query terraform s3 bucket http policy query, action_check function cause false positive on iam policy document #5352

Closed
LupovichRan opened this issue May 16, 2022 · 2 comments · Fixed by #5415
Labels
bug Something isn't working community Community contribution

Comments

@LupovichRan
Contributor

LupovichRan commented May 16, 2022

https://github.com/Checkmarx/kics/blob/1e1654ff52193635b301e4e06144353b9869ead3/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests/query.rego

query terraform s3 bucket http policy query, action_check function cause false positive on iam policy document

Expected Behavior

Check the IAM policy document to find out whether a deny on HTTP is found on the created S3 bucket.

Actual Behavior

Incorrect report that the bucket is missing a deny on HTTP requests.

Steps to Reproduce the Problem


data "aws_iam_policy_document" "bucket_test_policy" {

  statement {
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = [
      "s3:*",
    ]


    resources = [
      "arn:aws:s3:::a/*",
      "arn:aws:s3:::a",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}


resource "aws_s3_bucket" "bucket_test_bucket" {
  bucket = "a"
  acl    = "private"
  policy = data.aws_iam_policy_document.bucket_test_policy.json
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
  versioning {
    enabled = true
  }
  tags = {
    Name      = "a"
    terraform = true
  }

}

resource "aws_s3_bucket_public_access_block" "bucket_test_block" {
  bucket = aws_s3_bucket.bucket_test_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Specifications

  • Platform: Terraform \ AWS
@LupovichRan LupovichRan added bug Something isn't working community Community contribution labels May 16, 2022
@LupovichRan LupovichRan changed the title from "query terraform s3 bucket http policy does not check iam policy document" to "query terraform s3 bucket http policy query does not check iam policy document" May 25, 2022
@LupovichRan
Contributor Author

LupovichRan commented May 27, 2022

After studying the code and running local tests, it seems the code does support IAM policy documents; the error comes from this function:

validActions := {"*", "s3:*", "s3:GetObject"}

check_action(action) {
	is_string(action)
	action == validActions[x]
} else {
	action[a] == validActions[x]
}

Commenting out this line:
#check_action(statement.Action)
solves the issue.
@kaplanlior - can you please check the purpose of this check_action function?
If it's OK to comment it out, I'll open a pull request for this change; or, if you prefer, I'll remove the function and the array.
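The following is an added example, not KICS's own query code: a small Python checker that performs the evaluation the report's Expected Behavior describes, run over the JSON that Terraform renders from an aws_iam_policy_document. The two policy documents are constructed by hand for this example (not captured from a real terraform plan); the set of HTTP-blocking actions mirrors the validActions set quoted above, and the string-versus-list handling of Action is the case the check_action function above is trying to cover.

```python
import json

# Constructed sample: the JSON Terraform would render from the
# aws_iam_policy_document in the report (hand-written for this example).
HTTPS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::a/*", "arn:aws:s3:::a"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed counter-example: public read with no transport condition.
PLAINTEXT_ALLOWED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::a/*",
    }],
})

# Actions whose denial blocks plaintext object reads; mirrors the
# validActions set quoted from the Rego query above.
HTTP_BLOCKING_ACTIONS = {"*", "s3:*", "s3:GetObject"}


def as_list(value):
    """IAM allows Action, Resource and Principal.AWS to be a string or a
    list; normalise to a list so callers never branch on the type."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_blocks_http(action):
    """True if any action in the statement (string or list form) is one
    whose denial stops plaintext reads."""
    return any(a in HTTP_BLOCKING_ACTIONS for a in as_list(action))


def principal_is_everyone(principal):
    """Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def statement_denies_insecure_transport(statement):
    """True for Effect=Deny with Condition Bool aws:SecureTransport=false
    (the value may be the string "false" or JSON false)."""
    if statement.get("Effect") != "Deny":
        return False
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    values = as_list(bool_cond.get("aws:SecureTransport"))
    return any(str(v).lower() == "false" for v in values)


def policy_enforces_https(policy_json):
    """Return True if at least one statement denies every principal the
    HTTP-blocking actions whenever the request is not made over TLS."""
    policy = json.loads(policy_json)
    for stmt in as_list(policy.get("Statement")):
        if (statement_denies_insecure_transport(stmt)
                and principal_is_everyone(stmt.get("Principal"))
                and action_blocks_http(stmt.get("Action"))):
            return True
    return False


if __name__ == "__main__":
    print("https-only policy:", policy_enforces_https(HTTPS_ONLY_POLICY))
    print("plaintext policy:", policy_enforces_https(PLAINTEXT_ALLOWED_POLICY))
```

Because every field that IAM lets be either a scalar or a list goes through as_list, a statement with Action written as "s3:*" and one written as ["s3:PutObject", "s3:GetObject"] are judged by the same code path, which is the distinction the string/list branches of check_action are meant to make.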

@LupovichRan LupovichRan changed the title from "query terraform s3 bucket http policy query does not check iam policy document" to "query terraform s3 bucket http policy query, action_check function cause false positive on iam policy document" May 27, 2022
@LupovichRan
Contributor Author

LupovichRan commented May 28, 2022

Resolved by #5415.
