dataall icon indicating copy to clipboard operation
dataall copied to clipboard

Published 20 hours ago verified publisher icon data-dot-all

Restrict RAM IAM permissions in pivot role

Open mourya-33 opened this issue 10 months ago • 4 comments

Describe the bug

Pivot Role (auto created and custom) has the following unrestricted permissions on KMS and RAM shares. This role needs to be added as an exception until the following are remediated.

  • Sid: RamInvitations Effect: Allow Action: - "ram:AcceptResourceShareInvitation" - "ram:RejectResourceShareInvitation" - "ram:EnableSharingWithAwsOrganization" Resource: '*'

How to Reproduce

Run checkov scan for auto created pivot role or custom pivot role - deploy/pivot_role/pivotRole.yaml. The scan will FAIL with the following message.

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.PivotRolePolicy0 File: /deploy/pivot_role/pivotRole.yaml:{line numbers} Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

	Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.PivotRolePolicy0 File: /deploy/pivot_role/pivotRole.yaml:{line numbers} Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

Expected behavior

Once remediated, the checkov scan should not contain the above mentioned failures.

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.3

Additional context

No response

mourya-33 avatar Apr 19 '24 03:04 mourya-33

Hi @mourya-33 thanks for opening an issue. I have quickly looked into the docs and actions such as ram:AcceptResourceShareInvitation can only be limited to ram:ShareOwnerAccountId and ram:ResourceShareName.

So, we cannot restrict permissions based on tags, but we can use the Resource share name, because all data.all RAM shares will be using Lake Formation and will have a name such as LakeFormation-VX-UNIQUEIDENTIFIER. Is that what you are looking for? Or do you just need to include the policy as an exception in checkov?

dlpzx avatar Apr 24 '24 07:04 dlpzx

@mourya-33 Any updates on this?

anmolsgandhi avatar May 23 '24 20:05 anmolsgandhi

@dlpzx @mourya-33 @anmolsgandhi I think we just put this as a checkov exception. I don't think this one is worth solving.

zsaltys avatar Jun 06 '24 09:06 zsaltys

@zsaltys if we can add this to checkov exceptions, shall I close this?

mourya-33 avatar Jun 07 '24 04:06 mourya-33