diff --git a/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml b/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml
new file mode 100644
index 00000000000..5c8a1e29466
--- /dev/null
+++ b/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml
@@ -0,0 +1,19 @@
+metadata:
+ id: "CKV2_AWS_66"
+ name: "Ensure MWAA environment is not publicly accessible"
+ category: "NETWORKING"
+
+definition:
+
+ or:
+
+ - cond_type: "attribute"
+ resource_types: "aws_mwaa_environment"
+ attribute: "webserver_access_mode"
+ operator: "not_exists"
+
+ - cond_type: "attribute"
+ resource_types: "aws_mwaa_environment"
+ attribute: "webserver_access_mode"
+ operator: "equals"
+ value: "PRIVATE_ONLY"
diff --git a/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml b/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml
new file mode 100644
index 00000000000..ef36d04e729
--- /dev/null
+++ b/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml
@@ -0,0 +1,12 @@
+metadata:
+ id: "CKV2_AWS_65"
+ name: "Ensure access control lists for S3 buckets are disabled"
+ category: "GENERAL_SECURITY"
+
+definition:
+
+ cond_type: "attribute"
+ resource_types: "aws_s3_bucket_ownership_controls"
+ attribute: "rule.object_ownership"
+ operator: "equals"
+ value: "BucketOwnerEnforced"
diff --git a/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/expected.yaml b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/expected.yaml
new file mode 100644
index 00000000000..c45079ef130
--- /dev/null
+++ b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+ - "aws_mwaa_environment.pud_mwaa_env_pass"
+ - "aws_mwaa_environment.pud_mwaa_env_pass_1"
+fail:
+ - "aws_mwaa_environment.pud_mwaa_env_fail"
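Review bot: The `not_exists` branch of the `or` makes an `aws_mwaa_environment` with no `webserver_access_mode` pass, which is only correct because the provider defaults that attribute to `PRIVATE_ONLY`; that dependency is stated in the test fixture comment but nowhere in the policy itself. I would record it next to the operator so a future default change is caught on review, e.g. `operator: "not_exists"  # absent attribute passes: provider default is PRIVATE_ONLY`. The definition also evaluates only the web server endpoint and says nothing about the environment's `network_configuration`, so the name `Ensure MWAA environment is not publicly accessible` reads broader than what is checked; `Ensure MWAA environment web server is not publicly accessible` would match the definition.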
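Review bot: The condition is evaluated only on `aws_s3_bucket_ownership_controls` resources, so a bucket declared without any ownership-controls resource is never examined and passes by omission, even though a bucket whose object ownership was never set is the case most likely to still have ACLs enabled. If per-bucket coverage is the intent, the definition needs an `and` of a `connection` condition from `aws_s3_bucket` to `aws_s3_bucket_ownership_controls` together with this attribute condition, so that unconnected buckets fail rather than vanish from the result. If the narrower scope is deliberate, it should be stated in the file, e.g. `# only evaluates buckets that declare aws_s3_bucket_ownership_controls; buckets without one are not reported` above `definition:`.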
diff --git a/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/main.tf b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/main.tf
new file mode 100644
index 00000000000..5dc0f36a6ba
--- /dev/null
+++ b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/main.tf
@@ -0,0 +1,104 @@
+# PASS 1: webserver_access_mode = PRIVATE_ONLY
+
+resource "aws_iam_role" "pud_pass_role" {
+ name = "pud_pass_role"
+ assume_role_policy = jsonencode({
+ Version = "2023-09-27"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ },
+ ]
+ })
+
+ tags = {
+ tag-key = "pud_checkov_pass"
+ }
+}
+
+resource "aws_s3_bucket" "pud_pass_bucket" {
+ bucket = "pud_pass_bucket"
+}
+
+resource "aws_mwaa_environment" "pud_mwaa_env_pass" {
+ dag_s3_path = "dags/"
+ execution_role_arn = aws_iam_role.pud_pass_role.arn
+ name = "pud_mwaa_env_pass"
+ webserver_access_mode = "PRIVATE_ONLY"
+ source_bucket_arn = aws_s3_bucket.pud_pass_bucket.arn
+}
+
+# PASS 2: webserver_access_mode Not mentioned. DEFAULT = PRIVATE_ONLY
+
+resource "aws_iam_role" "pud_pass_role_1" {
+ name = "pud_pass_role_1"
+ assume_role_policy = jsonencode({
+ Version = "2023-09-27"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ },
+ ]
+ })
+
+ tags = {
+ tag-key = "pud_checkov_pass_1"
+ }
+}
+
+resource "aws_s3_bucket" "pud_pass_bucket_1" {
+ bucket = "pud_pass_bucket_1"
+}
+
+resource "aws_mwaa_environment" "pud_mwaa_env_pass_1" {
+ dag_s3_path = "dags/"
+ execution_role_arn = aws_iam_role.pud_pass_role.arn
+ name = "pud_mwaa_env_pass_1"
+ source_bucket_arn = aws_s3_bucket.pud_pass_bucket.arn
+}
+
+# FAIL: webserver_access_mode = PUBLIC_ONLY
+
+resource "aws_iam_role" "pud_fail_role" {
+ name = "pud_fail_role"
+ assume_role_policy = jsonencode({
+ Version = "2023-09-27"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ },
+ ]
+ })
+
+ tags = {
+ tag-key = "pud_checkov_fail"
+ }
+}
+
+resource "aws_s3_bucket" "pud_fail_bucket" {
+ bucket = "pud_fail_bucket"
+}
+
+resource "aws_mwaa_environment" "pud_mwaa_env_fail" {
+ dag_s3_path = "dags/"
+ execution_role_arn = aws_iam_role.pud_fail_role.arn
+ name = "pud_mwaa_env_fail"
+ webserver_access_mode = "PUBLIC_ONLY"
+ source_bucket_arn = aws_s3_bucket.pud_fail_bucket.arn
+}
+
diff --git a/tests/terraform/graph/checks/resources/AWSdisableS3ACL/expected.yaml b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/expected.yaml
new file mode 100644
index 00000000000..e6f9c9b79f1
--- /dev/null
+++ b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/expected.yaml
@@ -0,0 +1,4 @@
+fail:
+ - "aws_s3_bucket_ownership_controls.pud_bucket_fail"
+pass:
+ - "aws_s3_bucket_ownership_controls.pud_bucket_pass"
diff --git a/tests/terraform/graph/checks/resources/AWSdisableS3ACL/main.tf b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/main.tf
new file mode 100644
index 00000000000..996219a72c1
--- /dev/null
+++ b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/main.tf
@@ -0,0 +1,27 @@
+# FAIL
+
+resource "aws_s3_bucket" "pud_bucket_fail" {
+ bucket = "pud_bucket_fail"
+}
+
+resource "aws_s3_bucket_ownership_controls" "pud_bucket_fail" {
+ bucket = aws_s3_bucket.pud_bucket_fail.id
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
+# PASS
+
+resource "aws_s3_bucket" "pud_bucket_pass" {
+ bucket = "pud_bucket_pass"
+}
+
+resource "aws_s3_bucket_ownership_controls" "pud_bucket_pass" {
+ bucket = aws_s3_bucket.pud_bucket_pass.id
+
+ rule {
+ object_ownership = "BucketOwnerEnforced"
+ }
+}
\ No newline at end of file
diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
index cce9692eb9e..8fe4795d3bc 100644
--- a/tests/terraform/graph/checks/test_yaml_policies.py
+++ b/tests/terraform/graph/checks/test_yaml_policies.py
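Review bot: `aws_mwaa_environment.pud_mwaa_env_pass_1` points `execution_role_arn` and `source_bucket_arn` at `pud_pass_role` and `pud_pass_bucket` rather than at the `_1` resources declared directly above it, so `aws_iam_role.pud_pass_role_1` and `aws_s3_bucket.pud_pass_bucket_1` are dead fixtures; the check result does not depend on them, but the fixture reads as a copy-paste slip. The two lines should be `execution_role_arn = aws_iam_role.pud_pass_role_1.arn` and `source_bucket_arn = aws_s3_bucket.pud_pass_bucket_1.arn`. Separately, `Version = "2023-09-27"` in all three `assume_role_policy` documents is not a value the IAM policy language accepts (it takes `2012-10-17` or `2008-10-17`), which would matter if these fixtures are ever reused by a test that resolves the role document; `2012-10-17` is the usual choice.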
@@ -412,6 +412,12 @@ def test_AzureMariaDBserverUsingTLS_1_2(self):
 def test_AzureStorageAccountEnableSoftDelete(self):
 self.go("AzureStorageAccountEnableSoftDelete")
+ def test_AWSdisableS3ACL(self):
+ self.go("AWSdisableS3ACL")
+
+ def test_AWS_private_MWAA_environment(self):
+ self.go("AWS_private_MWAA_environment")
+
 def test_registry_load(self):
 registry = Registry(parser=GraphCheckParser(), checks_dir=str(
 Path(__file__).parent.parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks"))