Restrict IAM policy to not allow write access without constraints
dgregan-flutter opened this issue · 1 comments
Feature scope
BitmapWidget
Describe your suggested feature
Hello,
When creating a dynamic dashboard factory as per the Custom dashboards section, it seems that behind the scenes an IAM policy that allows write access without constraint (logs:PutRetentionPolicy, logs:DeleteRetentionPolicy) is created, which fails a Checkov static code analysis check (CKV_AWS_111) 'Ensure IAM policies does not allow write access without constraints'. This policy can be seen in BitmapWidget.test.ts.snap
ASK:
- Limit the scope of this Log retention IAM policy to just affect the Lambda function log groups (which I assume it's interacting with) for better security compliance / to enable passing of Checkov static code analysis checks
Partial Checkov Output
{
"check_type": "cloudformation",
"results": {
"failed_checks": [
{
"check_id": "CKV_AWS_111",
"bc_check_id": "BC_AWS_IAM_57",
"check_name": "Ensure IAM policies does not allow write access without constraints",
"check_result": {
"result": "FAILED",
"evaluated_keys": []
},
"code_block": [
[
221,
" \"LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB\": {\n"
],
[
...
"resource": "AWS::IAM::Policy.LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB",
...
"check_class": "checkov.cloudformation.checks.resource.aws.IAMWriteAccess",
"guideline": "https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint",
...
}
Thanks!
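As an added example (not from the issue, from Checkov, or from the project), a simplified Python approximation of what CKV_AWS_111 flags, run over a constructed template holding two log-retention policies: one with Resource "*" as the issue describes, and one scoped to a single Lambda log group. The logical IDs, account, region and log-group ARN are placeholders, and the read-only prefix list is an assumption rather than Checkov's actual action classification.

```python
# Constructed sample template (placeholder logical IDs, account and region),
# modelled on the log-retention policy shape described in the issue.
TEMPLATE = {
    "Resources": {
        "LogRetentionServiceRoleDefaultPolicy": {  # unconstrained, as in the snapshot
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Action": ["logs:PutRetentionPolicy", "logs:DeleteRetentionPolicy"],
                "Resource": "*"}]}},
        },
        "ScopedLogRetentionPolicy": {  # same actions limited to one Lambda log group
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Action": ["logs:PutRetentionPolicy", "logs:DeleteRetentionPolicy"],
                "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/bitmap-renderer:*"}]}},
        },
    }
}

READ_ONLY_PREFIXES = ("Get", "List", "Describe")  # assumption: any other verb is a write


def _as_list(value) -> list:
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_write_action(action: str) -> bool:
    # "*" and "logs:*" include write verbs; logs:PutRetentionPolicy is a write.
    verb = action.partition(":")[2] if ":" in action else "*"
    return not verb.startswith(READ_ONLY_PREFIXES)


def unconstrained_write_statements(policy: dict) -> list:
    """Allow statements granting a write action on Resource '*' with no Condition."""
    return [
        stmt for stmt in _as_list(policy.get("Statement", []))
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt
        and "*" in _as_list(stmt.get("Resource", []))
        and any(is_write_action(a) for a in _as_list(stmt.get("Action", [])))
    ]


def failing_policies(template: dict) -> list:
    """Logical IDs of AWS::IAM::Policy resources that would fail the check."""
    return [
        name for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::IAM::Policy"
        and unconstrained_write_statements(res["Properties"]["PolicyDocument"])
    ]
```

Only the unscoped policy is reported; the one whose Resource names a specific log-group ARN passes, which is the shape the ask above is after.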
Hi, bitmap widgets rely on a Lambda function to do the rendering, and Lambda functions have these roles automatically created by AWS CDK.
You can refer to aws/aws-cdk#11878 and the other linked issues there to learn more about why they're as permissive as they are.