dataall icon indicating copy to clipboard operation
dataall copied to clipboard

Published 20 hours ago verified publisher icon data-dot-all

Remove access without constraints on various policies

Open zsaltys opened this issue 1 year ago • 2 comments

There are various policies installed by data.all granting unrestricted access to resources. This gets picked up by Checkov security scanner. By unrestricted I mean granting actions on resource '*'.

This is the list of these actions picked up:

CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /cdk.out/dataall-cdk-template-cicd-stack.template.json:3106-3140
Resource	: AWS::IAM::Policy.dataallcdktemplatecdkpipelinePipelineBuildSynthCdkBuildProjectPolicyDocument0F8F4003
Guideline	: CKV_AWS_111 

CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /cdk.out/dataall-cdk-template-cicd-stack.template.json:3605-3639
Resource	: AWS::IAM::Policy.dataallcdktemplatecdkpipelinePipelinedataallstagingdbmigrationstageMigrateDBPolicyDocumentFD518241
Guideline	: CKV_AWS_111 

CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /cdk.out/dataall-cdk-template-cicd-stack.template.json:4630-4752
Resource	: AWS::IAM::Policy.dataallcdktemplatecdkpipelineAssetsFileRoleDefaultPolicyADA3EF5E
Guideline	: CKV_AWS_111 

CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /cdk.out/assembly-dataall-cdk-template-cicd-stack-dataall-staging-backend-stage/dataallcdktemplatecicdstackdataallstagingbackendstagebackendstackDbMigration96E13135.nested.template.json:554-585
Resource	: AWS::IAM::Policy.DBMigrationCBProjectstagingPolicyDocument690B6300
Guideline	: CKV_AWS_111 

CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /cdk.out/assembly-dataall-cdk-template-cicd-stack-dataall-staging-backend-stage/dataallcdktemplatecicdstackdataallstagingbackendstagebackendstackLambdas760AD7F8.nested.template.json:310-442
Resource	: AWS::IAM::Role.dataallstagingesproxyrole91A7EBFB
Guideline	: CKV_AWS_111 

CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /cdk.out/assembly-dataall-cdk-template-cicd-stack-dataall-staging-backend-stage/dataallcdktemplatecicdstackdataallstagingbackendstagebackendstackLambdas760AD7F8.nested.template.json:879-1011
Resource	: AWS::IAM::Role.dataallstaginggraphqlrole479A99FC
Guideline	: CKV_AWS_111 

CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /cdk.out/assembly-dataall-cdk-template-cicd-stack-dataall-staging-backend-stage/dataallcdktemplatecicdstackdataallstagingbackendstagebackendstackLambdas760AD7F8.nested.template.json:1467-1599
Resource	: AWS::IAM::Role.dataallstagingawsworkerroleFDFEE189
Guideline	: CKV_AWS_111 


CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /cdk.out/assembly-dataall-cdk-template-cicd-stack-dataall-staging-backend-stage/dataallcdktemplatecicdstackdataallstagingbackendstagebackendstackLambdas760AD7F8.nested.template.json:2925-2951
Resource	: AWS::IAM::Policy.LogRetentionaae0aa3c5b4d4f87b02d85b201efdd8aServiceRoleDefaultPolicyADDA7DEB
Guideline	: CKV_AWS_111 

CheckID		: CKV_AWS_111
CheckName	: Ensure IAM policies does not allow write access without constraints
File		: /cdk.out/assembly-dataall-cdk-template-cicd-stack-dataall-staging-cloudfront-stage/dataallcdktemplatecicdstackdataallstagingcloudfrontstagecloudfrontstackCloudFront17AF3D7E.nested.template.json:1128-1206
Resource	: AWS::IAM::Policy.S3DeploymentRolestagingDefaultPolicy4672E484
Guideline	: CKV_AWS_111

Expected resolution

Please ensure that the these policies do not grant completely unrestricted access to resources. Ideally everything should be restricted by asking for dataall prefix.

zsaltys avatar Nov 16 '23 17:11 zsaltys

Thanks for raising this issue @zsaltys, we will have to investigate which roles Checkov is reporting as non-compliant and ensure we can restrict them further, but yes theoretically every write operation should be able to be limited to at least some form of naming convention based on the type of data.all configuration

We will do some further investigation on the above and report back with our findings

noah-paige avatar Nov 24 '23 18:11 noah-paige

Created a PR - https://github.com/data-dot-all/dataall/pull/1134 for this

  1. Cloudfront changes to policy are currently in the PR.
  2. DB, lambda and main stack changes are in progress

mourya-33 avatar Mar 30 '24 07:03 mourya-33

@mourya-33 can tis be closed? Have we solved anything we can with this specific ticket?

zsaltys avatar Jun 06 '24 09:06 zsaltys

I am closing this @zsaltys , Except for the AssetFileRole and S3BucketDeployment Role, rest of them are addressed in this.

The AssetFileRole needs checkov baselining and is tracked here - https://github.com/data-dot-all/dataall/issues/1188 For the bucket deployment role, we have a separate PFR for CDK

mourya-33 avatar Jun 07 '24 02:06 mourya-33

@zsaltys i dont seem to have permissions to close this since you are the owner for this.

mourya-33 avatar Jun 07 '24 03:06 mourya-33