DP-40767 : module added to rotate credentials for specified iam users only. #256
Conversation
Prisma Cloud has found errors in this PR ⬇️
On line: resource "aws_iam_policy" "iam_policy_for_lambda_key_rotation" {
IAM policies allow exposure of credentials
Resource: aws_iam_policy.iam_policy_for_lambda_key_rotation | Checkov ID: CKV_AWS_287
How to Fix
resource "aws_iam_policy" "example" {
  name        = "example"
  path        = "/"
  description = "An example policy"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.test_role.name
  policy_arn = aws_iam_policy.example.arn
}
Description
This policy is used to verify if Identity and Access Management (IAM) policies are configured in a way that prevents the exposure of credentials. This is paramount for security as exposure of credentials could allow unauthorized users access to sensitive resources and operations. This includes viewing, modifying or deleting data, which can expose the organization to a range of risks, from data breaches to the potential shut down of systems. Therefore, it's crucial to ensure IAM policies are correctly configured to prevent credentials exposure.
On line: resource "aws_iam_policy" "lambda_secrets_user_accesskey_rotation" {
IAM policies allow permissions management or resource exposure without constraints
Resource: aws_iam_policy.lambda_secrets_user_accesskey_rotation | Checkov ID: CKV_AWS_289
How to Fix
# Sample IAM Policy
resource "aws_iam_policy" "my_custom_policy" {
  name        = "my_custom_policy"
  description = "A custom policy with only necessary permissions"
  policy = jsonencode(
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:ListBucket"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my_bucket"
        }
      ]
    }
  )
}
Description
This policy is verifying that IAM (Identity and Access Management) permissions don't allow unfettered management of permissions or exposure of resources without any limitations or safeguards.
The risk associated with not adhering to this policy is quite high. If IAM policies allow unconstrained permissions management or unrestricted resource exposure, it creates an opportunity for unauthorized access or manipulation of critical resources, potentially leading to data breaches or compromising the security of the system. Therefore, it's crucial to apply constraints or conditions to manage who can do what and prevent unnecessary exposure of resources.
On line: resource "aws_iam_policy" "iam_policy_for_lambda_key_rotation" {
IAM policies allow permissions management or resource exposure without constraints
Resource: aws_iam_policy.iam_policy_for_lambda_key_rotation | Checkov ID: CKV_AWS_289
How to Fix and Description: identical to the CKV_AWS_289 finding on aws_iam_policy.lambda_secrets_user_accesskey_rotation above.
On line: resource "aws_iam_policy" "lambda_secrets_user_accesskey_rotation" {
IAM policy document allows all resources with restricted actions
Resource: aws_iam_policy.lambda_secrets_user_accesskey_rotation | Checkov ID: CKV_AWS_355
How to Fix
resource "aws_iam_policy" "example" {
  name        = "test_policy"
  path        = "/"
  description = "My test policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "states:CreateStateMachine",
        ]
        Effect = "Allow"
-       Resource = "*"
+       Resource = "arn:aws:<resource_type>:::<myresource>"
      },
    ]
  })
}
Description
This policy checks IAM policies for statements that allow unrestricted resource access ('*') for actions that can and should be restricted to specific resources. This behavior is potentially unsafe because it broadens the scope of access controls and increases the risk of unauthorized access.
Prisma Cloud checks the AWS documentation for IAM actions that can be restricted to a resource and recommends defining a specific resource rather than '*'. For example, the s3:PutObject action can be restricted to a specific S3 bucket instead of allowing uploads to any S3 bucket using '*'. It is best security practice to define granular permissions to each user access, as unrestricted access can lead to unwanted manipulations or data breaches. Therefore, it is recommended to specify restrictions and assign minimum necessary access rights.
On line: resource "aws_iam_policy" "lambda_secrets_user_accesskey_rotation" {
IAM policies allow write access without constraints
Resource: aws_iam_policy.lambda_secrets_user_accesskey_rotation | Checkov ID: CKV_AWS_290
How to Fix
resource "aws_iam_policy" "policy" {
  name        = "test_policy"
  path        = "/"
  description = "A test policy"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}
      }
    }
  ]
}
EOF
}
Description
This policy is designed to determine whether IAM (Identity and Access Management) policies within your AWS (Amazon Web Services) environment allow write access without any imposed restrictions. The violation of this policy could be potentially dangerous as the absence of constraints means that an entity with write access is capable of making unlimited changes. This can include, but is not limited to, the modification of resources or data, or the launching of instances. Particularly in a situation where the entity's credentials are compromised, unrestricted write access could lead to severe damage, such as data breaches or loss. Therefore, to enhance security and minimize risks, it is advisable to enforce appropriate constraints on IAM policies wherever possible.
For more info, see the cloudsplaining documentation: https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/
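The four IAM findings above (CKV_AWS_287, CKV_AWS_289, CKV_AWS_355 and CKV_AWS_290) all come down to the same two questions about each Allow statement: is Resource "*", and is there a Condition. The script below is an added example, not code from this PR and not Checkov's implementation, that approximates those checks on an IAM policy document and runs them against a deliberately broad key-rotation policy and a scoped one. The action lists are illustrative subsets of the Cloudsplaining categories Checkov draws on, the write-verb heuristic stands in for per-action access levels, and the account ID, user names and secret ARN are constructed for the sample.

```python
"""Approximate Checkov's CKV_AWS_287/289/290/355 on an IAM policy document.

Added example: not the project's code and not Checkov's own logic.
"""
import fnmatch
import json

# Illustrative subsets of the Cloudsplaining "credentials exposure" and
# "permissions management" categories (assumption: not the complete lists).
CREDENTIALS_EXPOSURE = {
    "iam:createaccesskey", "iam:updateaccesskey", "iam:createloginprofile",
    "iam:updateloginprofile", "sts:assumerole", "sts:getfederationtoken",
    "ecr:getauthorizationtoken", "ec2:getpassworddata",
}
PERMISSIONS_MANAGEMENT = {
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:putuserpolicy",
    "iam:putrolepolicy", "iam:createpolicyversion",
    "iam:setdefaultpolicyversion", "iam:passrole",
}
# Actions with no resource-level permissions, so Resource "*" is unavoidable
# (assumption: a small hand-picked set, not the full service reference).
WILDCARD_ONLY = {"iam:listusers", "iam:getaccountsummary", "sts:getcalleridentity"}
# Verb prefixes treated as the Write access level (approximation).
WRITE_VERBS = ("create", "put", "update", "delete", "rotate", "modify",
               "attach", "detach", "set", "remove", "add", "*")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, known_actions):
    """Expand an action pattern such as iam:* against a known-action set."""
    return {a for a in known_actions if fnmatch.fnmatchcase(a, pattern.lower())}


def _is_write(action):
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.lower().startswith(WRITE_VERBS)


def find_issues(policy_document):
    """Return sorted (checkov_id, sid_or_index, action) tuples for Allow statements.

    Deny statements and NotAction/NotResource are not modelled here.
    """
    issues = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", str(idx))
        resources = _as_list(stmt.get("Resource"))
        if "*" not in resources:
            continue  # a scoped resource clears all four checks
        constrained = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action")):
            # 287/289/290 only fire on unconstrained wildcard statements.
            if not constrained:
                for hit in sorted(_matches(action, CREDENTIALS_EXPOSURE)):
                    issues.append(("CKV_AWS_287", sid, hit))
                for hit in sorted(_matches(action, PERMISSIONS_MANAGEMENT)):
                    issues.append(("CKV_AWS_289", sid, hit))
                if _is_write(action):
                    issues.append(("CKV_AWS_290", sid, action))
            # 355 fires whenever "*" is used for an action that can be scoped.
            if action.lower() not in WILDCARD_ONLY:
                issues.append(("CKV_AWS_355", sid, action))
    return sorted(set(issues))


def summarize(policy_document):
    """Count findings per Checkov ID; an empty dict means the policy passes."""
    counts = {}
    for check_id, _, _ in find_issues(policy_document):
        counts[check_id] = counts.get(check_id, 0) + 1
    return counts


# Constructed sample: the quick policy a rotation Lambda often starts with.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "RotateKeys", "Effect": "Allow",
                   "Action": ["iam:*", "secretsmanager:PutSecretValue"],
                   "Resource": "*"}],
}

# Constructed sample: same job, scoped to named users and one secret prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "RotateNamedUsersOnly", "Effect": "Allow",
         "Action": ["iam:ListAccessKeys", "iam:CreateAccessKey",
                    "iam:UpdateAccessKey", "iam:DeleteAccessKey"],
         "Resource": ["arn:aws:iam::123456789012:user/svc-deploy",
                      "arn:aws:iam::123456789012:user/svc-ci"]},
        {"Sid": "StoreNewSecret", "Effect": "Allow",
         "Action": "secretsmanager:PutSecretValue",
         "Resource": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:iam/svc-*"},
        # iam:ListUsers has no resource-level permissions, so "*" is the only
        # option; a Condition keeps the statement constrained anyway.
        {"Sid": "EnumerateUsers", "Effect": "Allow",
         "Action": "iam:ListUsers", "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalAccount": "123456789012"}}},
    ],
}

if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(summarize(doc)))
```

Running it reports four check IDs against BROAD_POLICY (iam:* alone trips 287, 289, 290 and 355) and nothing against SCOPED_POLICY, which is the shape the key-rotation Lambda policies in this PR need: user ARNs for the iam:*AccessKey actions, a secret ARN for Secrets Manager, and "*" only where the action gives no choice.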
On line: resource "aws_iam_policy" "iam_policy_for_lambda_key_rotation" {
IAM policy document allows all resources with restricted actions
Resource: aws_iam_policy.iam_policy_for_lambda_key_rotation | Checkov ID: CKV_AWS_355
How to Fix and Description: identical to the CKV_AWS_355 finding on aws_iam_policy.lambda_secrets_user_accesskey_rotation above.
On line: resource "aws_iam_policy" "iam_policy_for_lambda_key_rotation" {
IAM policies allow write access without constraints
Resource: aws_iam_policy.iam_policy_for_lambda_key_rotation | Checkov ID: CKV_AWS_290
How to Fix and Description: identical to the CKV_AWS_290 finding on aws_iam_policy.lambda_secrets_user_accesskey_rotation above.
On line: resource "aws_lambda_function" "iam_user_rotate_accesskeys" {
AWS Lambda function is not configured to validate code-signing
Resource: aws_lambda_function.iam_user_rotate_accesskeys | Checkov ID: CKV_AWS_272
How to Fix
resource "aws_lambda_function" "example" {
  function_name = "example"
  # bucket and key must both come from the same signing job output
  s3_bucket     = aws_signer_signing_job.example.signed_object[0].s3[0].bucket
  s3_key        = aws_signer_signing_job.example.signed_object[0].s3[0].key
  handler       = "exports.test"
  runtime       = "nodejs12.x"
+ code_signing_config_arn = aws_lambda_code_signing_config.example.arn
}

resource "aws_lambda_code_signing_config" "example" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.example.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}
Description
This policy ensures that an AWS Lambda function has been properly configured to validate code-signing. If not correctly set up, it could mean that your AWS Lambda function is running code that has not been authenticated. This lack of validation raises a significant security concern, as your service could be running code that has been tampered with or injected with malicious code. This could lead to unauthorized access, data leaks, or compromise of the service. Therefore, it is vital to check and ensure that Lambda functions are enforced to validate code-signing for security.
On line: resource "aws_lambda_function" "remove_inactive_accesskeys" {
AWS Lambda function is not configured to validate code-signing
Resource: aws_lambda_function.remove_inactive_accesskeys | Checkov ID: CKV_AWS_272
How to Fix and Description: identical to the CKV_AWS_272 finding on aws_lambda_function.iam_user_rotate_accesskeys above.
No description provided.