 comments

When validating a policy with a CFN template, I see that it still throws errors on resolved findings.

```json
{
    "findingType": "SECURITY_WARNING",
    "code": "EXTERNAL_PRINCIPAL",
    "message": "Resource policy allows access from external principals.",
    "resourceName": "iconnector-logs",
    "policyName": "BucketPolicy",
    "details": {
        "action": [
            "s3:PutObject",
            "s3:PutObjectAcl"
        ],
        "changeType": "UNCHANGED",
        "condition": {
            "aws:PrincipalArn": "arn:aws:iam::123456789:role/eksctl-*"
        },
        "createdAt": "2022-03-10T12:00:07+00:00",
        "existingFindingId": "2b601f5e-10c5-4728-8550-xxxxxx",
        "existingFindingStatus": "RESOLVED",
        "id": "e4e000fd-e87e-4b76-9239-7xxxxxxx",
        "isPublic": false,
        "principal": {
            "AWS": "*"
        },
        "resource": "arn:aws:s3:::connector-logs",
        "resourceOwnerAccount": "123456789",
        "resourceType": "AWS::S3::Bucket",
        "sources": [
            {
                "type": "POLICY"
            }
        ],
        "status": "RESOLVED"
    }
}
```

It's resolved, but it returns exit status 2.
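A small post-processing filter, added here as an illustration and not part of the validator project, that applies the behaviour asked for in this report: only findings that Access Analyzer still reports as active count towards the non-zero exit status, while findings that carry no status at all (assumed here for policy errors the validator raises itself) stay blocking. The top-level BlockingFindings/NonBlockingFindings layout and the second and third sample findings are assumptions; only the first finding mirrors the one in the report.

```python
import json

# Constructed sample findings. The first reproduces the RESOLVED finding from
# the report (details trimmed); the other two are invented for the example.
SAMPLE_FINDINGS = [
    {"findingType": "SECURITY_WARNING", "code": "EXTERNAL_PRINCIPAL",
     "message": "Resource policy allows access from external principals.",
     "resourceName": "iconnector-logs", "policyName": "BucketPolicy",
     "details": {"existingFindingStatus": "RESOLVED", "status": "RESOLVED"}},
    {"findingType": "SECURITY_WARNING", "code": "EXTERNAL_PRINCIPAL",
     "message": "Resource policy allows access from external principals.",
     "resourceName": "other-bucket", "policyName": "BucketPolicy",
     "details": {"status": "ACTIVE"}},
    # Constructed finding with no Access Analyzer status (e.g. a policy error).
    {"findingType": "ERROR", "code": "EXAMPLE_ERROR_CODE",
     "message": "constructed error finding",
     "resourceName": "example-role", "policyName": "ExamplePolicy"},
]


def validator_output(findings):
    """Render findings in the (assumed) shape of the validator's JSON output."""
    return json.dumps({"BlockingFindings": findings, "NonBlockingFindings": []})


def is_active(finding):
    """A finding is active unless Access Analyzer marked it RESOLVED.
    A missing status is treated conservatively as active."""
    return finding.get("details", {}).get("status") != "RESOLVED"


def active_blocking_findings(output_json):
    """Blocking findings that should still fail the run."""
    data = json.loads(output_json)
    return [f for f in data.get("BlockingFindings", []) if is_active(f)]


def exit_status(output_json):
    """2 (the status from the report) only when an active blocking finding remains."""
    return 2 if active_blocking_findings(output_json) else 0


if __name__ == "__main__":
    import sys
    # Pass the saved validator output as argv[1]; otherwise use the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else validator_output(SAMPLE_FINDINGS)
    for f in active_blocking_findings(raw):
        print(f["findingType"], f["code"], f["resourceName"], f["policyName"])
    sys.exit(exit_status(raw))
```

With only the report's RESOLVED finding present, exit_status returns 0; the active and status-less findings each keep it at 2.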

Hi - thanks for opening this issue. I agree that only active findings should be returned in this case. I'll add this to the backlog to be updated.

This should be resolved in release 0.0.12: https://github.com/awslabs/aws-cloudformation-iam-policy-validator/releases/tag/v0.0.12

Please let me know if that doesn't resolve your issue and I'll reopen.