CKV_AWS_111 Fails on IAM write actions that cannot be restricted.
caruso-billfire opened this issue · 2 comments
Original issue was posted to checkov bridgecrewio/checkov#1173
But it seems like for cloudformation this issue needs to be reported here as well.
Describe the bug
There are IAM write actions that you cannot restrict via "Resource".
To Reproduce
Add any of the following IAM actions to an IAM Policy Document
Write Actions:
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
Expected behavior
Checkov (Cloudsplaining) should allow these actions to have "unrestricted write access".
Do you guys know if I need to add this issue to https://github.com/salesforce/cloudsplaining ?
We are using cloudformation, I know checkov uses an integration with them.
Another screenshot from the docs (linked below); note how these 2 IAM actions have to have unrestricted write.
Desktop (please complete the following information):
linux
checkov version: 2.0.113
I am not sure what version of cloudsplaining they are using.
Additional context
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html
I think this was a bug introduced in #156. Specifically here:
7d9a157#diff-a9f7ff6c5207166473df8d0daad72979f4ce6209200844fc2f99e0f496e01ac9R275-R285
The _has_resource_constraints method isn't querying Policy Sentry to see if there are resource constraints - it's just checking to see if * is being used.
It should probably be modified to leverage cloudsplaining.shared.utils.remove_wildcard_only_actions() instead, similar to here:
I am currently OOO until June so I can't address this right now, but thought I would outline the solution in case anyone wants to address this.
For anyone who might pick this up - here's a unit test that will pass on success:
```python
import unittest

from cloudsplaining.scan.policy_document import PolicyDocument


class TestGh190(unittest.TestCase):  # wrapper class added so the test runs stand-alone
    def test_gh_190_xray_permissions(self):
        # Both X-Ray actions only accept Resource "*", so they must not be
        # reported as write actions lacking resource constraints.
        test_policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "xray:PutTraceSegments",
                        "xray:PutTelemetryRecords"
                    ],
                    "Resource": "*"
                }
            ]
        }
        policy_document = PolicyDocument(test_policy)
        results = policy_document.write_actions_without_constraints
        self.assertListEqual(results, [])
```
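To make the diagnosis above concrete, here is an added, self-contained example (not cloudsplaining's or Policy Sentry's code) contrasting the bare `*` check with a version that first drops wildcard-only actions. The `WRITE_ACTIONS` table is constructed for illustration; the real implementation gets this data from Policy Sentry.

```python
# Constructed lookup: write-level actions -> whether the action supports
# resource-level constraints. Per the linked AWS docs, the two X-Ray actions
# only accept Resource "*", so there is nothing to constrain.
WRITE_ACTIONS = {
    "xray:PutTraceSegments": False,    # wildcard-only action
    "xray:PutTelemetryRecords": False, # wildcard-only action
    "s3:PutObject": True,              # can be scoped to an object ARN
    "sqs:SendMessage": True,           # can be scoped to a queue ARN
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_resource_constraints(statement):
    """The check described in the thread: any Resource "*" counts as
    unconstrained, regardless of whether the action can be constrained."""
    return not any(r == "*" for r in _as_list(statement["Resource"]))


def remove_wildcard_only_actions(actions):
    """Drop actions that cannot be restricted by Resource (the role the real
    cloudsplaining.shared.utils.remove_wildcard_only_actions plays)."""
    return [a for a in actions if WRITE_ACTIONS.get(a, True)]


def write_actions_without_constraints(policy, filter_wildcard_only):
    """Return Allow'd write actions on Resource "*". With
    filter_wildcard_only=False this reproduces the false positive; with
    True it ignores actions that only ever accept "*"."""
    flagged = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or _has_resource_constraints(stmt):
            continue
        actions = _as_list(stmt["Action"])
        if filter_wildcard_only:
            actions = remove_wildcard_only_actions(actions)
        flagged.extend(a for a in actions if a in WRITE_ACTIONS)
    return flagged


# Constructed policy mirroring the one in the issue.
XRAY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["xray:PutTraceSegments", "xray:PutTelemetryRecords"],
                   "Resource": "*"}],
}
```

Run with `filter_wildcard_only=False` the X-Ray policy is flagged; with `True` it is clean, while a genuinely scopable action such as `s3:PutObject` on `*` is still reported.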