Add CKV2_AWS_68

Corresponds to ea712527-83e7-7855-0ec9-1610194a9b9b
bridgecrewio · May 3, 2024 · 59a89d6 · 59a89d6
1 parent c6d0868
commit 59a89d6
Show file tree

Hide file tree

Showing 4 changed files with 160 additions and 0 deletions.
diff --git a/checkov/terraform/checks/graph_checks/aws/S3UnmonitoredCloudAccounts.yaml b/checkov/terraform/checks/graph_checks/aws/S3UnmonitoredCloudAccounts.yaml
@@ -0,0 +1,17 @@
+metadata:
+  id: "CKV2_AWS_68"
+  name: "Ensure AWS S3 buckets are not accessible to unmonitored cloud accounts"
+  category: "IAM"
+definition:
+  or:
+    - cond_type: attribute
+      resource_types:
+        - aws_s3_bucket_acl
+      attribute: $.access_control_policy[*].grant[*].grantee.id
+      operator: jsonpath_not_exists
+    - cond_type: attribute
+      resource_types:
+        - aws_s3_bucket_acl
+      attribute: $.access_control_policy[*].grant[*].grantee.id
+      operator: jsonpath_equals
+      value: "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
diff --git a/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/expected.yaml b/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/expected.yaml
@@ -0,0 +1,6 @@
+pass:
+  - "aws_s3_bucket_acl.pass_no_id"
+  - "aws_s3_bucket_acl.pass_good_id"
+fail:
+  - "aws_s3_bucket_acl.fail_last_id"
+  - "aws_s3_bucket_acl.fail_multiple_id"
diff --git a/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/main.tf b/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/main.tf
@@ -0,0 +1,134 @@
+# Pass - no IDs
+resource "aws_s3_bucket_acl" "pass_no_id" {
+  depends_on = [aws_s3_bucket_ownership_controls.example]
+
+  bucket = aws_s3_bucket.example.id
+  access_control_policy {
+    grant {
+      grantee {
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+
+    grant {
+      grantee {
+        type = "Group"
+        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    grant {
+      grantee {
+        type = "Group"
+        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+  }
+}
+
+# Pass2 - only good ID
+resource "aws_s3_bucket_acl" "pass_good_id" {
+  depends_on = [aws_s3_bucket_ownership_controls.example]
+
+  bucket = aws_s3_bucket.example.id
+  access_control_policy {
+    grant {
+      grantee {
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+
+    grant {
+      grantee {
+        id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+        type = "Group"
+        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    owner {
+      id = data.aws_canonical_user_id.current.id
+    }
+  }
+}
+
+# Fail - bad last id
+resource "aws_s3_bucket_acl" "fail_last_id" {
+  depends_on = [aws_s3_bucket_ownership_controls.example]
+
+  bucket = aws_s3_bucket.example.id
+  access_control_policy {
+    grant {
+      grantee {
+        #id   = data.aws_canonical_user_id.current.id
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+
+    grant {
+      grantee {
+        id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+        type = "Group"
+        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    grant {
+      grantee {
+        id = "blah"
+        type = "Group"
+        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    owner {
+      id = data.aws_canonical_user_id.current.id
+    }
+  }
+}
+
+# Fail - multiple bad IDs
+resource "aws_s3_bucket_acl" "fail_multiple_id" {
+  depends_on = [aws_s3_bucket_ownership_controls.example]
+
+  bucket = aws_s3_bucket.example.id
+  access_control_policy {
+    grant {
+      grantee {
+        id   = data.aws_canonical_user_id.current.id
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+
+    grant {
+      grantee {
+        id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+        type = "Group"
+        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    grant {
+      grantee {
+        id = "blah"
+        type = "Group"
+        uri  = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    owner {
+      id = data.aws_canonical_user_id.current.id
+    }
+  }
+}
diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
@@ -514,6 +514,9 @@ def test_IBM_K8sClustersAccessibleViaPrivateEndPt(self):
     def test_S3CMKRegularRotation(self):
         self.go("S3CMKRegularRotation")
 
+    def test_S3UnmonitoredCloudAccounts(self):
+        self.go("S3UnmonitoredCloudAccounts")
+
     def test_registry_load(self):
         registry = Registry(parser=GraphCheckParser(), checks_dir=str(
             Path(__file__).parent.parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks"))