data-dot-all/dataall

Overly permissive policy for dataset environment roles

Opened this issue · 0 comments

Describe the bug

The dataset environment admin policy contains overly permissive permissions that need to be restricted to only the required resources. The following are flagged by Checkov:

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints"
Permissions to address:
"iam:CreatePolicy",
"iam:CreateServiceLinkedRole"
FAILED for resource: AWS::IAM::ManagedPolicy.dataalltestproducerenvadmin2m7oljdeservicespolicy1DD4CBB4
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
Permissions to address:
"cloudformation:Cancel*",
"cloudformation:Continue*",
"cloudformation:CreateChangeSet",
"cloudformation:ExecuteChangeSet",
FAILED for resource: AWS::IAM::ManagedPolicy.dataalltestproducerenvadmin2m7oljdeservicespolicy11D6FB542
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints"
Permissions to address:
"glue:List*"
FAILED for resource: AWS::IAM::ManagedPolicy.dataalltestproducerenvadmin2m7oljdeservicespolicy34FD1AA7D
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

How to Reproduce

Create a dataset environment and run Checkov against the environment stack CloudFormation template to get the list of resources flagged for overly permissive permissions.

Expected behavior

The dataset environment role/policy should follow the least-privilege principle, restricting permissions to only the required resources.
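The following is an added example, not data.all project code and not Checkov itself: a small checker that reproduces the shape of the two findings above (an `Allow` statement with `Resource: "*"` and no `Condition` that grants permissions-management or write actions) and runs it over a constructed CloudFormation template holding both a permissive policy and a resource-scoped rewrite of the same actions. The logical IDs (`PermissiveServicesPolicy`, `ScopedServicesPolicy`), the account ID `123456789012`, the region and the scoped ARNs are placeholders, and the action lists are illustrative samples of the categories the Checkov checks cover, not Checkov's full lists.

```python
"""Toy re-implementation of what CKV_AWS_109 / CKV_AWS_111 flag, applied to
a constructed CloudFormation template (JSON form, so no YAML dependency).
Added illustration; not data.all code and not Checkov's own logic."""
import fnmatch
import json

# Constructed sample action lists (illustrative, not Checkov's full lists).
PERMISSIONS_MGMT_ACTIONS = {      # category behind CKV_AWS_109
    "iam:CreatePolicy",
    "iam:CreateServiceLinkedRole",
}
WRITE_ACTIONS = {                 # category behind CKV_AWS_111
    "cloudformation:CancelUpdateStack",
    "cloudformation:ContinueUpdateRollback",
    "cloudformation:CreateChangeSet",
    "cloudformation:ExecuteChangeSet",
}

# Constructed template: the same actions once on Resource "*" (flagged) and
# once scoped to placeholder ARNs (account 123456789012 is a placeholder).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "PermissiveServicesPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreatePolicy", "iam:CreateServiceLinkedRole"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["cloudformation:Cancel*", "cloudformation:Continue*",
                    "cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet"],
         "Resource": "*"}]}}
    },
    "ScopedServicesPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreatePolicy"],
         "Resource": "arn:aws:iam::123456789012:policy/dataall-*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole"],
         "Resource": "arn:aws:iam::123456789012:role/aws-service-role/*"},
        {"Effect": "Allow",
         "Action": ["cloudformation:Cancel*", "cloudformation:Continue*",
                    "cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet"],
         "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/dataall-*/*"}]}}
    }
  }
}
""")


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def covered_actions(pattern, candidates):
    """Concrete candidate actions that an IAM action pattern (may contain '*') covers."""
    return sorted(a for a in candidates if fnmatch.fnmatchcase(a, pattern))


def is_unconstrained(statement):
    """Allow + Resource '*' + no Condition: the shape both checks flag."""
    if statement.get("Effect") != "Allow" or "Condition" in statement:
        return False
    return "*" in _as_list(statement.get("Resource", []))


def scan_template(template):
    """Return one finding per flagged action pattern in each IAM policy resource."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in _as_list(doc.get("Statement", [])):
            if not is_unconstrained(stmt):
                continue
            for pattern in _as_list(stmt.get("Action", [])):
                for check, category in (("CKV_AWS_109", PERMISSIONS_MGMT_ACTIONS),
                                        ("CKV_AWS_111", WRITE_ACTIONS)):
                    covered = covered_actions(pattern, category)
                    if covered:
                        findings.append({"resource": logical_id, "check": check,
                                         "action": pattern, "covers": covered})
    return findings


if __name__ == "__main__":
    for f in scan_template(SAMPLE_TEMPLATE):
        print(f"{f['check']} {f['resource']}: {f['action']} -> {', '.join(f['covers'])}")
```

Only `PermissiveServicesPolicy` produces findings; `ScopedServicesPolicy` grants exactly the same actions but passes because every statement names a resource ARN, which is the least-privilege shape the expected behaviour calls for. Real Checkov also evaluates YAML templates and a much longer action list, so treat this as a model of the rule, not a replacement for running the tool.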

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.6

Additional context

No response