
Remove access without constraints on the cdk custom execution policy

zsaltys opened this issue

The cdk custom execution policy installed on AWS accounts has policies which are picked up by the Checkov scanner where the policy has unrestricted access. By unrestricted I mean granting actions on resource '*'.

This is the list of these actions picked up:

CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /deploy/cdk_exec_policy/cdkExecPolicy.yaml:12-269
Resource	: AWS::IAM::ManagedPolicy.CDKCustomExecutionPolicy0
Guideline	: CKV_AWS_111 

Expected resolution

Please ensure that the cdk execution policy never grants an action which is completely unrestricted. Ideally everything should be restricted by asking for dataall prefix.

zsaltys, Nov 16 '23 17:11

Thanks for raising this issue @zsaltys, I think we need to evaluate how best to format this CDK Execution Policy to be as strict as possible while also not impacting any of the functionality of data.all. For now we provide this execution policy as an alternative to the default AdministratorAccess policy that CDK will use to deploy infra, but there is still room to optimize on the above

We will do some further investigation on the above and report back with our findings

noah-paige, Nov 24 '23 18:11

I was looking a bit more into this. Effectively the CDK policy gets attached to cdk-exec-role, which is used by CloudFormation only. This logically tells us that it will only be used to manage resources that data.all itself created. It would never use these permissions on existing resources. However!

In theory it is still possible to run lambdas in CloudFormation as custom resources, so technically you COULD delete existing roles or modify existing roles not created by data.all. When we ask users to onboard data.all and they see permissions like this:

      - Sid: IAM
        Effect: Allow
        Action:
          - 'iam:CreatePolicy*'
          - 'iam:DeletePolicy*'
          - 'iam:DetachRolePolicy'
          - 'iam:DeleteRole'
          - 'iam:CreateRole'
          - 'iam:DeleteRolePolicy'
          - 'iam:*Tag*'
          - 'iam:PassRole'
          - 'iam:AttachRolePolicy'
          - 'iam:*ServiceLinkedRole'
          - 'iam:Get*'
          - 'iam:List*'
          - 'iam:UpdateAssumeRolePolicy'
          - 'iam:PutRolePolicy'
        Resource:
          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/*'
          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/*'

It scares the daylights out of them. I'd rather avoid explaining that it is very unlikely that anyone could use this role to do anything to their existing resources. Logically it seems to me it should be entirely possible to require that everything in this policy uses a resource prefix, because all of the resources managed by cdk-exec-role should have been created by data.all itself.

zsaltys, Jan 26 '24 16:01
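The issue description and the comment above both ask for the same thing: no write action on a bare wildcard resource, everything narrowed to a `dataall` name prefix. The following is an added example, not code from the data.all project or from Checkov. It takes the IAM statement quoted above (with the CloudFormation `!Sub` values filled in with a constructed placeholder account id), flags every write action that is granted on an unconstrained resource, and shows the prefix-scoped rewrite coming back clean. The read-only verb list and the `dataall` prefix rule are assumptions that mirror the issue's request; the check is a simplified illustration of what CKV_AWS_111 looks for, not Checkov's own implementation.

```python
"""Flag IAM write actions granted on unconstrained resources and show a
prefix-scoped rewrite of the statement quoted in the issue.

Added example, not data.all or Checkov code. The 'dataall' prefix and the
read-only verb list are assumptions taken from the issue text.
"""
from typing import Any

ACCOUNT = "123456789012"   # constructed placeholder, not a real account id
PREFIX = "dataall"         # naming prefix the issue asks every resource to carry

# Verb prefixes treated as read-only; every other action counts as a write.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def _as_list(value: Any) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_write_action(action: str) -> bool:
    """'iam:Get*' -> False; 'iam:DeleteRole' and 'iam:*Tag*' -> True."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return not verb.startswith(READ_ONLY_VERBS)


def is_unconstrained_resource(resource: str, prefix: str = PREFIX) -> bool:
    """True for a bare '*' (the CKV_AWS_111 case the issue reports) and for
    any wildcard ARN whose resource part is not narrowed by the expected
    name prefix, which is the stricter rule the issue asks for."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)       # arn:partition:service:region:account:resource
    if len(parts) < 6:
        return True                      # not an ARN at all; treat as unconstrained
    resource_part = parts[5]
    return "*" in resource_part and prefix not in resource_part


def find_unconstrained_statements(policy: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Return (Sid, action, resource) for every write action that an Allow
    statement grants on an unconstrained resource. Deny statements restrict
    rather than grant, so they are skipped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if not is_unconstrained_resource(res):
                continue
            for act in _as_list(stmt.get("Action", [])):
                if is_write_action(act):
                    findings.append((stmt.get("Sid", "<no Sid>"), act, res))
    return findings


def scope_to_prefix(stmt: dict[str, Any], prefix: str = PREFIX) -> dict[str, Any]:
    """Rewrite each wildcard ARN so its name segment starts with the prefix:
    '...:role/*' becomes '...:role/dataall*'. A bare '*' has no ARN to narrow
    and is left alone, so it keeps showing up as a finding."""
    scoped = dict(stmt)
    scoped["Resource"] = [
        r[:-1] + prefix + "*" if r != "*" and r.endswith("*") and is_unconstrained_resource(r, prefix) else r
        for r in _as_list(stmt.get("Resource", []))
    ]
    return scoped


# The statement quoted in the issue, with the !Sub values filled in.
WEAK_STATEMENT = {
    "Sid": "IAM",
    "Effect": "Allow",
    "Action": [
        "iam:CreatePolicy*", "iam:DeletePolicy*", "iam:DetachRolePolicy",
        "iam:DeleteRole", "iam:CreateRole", "iam:DeleteRolePolicy",
        "iam:*Tag*", "iam:PassRole", "iam:AttachRolePolicy",
        "iam:*ServiceLinkedRole", "iam:Get*", "iam:List*",
        "iam:UpdateAssumeRolePolicy", "iam:PutRolePolicy",
    ],
    "Resource": [
        f"arn:aws:iam::{ACCOUNT}:policy/*",
        f"arn:aws:iam::{ACCOUNT}:role/*",
    ],
}

if __name__ == "__main__":
    for sid, act, res in find_unconstrained_statements({"Statement": [WEAK_STATEMENT]}):
        print(f"{sid}: {act} on {res}")
    hardened = scope_to_prefix(WEAK_STATEMENT)
    print("after scoping:", hardened["Resource"])
    print("remaining findings:", find_unconstrained_statements({"Statement": [hardened]}))
```

Run as a script it lists the 24 write-action/resource pairs from the quoted statement (12 write actions across the two wildcard ARNs), then prints the `policy/dataall*` and `role/dataall*` rewrite with no findings left. The prefix check is deliberately a substring test on the resource part of the ARN, so it accepts object wildcards under an already-prefixed bucket while still rejecting `role/*`; a real policy review would add the `iam:PassRole` condition keys and other service-specific narrowing that the substring rule does not model.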

@mourya-33 can we close this? Does Checkov still complain about this?

zsaltys, Jun 06 '24 09:06

This can be closed as well @zsaltys

mourya-33, Jun 07 '24 03:06