
Properties in AWS SAM Globals section not merged with associated resources

Open subnova opened this issue 3 years ago • 5 comments

Describe the issue

AWS SAM extends CloudFormation to include a Globals section (https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-template-anatomy-globals.html) that provides default values for various different types of SAM/CloudFormation resources.

Checkov should merge these values with the associated resources prior to running a check.

Example Value

The template:

Transform:
  - AWS::Serverless-2016-10-31

Globals:
  Function:
    KmsKeyArn: !GetAtt KmsKey.Arn

Resources:
  KmsKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action:
              - "kms:*"
            Resource:
              - "*"

  SomeLambda:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: src
      Policies:
        - AWSLambdaBasicExecutionRole
      Environment:
        Variables:
          MY_VARIABLE: "This is the variable value"

Should not trigger CKV_AWS_173 for SomeLambda as the KmsKeyArn is specified in the Globals section.

subnova avatar Apr 04 '22 16:04 subnova
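An added example (not code from Checkov or from the issue author) of the merge step the issue asks for: Globals defaults are folded into every resource of the matching SAM type before a check runs, following the override rules in the SAM Globals specification (scalars: the resource wins; maps: merged key by key with the resource taking precedence; lists: concatenated). The template is the one from the issue, rebuilt as a Python dict with `!GetAtt` in its long form, and `env_vars_use_cmk` is an assumed, simplified stand-in for CKV_AWS_173 (a function with environment variables must declare `KmsKeyArn`), not Checkov's own check implementation.

```python
from copy import deepcopy
from typing import Any, Dict

# Globals section name -> SAM resource type it applies to
# (from the SAM Globals specification linked in the issue).
GLOBALS_TO_TYPE = {
    "Function": "AWS::Serverless::Function",
    "Api": "AWS::Serverless::Api",
    "HttpApi": "AWS::Serverless::HttpApi",
    "SimpleTable": "AWS::Serverless::SimpleTable",
    "StateMachine": "AWS::Serverless::StateMachine",
}

# Constructed from the template in the issue; !GetAtt written in long form.
TEMPLATE: Dict[str, Any] = {
    "Transform": ["AWS::Serverless-2016-10-31"],
    "Globals": {"Function": {"KmsKeyArn": {"Fn::GetAtt": ["KmsKey", "Arn"]}}},
    "Resources": {
        "KmsKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"EnableKeyRotation": True},
        },
        "SomeLambda": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "CodeUri": "src",
                "Policies": ["AWSLambdaBasicExecutionRole"],
                "Environment": {
                    "Variables": {"MY_VARIABLE": "This is the variable value"}
                },
            },
        },
    },
}


def merge_value(global_value: Any, resource_value: Any) -> Any:
    """Apply the SAM override rules for one property value."""
    if resource_value is None:
        return deepcopy(global_value)
    if isinstance(global_value, dict) and isinstance(resource_value, dict):
        merged = deepcopy(global_value)
        for key, value in resource_value.items():
            merged[key] = merge_value(merged.get(key), value)
        return merged
    if isinstance(global_value, list) and isinstance(resource_value, list):
        return deepcopy(global_value) + deepcopy(resource_value)
    # Scalars (and type mismatches): the resource-level value wins.
    return deepcopy(resource_value)


def apply_globals(template: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the template with Globals folded into each matching resource."""
    out = deepcopy(template)
    globals_section = out.pop("Globals", None) or {}
    resources = out.get("Resources", {})
    for section, defaults in globals_section.items():
        target_type = GLOBALS_TO_TYPE.get(section)
        if target_type is None:
            continue  # unknown Globals section: leave resources untouched
        for resource in resources.values():
            if resource.get("Type") != target_type:
                continue
            props = resource.get("Properties") or {}
            resource["Properties"] = merge_value(defaults, props)
    return out


def env_vars_use_cmk(resource: Dict[str, Any]) -> bool:
    """Assumed simplification of CKV_AWS_173: environment variables need KmsKeyArn."""
    props = resource.get("Properties") or {}
    env = props.get("Environment") or {}
    if not env.get("Variables"):
        return True  # nothing to encrypt
    return bool(props.get("KmsKeyArn"))


def scan(template: Dict[str, Any]) -> Dict[str, bool]:
    """Run the check over every SAM function; True means the check passes."""
    return {
        name: env_vars_use_cmk(res)
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::Serverless::Function"
    }


if __name__ == "__main__":
    print("without merge:", scan(TEMPLATE))            # SomeLambda fails
    print("with merge:   ", scan(apply_globals(TEMPLATE)))  # SomeLambda passes
```

Running the check on the raw template reproduces the false positive from the issue; running it on the merged template does not, because `SomeLambda` now carries the `KmsKeyArn` inherited from `Globals.Function`. The `KmsKey` resource is not a SAM function and is left unchanged.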

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Oct 02 '22 00:10 stale[bot]

Any ETA on fixing this issue?

agilesrcmh avatar Mar 16 '23 17:03 agilesrcmh

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Sep 13 '23 22:09 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] avatar Oct 08 '23 00:10 stale[bot]

Thanks @Saarett - much appreciated

TaherKapasi avatar Jun 24 '24 08:06 TaherKapasi

Hey @subnova @agilesrcmh @TaherKapasi, if any of you are able to open a PR to fix this, it would be highly appreciated and it would help us get to this.

Thank you!

arielkru avatar Jul 11 '24 09:07 arielkru