From 59a89d68f278a3391b30ee070ca3d4fb1dba3cef Mon Sep 17 00:00:00 2001
From: Taylor
Date: Fri, 3 May 2024 16:45:28 -0700
Subject: [PATCH] Add CKV2_AWS_68

Corresponds to ea712527-83e7-7855-0ec9-1610194a9b9b
---
 .../aws/S3UnmonitoredCloudAccounts.yaml | 17 +++
 .../S3UnmonitoredCloudAccounts/expected.yaml | 6 +
 .../S3UnmonitoredCloudAccounts/main.tf | 134 ++++++++++++++++++
 .../graph/checks/test_yaml_policies.py | 3 +
 4 files changed, 160 insertions(+)
 create mode 100644 checkov/terraform/checks/graph_checks/aws/S3UnmonitoredCloudAccounts.yaml
 create mode 100644 tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/expected.yaml
 create mode 100644 tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/main.tf

diff --git a/checkov/terraform/checks/graph_checks/aws/S3UnmonitoredCloudAccounts.yaml b/checkov/terraform/checks/graph_checks/aws/S3UnmonitoredCloudAccounts.yaml
new file mode 100644
index 00000000000..a912c78a177
--- /dev/null
+++ b/checkov/terraform/checks/graph_checks/aws/S3UnmonitoredCloudAccounts.yaml
@@ -0,0 +1,17 @@
+metadata:
+  id: "CKV2_AWS_68"
+  name: "Ensure AWS S3 buckets are not accessible to unmonitored cloud accounts"
+  category: "IAM"
+definition:
+  or:
+    - cond_type: attribute
+      resource_types:
+        - aws_s3_bucket_acl
+      attribute: $.access_control_policy[*].grant[*].grantee.id
+      operator: jsonpath_not_exists
+    - cond_type: attribute
+      resource_types:
+        - aws_s3_bucket_acl
+      attribute: $.access_control_policy[*].grant[*].grantee.id
+      operator: jsonpath_equals
+      value: "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
diff --git a/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/expected.yaml b/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/expected.yaml
new file mode 100644
index 00000000000..eb1885a8645
--- /dev/null
+++ b/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/expected.yaml
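Review bot: The second `or` branch is the check's entire allow-list — one hard-coded canonical user ID on the `value:` line — and nothing in the file says whose account that is or why grants to it are acceptable, so a reader of CKV2_AWS_68 cannot distinguish it from an arbitrary hex string. Add a comment above `value:`, e.g. `# the only grantee.id permitted in an ACL; every other canonical user ID (including the bucket owner's own) fails this check`, naming the account only once that is confirmed. Neither branch inspects the grant's `permission`, so FULL_CONTROL granted to the permitted ID passes, and grants identified only by a group `uri` (such as the LogDelivery group in the fixtures) are invisible to both branches; if that scoping is deliberate because other checks cover it, say so in the check `name` or a comment. The expected failure of `fail_last_id` (one permitted ID plus one foreign ID) only holds if `jsonpath_equals` requires every value matched by the `[*]` path to equal `value` rather than any of them — worth stating in a comment next to the operator, since the wildcard path makes that easy to misread.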
@@ -0,0 +1,6 @@
+pass:
+  - "aws_s3_bucket_acl.pass_no_id"
+  - "aws_s3_bucket_acl.pass_good_id"
+fail:
+  - "aws_s3_bucket_acl.fail_last_id"
+  - "aws_s3_bucket_acl.fail_multiple_id"
diff --git a/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/main.tf b/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/main.tf
new file mode 100644
index 00000000000..e973afb7d7d
--- /dev/null
+++ b/tests/terraform/graph/checks/resources/S3UnmonitoredCloudAccounts/main.tf
@@ -0,0 +1,134 @@
+# Pass - no IDs
+resource "aws_s3_bucket_acl" "pass_no_id" {
+  depends_on = [aws_s3_bucket_ownership_controls.example]
+
+  bucket = aws_s3_bucket.example.id
+  access_control_policy {
+    grant {
+      grantee {
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+
+    grant {
+      grantee {
+        type = "Group"
+        uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    grant {
+      grantee {
+        type = "Group"
+        uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+  }
+}
+
+# Pass2 - only good ID
+resource "aws_s3_bucket_acl" "pass_good_id" {
+  depends_on = [aws_s3_bucket_ownership_controls.example]
+
+  bucket = aws_s3_bucket.example.id
+  access_control_policy {
+    grant {
+      grantee {
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+
+    grant {
+      grantee {
+        id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+        type = "Group"
+        uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    owner {
+      id = data.aws_canonical_user_id.current.id
+    }
+  }
+}
+
+# Fail - bad last id
+resource "aws_s3_bucket_acl" "fail_last_id" {
+  depends_on = [aws_s3_bucket_ownership_controls.example]
+
+  bucket = aws_s3_bucket.example.id
+  access_control_policy {
+    grant {
+      grantee {
+        #id = data.aws_canonical_user_id.current.id
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+
+    grant {
+      grantee {
+        id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+        type = "Group"
+        uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    grant {
+      grantee {
+        id = "blah"
+        type = "Group"
+        uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    owner {
+      id = data.aws_canonical_user_id.current.id
+    }
+  }
+}
+
+# Fail - multiple bad IDs
+resource "aws_s3_bucket_acl" "fail_multiple_id" {
+  depends_on = [aws_s3_bucket_ownership_controls.example]
+
+  bucket = aws_s3_bucket.example.id
+  access_control_policy {
+    grant {
+      grantee {
+        id = data.aws_canonical_user_id.current.id
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+
+    grant {
+      grantee {
+        id = "c4c1ede66af53448b93c283ce9448c4ba468c9432aa01d700d3878632f77d2d0"
+        type = "Group"
+        uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    grant {
+      grantee {
+        id = "blah"
+        type = "Group"
+        uri = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+      }
+      permission = "READ_ACP"
+    }
+
+    owner {
+      id = data.aws_canonical_user_id.current.id
+    }
+  }
+}
diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
index 6ebe0816aa8..16bc5a33fbf 100644
--- a/tests/terraform/graph/checks/test_yaml_policies.py
+++ b/tests/terraform/graph/checks/test_yaml_policies.py
@@ -514,6 +514,9 @@ def test_IBM_K8sClustersAccessibleViaPrivateEndPt(self):
     def test_S3CMKRegularRotation(self):
         self.go("S3CMKRegularRotation")
 
+    def test_S3UnmonitoredCloudAccounts(self):
+        self.go("S3UnmonitoredCloudAccounts")
+
     def test_registry_load(self):
         registry = Registry(parser=GraphCheckParser(), checks_dir=str(
             Path(__file__).parent.parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks"))
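Review bot: The fixtures never isolate the two cases the check most needs pinned: in `pass_good_id`, `fail_last_id` and `fail_multiple_id` the permitted ID is only ever attached to a `type = "Group"` grantee that also carries a `uri`, while every `CanonicalUser` grantee either has no `id` or (in `fail_multiple_id`) the owner's own `data.aws_canonical_user_id.current.id` next to the foreign `"blah"` grant, so the expected failure there does not show whether the owner's own ID alone is rejected. Add one resource with a single `CanonicalUser` grantee whose `id` is the permitted value (expected pass) and one whose only `id` is `data.aws_canonical_user_id.current.id` (expected fail, if that is the intended behaviour), so the allow-list semantics are covered rather than inferred. The commented-out `#id = data.aws_canonical_user_id.current.id` in `fail_last_id` reads as a leftover and should either be removed or carry a comment saying why it is disabled, and the two identical LogDelivery grants in `pass_no_id` look like a copy-paste; a short comment on each resource header stating which `or` branch of the check it is meant to exercise would make the expected.yaml entries self-explanatory.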