
Add support for JSON structures inside TF resources

Open tsmithv11 opened this issue 2 years ago • 2 comments

Describe the issue: Would like to add graph connection checks for JSON structures (see https://codifiedsecurity.slack.com/archives/C012JP8DS5T/p1651393864759659).

Example to be added later

tsmithv11 avatar May 02 '22 06:05 tsmithv11

To be more accurate: this is a feature request (FR) to add support for JSON structures, such as IAM policies, that are embedded inside some Terraform resources.

nimrodkor avatar May 02 '22 06:05 nimrodkor

The rule has to fail on an `aws_iam_policy` whose policy document has `"*"` in Action and `"*"` in Resource and that has no connected users, groups or roles. In the attached .tf file, such a policy is `policy_no_user_too_permissive`.

provider "aws" {
  profile    = "default"
  region     = "us-east-1"
}

resource "aws_iam_user" "user_with_internal_policy" {
  name = "user_with_internal_policy"
  permissions_boundary = aws_iam_policy.internal_policy_with_user.arn
}

resource "aws_iam_user" "user_with_managed_policy" {
  name = "user_with_managed_policy"
}

resource "aws_iam_policy" "policy_no_user" {
  name        = "policy_no_user"
  description = "Policy not attached to users"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "Abc"
      ],
      "Effect": "Allow",
      "Resource": "LB"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "policy_no_user_too_permissive" {
  name        = "policy_no_user"
  description = "Policy not attached to users"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "internal_policy_with_user" {
  name        = "internal_policy_with_user"
  description = "An internal policy attached to user"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "managed_policy_with_user" {
  name        = "managed_policy_with_user"
  description = "A managed policy attached to user"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_policy_attachment" "attach_user" {
  name       = "managed_policy_attachment_to_user"
  users      = [aws_iam_user.user_with_managed_policy.name]
  policy_arn = aws_iam_policy.managed_policy_with_user.arn
}

tsmithv11 avatar May 04 '22 19:05 tsmithv11

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Oct 31 '22 20:10 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] avatar Nov 15 '22 02:11 stale[bot]