
Add dataall IAM AssetsFileRole to checkov baseline

Open mourya-33 opened this issue 10 months ago • 2 comments

Describe the bug

CDK automatically creates an IAM Role - AssetsFileRole for managing the Assets stage in the main cicd code pipeline. However, this role has a default policy with the following unrestricted IAM permissions that are flagged by checkov scans.

```json
{
  "Action": [
    "codebuild:BatchGetBuilds",
    "codebuild:StartBuild",
    "codebuild:StopBuild"
  ],
  "Effect": "Allow",
  "Resource": "*"
}
```

This needs to be added to the checkov baseline until remediated.

How to Reproduce

While deploying dataall to AWS, after the cdk synth, scan the file - cdk.out/dataall-main-cicd-stack.template.json with checkov. Checkov will have a FAILURE with the following message

```text
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: AWS::IAM::Policy.dataallmaincdkpipelineAssetsFileRoleDefaultPolicy{Hash}
	File: /dataall-main-cicd-stack.template.json: {line number}
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
```

Expected behavior

Once the role is added to checkov baseline, the checkov scan should no longer have a FAILURE message for the AssetsFileRole.

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.3

Additional context

This issue is related to https://github.com/data-dot-all/dataall/issues/877

mourya-33 · Apr 18 '24 00:04
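To make the finding concrete, here is an added example (not code from the data.all project or from checkov) that runs a simplified version of the CKV_AWS_111 idea over a constructed CloudFormation template: an `AWS::IAM::Policy` that allows write-type actions on `Resource: "*"` fails, the same actions scoped to a CodeBuild project ARN pass, and a read-only action on `"*"` passes. The template, the logical ID suffixes `A1B2C3`/`D4E5F6`, the `ScopedBuildPolicy`/`ReadOnlyPolicy` resources and the read-only verb heuristic are all assumptions for the example; checkov's real check uses its own action list, and `apply_baseline` only mimics what a baseline does conceptually (suppress a known failure by resource id).

```python
"""Simplified stand-in for checkov's CKV_AWS_111 logic, run over a constructed
CloudFormation template. This is an illustrative approximation, not checkov's code."""
import json

# Constructed sample (not the real data.all cdk.out output): one policy shaped like the
# flagged AssetsFileRoleDefaultPolicy, one with the same write actions scoped to a
# project ARN, and one read-only policy on "*".
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Resources": {
    "dataallmaincdkpipelineAssetsFileRoleDefaultPolicyA1B2C3": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": ["codebuild:BatchGetBuilds", "codebuild:StartBuild", "codebuild:StopBuild"],
              "Effect": "Allow",
              "Resource": "*"
            }
          ]
        },
        "Roles": [{"Ref": "dataallmaincdkpipelineAssetsFileRoleD4E5F6"}]
      }
    },
    "ScopedBuildPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": ["codebuild:StartBuild", "codebuild:StopBuild"],
              "Effect": "Allow",
              "Resource": {"Fn::GetAtt": ["AssetsBuildProject", "Arn"]}
            }
          ]
        }
      }
    },
    "ReadOnlyPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Action": "s3:GetObject", "Effect": "Allow", "Resource": "*"}
          ]
        }
      }
    }
  }
}
""")

POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
# Heuristic (assumption): an API verb starting with one of these is read-only; anything
# else (Start, Stop, Put, Create, Delete, ...) or a wildcard verb is treated as write.
READ_ONLY_VERB_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Head")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_write_action(action: str) -> bool:
    verb = action.split(":", 1)[1] if ":" in action else action
    if "*" in verb:
        return True
    return not verb.startswith(READ_ONLY_VERB_PREFIXES)


def is_unconstrained(resource) -> bool:
    """True when any Resource entry is the bare wildcard '*' (an ARN or Fn::GetAtt is a constraint)."""
    return any(r == "*" for r in _as_list(resource))


def find_unconstrained_write(template: dict) -> list[dict]:
    """Return one finding per Allow statement that grants write actions on Resource '*'."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in POLICY_TYPES:
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue
            writes = [a for a in _as_list(stmt["Action"]) if is_write_action(a)]
            if writes and is_unconstrained(stmt.get("Resource")):
                findings.append({"resource": logical_id, "write_actions": writes})
    return findings


def apply_baseline(findings: list[dict], baselined_resources: set[str]) -> list[dict]:
    """Conceptual model of a checkov baseline: drop failures already accepted by resource id."""
    return [f for f in findings if f["resource"] not in baselined_resources]


if __name__ == "__main__":
    found = find_unconstrained_write(SAMPLE_TEMPLATE)
    for f in found:
        print(f"FAILED {f['resource']}: {', '.join(f['write_actions'])}")
    remaining = apply_baseline(found, {"dataallmaincdkpipelineAssetsFileRoleDefaultPolicyA1B2C3"})
    print(f"{len(remaining)} failure(s) after applying baseline")
```

Against the real synthesized stack the equivalent workflow is `checkov -f cdk.out/dataall-main-cicd-stack.template.json --check CKV_AWS_111` to reproduce the failure, `--create-baseline` to record the current failures in a baseline file, and `--baseline <file>` on later scans to suppress them. Two caveats: the baseline keys on the full logical ID including the `{Hash}` suffix, which CDK derives from the construct path, so the entry stays valid only while that path is unchanged; and a baseline silences the finding rather than fixing it, the actual remediation being to scope `Resource` to the CodeBuild project ARN as the `ScopedBuildPolicy` sample does.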

Thanks for opening an issue @mourya-33. I assigned you to the issue, let us know if you need any support

dlpzx · Apr 24 '24 06:04

Thanks Adriana

mourya-33 · Jun 07 '24 02:06