
Overly permissive cdkExecRolePolicy

Open mourya-33 opened this issue 4 months ago • 0 comments

Describe the bug

cdkExecPolicy.yaml has overly permissive statements that are flagged by checkov scan.

```text
KMS: Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.CDKCustomExecutionPolicy0 File: /deploy/cdk_exec_policy/cdkExecPolicy.yaml:42-144 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.CDKCustomExecutionPolicy0 File: /deploy/cdk_exec_policy/cdkExecPolicy.yaml:42-144 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

SID: LF Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.CDKCustomExecutionPolicy0 File: /deploy/cdk_exec_policy/cdkExecPolicy.yaml:42-261 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.CDKCustomExecutionPolicy0 File: /deploy/cdk_exec_policy/cdkExecPolicy.yaml:42-261 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation" FAILED for resource: AWS::IAM::ManagedPolicy.CDKCustomExecutionPolicy0 File: /deploy/cdk_exec_policy/cdkExecPolicy.yaml:42-261 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

SID: EC2 Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.CDKCustomExecutionPolicy0 File: /deploy/cdk_exec_policy/cdkExecPolicy.yaml:42-280 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure" FAILED for resource: AWS::IAM::ManagedPolicy.CDKCustomExecutionPolicy0 File: /deploy/cdk_exec_policy/cdkExecPolicy.yaml:42-280 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure

            Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.CDKCustomExecutionPolicy0 File: /deploy/cdk_exec_policy/cdkExecPolicy.yaml:42-280 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

            Code lines for this resource are too many. Please use IDE of your choice to review the file.
```

How to Reproduce

```shell
checkov -f deploy/cdk_exec_policy/cdkExecPolicy.yaml
```

Execute the above statement to run a checkov scan on the policy to identify the checkov FAILURES.

Expected behavior

The policy must not contain overly permissive IAM statements and all checkov scans should PASS

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.6

Additional context

No response

mourya-33 Oct 04 '24 04:10
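The checks quoted in the report (CKV_AWS_107, 109, 110, 111) all reduce to the same question: does an Allow statement grant a sensitive class of action on `Resource: "*"` with no `Condition` to constrain it? The following is an added, self-contained illustration of that kind of check, written for this page and not taken from data.all or from checkov; it does not reproduce checkov's actual rule logic, and the action categories, the resource name `ExampleExecutionPolicy` and the sample template are constructed assumptions. A real template would be loaded with a YAML parser instead of the inline dict.

```python
"""Constructed example: a minimal IAM policy linter in the spirit of the
checkov checks quoted in the issue.  It is NOT checkov and does not
reproduce its rules; the action lists and sample template are assumptions."""
from fnmatch import fnmatch

# Assumed, simplified action categories (not checkov's own lists).
WRITE_VERBS = ("Create", "Delete", "Put", "Update", "Modify",
               "Run", "Terminate", "Start", "Stop", "Attach", "Detach")
PERMISSIONS_MGMT = ("iam:Attach*Policy", "iam:Put*Policy", "iam:Create*",
                    "iam:Delete*Policy", "iam:UpdateAssumeRolePolicy",
                    "iam:PassRole", "kms:PutKeyPolicy", "s3:PutBucketPolicy",
                    "lakeformation:GrantPermissions")
CREDENTIALS_EXPOSURE = ("iam:CreateAccessKey", "iam:CreateLoginProfile",
                        "iam:UpdateLoginProfile", "sts:GetFederationToken",
                        "ec2:GetPasswordData", "ecr:GetAuthorizationToken")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches_any(action, patterns):
    return any(fnmatch(action, p) for p in patterns)


def _is_write(action):
    # "*" and "service:*" cover every write in scope; otherwise inspect the verb.
    if action == "*" or action.endswith(":*"):
        return True
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(WRITE_VERBS)


def lint_statement(stmt):
    """Return finding codes for one statement (empty list means clean)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings          # Deny statements never widen access
    # The "constraint" the checks ask for: a scoped Resource or a Condition.
    unconstrained = "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition")
    actions = _as_list(stmt.get("Action"))
    if unconstrained and any(_is_write(a) for a in actions):
        findings.append("WRITE_WITHOUT_CONSTRAINT")
    if unconstrained and any(a in ("*", "iam:*") or _matches_any(a, PERMISSIONS_MGMT)
                             for a in actions):
        findings.append("PERMISSIONS_MGMT_WITHOUT_CONSTRAINT")
    if any(a == "*" or _matches_any(a, CREDENTIALS_EXPOSURE) for a in actions):
        findings.append("CREDENTIALS_EXPOSURE")
    return findings


def lint_policy_document(doc):
    """Yield (Sid, finding) pairs for every statement in a policy document."""
    for stmt in _as_list(doc.get("Statement")):
        for finding in lint_statement(stmt):
            yield (stmt.get("Sid", "<no Sid>"), finding)


def lint_template(template):
    """Lint every IAM policy resource in a CloudFormation template dict."""
    results = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
            doc = res.get("Properties", {}).get("PolicyDocument", {})
            findings = list(lint_policy_document(doc))
            if findings:
                results[name] = findings
    return results


# Constructed sample template; resource name and statements are made up.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ExampleExecutionPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Sid": "KMS", "Effect": "Allow", "Resource": "*",
                 "Action": ["kms:CreateKey", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"]},
                {"Sid": "EC2", "Effect": "Allow", "Resource": "*",
                 "Action": ["ec2:RunInstances", "ec2:GetPasswordData", "iam:PassRole"]},
                {"Sid": "Scoped", "Effect": "Allow",
                 "Resource": "arn:aws:s3:::example-bucket/*", "Action": "s3:PutObject"},
                {"Sid": "Conditioned", "Effect": "Allow", "Resource": "*",
                 "Action": "kms:CreateGrant",
                 "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
            ]}},
        }
    }
}

if __name__ == "__main__":
    for resource, findings in lint_template(SAMPLE_TEMPLATE).items():
        for sid, finding in findings:
            print(f"{resource}: statement {sid}: {finding}")
```

The `Scoped` and `Conditioned` statements come back clean: the first because its `Resource` is an ARN rather than `*`, the second because a `Condition` counts as a constraint. That is the usual remediation path for findings like the ones in the report: narrow the resource, add a condition key, or split a broad statement so only the actions that genuinely require `Resource: "*"` keep it.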