Add support for JSON structures inside TF resources
Describe the issue

Would like to add graph connection checks for JSON: https://codifiedsecurity.slack.com/archives/C012JP8DS5T/p1651393864759659

Example to be added later.

To be more accurate - this is an FR to add support for the JSON structures, such as IAM policies, which are inside some of the Terraform resources.

The rule has to fail on "aws_iam_policy" that has "*" in Action, "*" in Resource, and no connected users, groups or roles. In the attached tf file such a policy is "policy_no_user_too_permissive".
```hcl
provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

# User connected to a policy only through its permissions boundary.
resource "aws_iam_user" "user_with_internal_policy" {
  name                 = "user_with_internal_policy"
  permissions_boundary = aws_iam_policy.internal_policy_with_user.arn
}

# User connected to a policy through an aws_iam_policy_attachment below.
resource "aws_iam_user" "user_with_managed_policy" {
  name = "user_with_managed_policy"
}

# Not attached to anything, but not permissive either: the rule must pass.
resource "aws_iam_policy" "policy_no_user" {
  name        = "policy_no_user"
  description = "Policy not attached to users"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "Abc"
      ],
      "Effect": "Allow",
      "Resource": "LB"
    }
  ]
}
EOF
}

# Allows "*" on "*" and is attached to nothing: the rule must fail here.
# (name corrected from the duplicate "policy_no_user" in the original file;
# two aws_iam_policy resources with the same name would not apply.)
resource "aws_iam_policy" "policy_no_user_too_permissive" {
  name        = "policy_no_user_too_permissive"
  description = "Policy not attached to users"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

# Permissive, but referenced by a user's permissions_boundary: connected.
resource "aws_iam_policy" "internal_policy_with_user" {
  name        = "internal_policy_with_user"
  description = "An internal policy attached to user"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

# Permissive, but attached to a user via aws_iam_policy_attachment: connected.
resource "aws_iam_policy" "managed_policy_with_user" {
  name        = "managed_policy_with_user"
  description = "A managed policy attached to user"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "attach_user" {
  name       = "managed_policy_attachment_to_user"
  users      = [aws_iam_user.user_with_managed_policy.name]
  policy_arn = aws_iam_policy.managed_policy_with_user.arn
}
```
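The check the issue asks for, written out as a standalone Python example (added here; it is not Checkov code and does not use Checkov's graph API). It assumes the Terraform file has already been parsed into a `(type, label) -> attributes` dictionary, with references kept as `${...}` interpolation strings; the `RESOURCES` dictionary below is a hand-constructed copy of the resources in the tf file above. The example parses the JSON embedded in each `policy` attribute, flags `Allow` statements with `*` in both `Action` and `Resource`, and treats a policy as connected when a user, group, role or attachment resource references its `arn` (the `permissions_boundary` reference counts as a connection, matching the issue's description of `internal_policy_with_user`). Only `policy_no_user_too_permissive` should fail.

```python
import json
import re
from typing import Any, Dict, Iterable, List, Set, Tuple


def _wildcard_policy() -> str:
    # Constructed policy document matching the "*" on "*" statements in the issue.
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Action": ["*"], "Effect": "Allow", "Resource": "*"}],
    })


# Constructed sample: the issue's resources in an assumed parsed shape
# (type, label) -> attributes. This is not Checkov's internal representation.
RESOURCES: Dict[Tuple[str, str], Dict[str, Any]] = {
    ("aws_iam_user", "user_with_internal_policy"): {
        "name": "user_with_internal_policy",
        "permissions_boundary": "${aws_iam_policy.internal_policy_with_user.arn}",
    },
    ("aws_iam_user", "user_with_managed_policy"): {"name": "user_with_managed_policy"},
    ("aws_iam_policy", "policy_no_user"): {
        "name": "policy_no_user",
        "policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Action": ["Abc"], "Effect": "Allow", "Resource": "LB"}],
        }),
    },
    ("aws_iam_policy", "policy_no_user_too_permissive"): {
        "name": "policy_no_user_too_permissive",
        "policy": _wildcard_policy(),
    },
    ("aws_iam_policy", "internal_policy_with_user"): {
        "name": "internal_policy_with_user",
        "policy": _wildcard_policy(),
    },
    ("aws_iam_policy", "managed_policy_with_user"): {
        "name": "managed_policy_with_user",
        "policy": _wildcard_policy(),
    },
    ("aws_iam_policy_attachment", "attach_user"): {
        "name": "managed_policy_attachment_to_user",
        "users": ["${aws_iam_user.user_with_managed_policy.name}"],
        "policy_arn": "${aws_iam_policy.managed_policy_with_user.arn}",
    },
}

# Resource types whose attributes can reference a policy and so connect it
# to a principal: the principals themselves plus the attachment resources.
CONNECTING_TYPES = {
    "aws_iam_user", "aws_iam_group", "aws_iam_role",
    "aws_iam_policy_attachment", "aws_iam_user_policy_attachment",
    "aws_iam_group_policy_attachment", "aws_iam_role_policy_attachment",
}

# Matches a Terraform reference to a managed policy's ARN inside a string.
POLICY_REF = re.compile(r"aws_iam_policy\.([A-Za-z0-9_-]+)\.arn")


def as_list(value: Any) -> List[Any]:
    """IAM allows Action/Resource/Statement to be a scalar or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_fully_permissive(policy_document: str) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*"."""
    try:
        doc = json.loads(policy_document)
    except (TypeError, ValueError):
        return False  # not parseable JSON: the check cannot evaluate it
    for stmt in as_list(doc.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        if "*" in as_list(stmt.get("Action")) and "*" in as_list(stmt.get("Resource")):
            return True
    return False


def _strings_in(value: Any) -> Iterable[str]:
    """Yield every string nested anywhere inside an attribute value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings_in(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings_in(v)


def connected_policy_labels(resources: Dict[Tuple[str, str], Dict[str, Any]]) -> Set[str]:
    """Labels of aws_iam_policy resources referenced from a principal or attachment."""
    connected: Set[str] = set()
    for (rtype, _label), attrs in resources.items():
        if rtype in CONNECTING_TYPES:
            for s in _strings_in(attrs):
                connected.update(POLICY_REF.findall(s))
    return connected


def find_unattached_wildcard_policies(resources: Dict[Tuple[str, str], Dict[str, Any]]) -> List[str]:
    """Labels of aws_iam_policy resources that allow * on * and are not connected."""
    connected = connected_policy_labels(resources)
    return sorted(
        label for (rtype, label), attrs in resources.items()
        if rtype == "aws_iam_policy"
        and is_fully_permissive(attrs.get("policy", ""))
        and label not in connected
    )


if __name__ == "__main__":
    for label in find_unattached_wildcard_policies(RESOURCES):
        print(f"FAILED: aws_iam_policy.{label} allows * on * and is attached to nothing")
```

The connection logic deliberately scans every string attribute of the connecting resource types rather than a fixed list of attribute names, so a reference through `permissions_boundary`, `managed_policy_arns` or `policy_arn` is found the same way; a real graph implementation would use resolved edges instead of regex matching on interpolation strings.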
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!