Checkmarx · rafaela-soares · Jul 11, 2022 · Jun 29, 2022 · Jun 29, 2022 · Jun 29, 2022
@@ -0,0 +1,11 @@
+{
+    "id": "0ca1017d-3b80-423e-bb9c-6cd5898d34bd",
+    "queryName": "Lambda IAM InvokeFunction Misconfigured",
+    "severity": "LOW",
+    "category": "Best Practices",
+    "descriptionText": "Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'",
+    "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission",
+    "platform": "Terraform",
+    "descriptionID": "0ca1017d",
+    "cloudProvider": "aws"
+}
@@ -0,0 +1,49 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+#CxPolicy for ressource iam policy
+CxPolicy[result] {
+	resourceType := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+	resource := input.document[i].resource[resourceType[idx]][name]
+	policy := common_lib.json_unmarshal(resource.policy)
+	st := common_lib.get_statement(policy)
+	statement := st[_]
+
+
+	check_iam_action(statement) == true
+	not check_iam_ressource(statement)
+
+    result := {
+		"documentId": input.document[i].id,
+		"resourceType": resourceType[idx],
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("%s[%s].policy", [resourceType[idx], name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("%s[%s].policy is misconfigured", [name]),
+		"keyActualValue": sprintf("%s[%s].policy allows access to function (unqualified ARN) and its sub-resources, add another statement with \":*\" to function name", [name])
+	}
+}
+
+check_iam_ressource(statement) {
+	is_string(statement.Resource)
+	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)", statement.Resource)
+	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)", statement.Resource)
+} else {
+	is_array(statement.Resource)
+	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)", statement.Resource[_])
+	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)", statement.Resource[_])
+}
+
+check_iam_action(statement) {
+	any([regex.match("(^lambda:InvokeFunction$|^lambda:[*]$)", statement.actions[_]), statement.actions[_] == "*"])
+} else {
+	any([regex.match("(^lambda:InvokeFunction$|^lambda:[*]$)", statement.Actions[_]), statement.Actions[_] == "*"])
+} else {
+	is_array(statement.Action)
+	any([regex.match("(^lambda:InvokeFunction$|^lambda:[*]$)", statement.Action[_]), statement.Action[_] == "*"])
+} else {
+	is_string(statement.Action)
+	any([regex.match("(^lambda:InvokeFunction$|^lambda:[*]$)", statement.Action), statement.Action == "*"])
+}
@@ -0,0 +1,23 @@
+resource "aws_iam_policy" "negative1policy" {
+  name        = "negative1policy"
+  path        = "/"
+  description = "negative1 Policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "lambda:InvokeFunction",
+        ]
+        Effect   = "Allow"
+        Resource = [
+            "arn:aws:lambda:*:*:function:negative1",
+            "arn:aws:lambda:*:*:function:negative1:*"
+        ]
+      },
+    ]
+  })
+}
@@ -0,0 +1,20 @@
+resource "aws_iam_policy" "negative2policy" {
+  name        = "negative2policy"
+  path        = "/"
+  description = "negative2 Policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "s3:*",
+        ]
+        Effect   = "Allow"
+        Resource = ["*"]
+      },
+    ]
+  })
+}
@@ -0,0 +1,22 @@
+resource "aws_iam_policy" "positive1policy" {
+  name        = "positive1policy"
+  path        = "/"
+  description = "Positive1 Policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "lambda:InvokeFunction",
+        ]
+        Effect   = "Allow"
+        Resource = [
+            "arn:aws:lambda:*:*:function:positive1"
+        ]
+      },
+    ]
+  })
+}
@@ -0,0 +1,22 @@
+resource "aws_iam_policy" "positive2policy" {
+  name        = "positive2policy"
+  path        = "/"
+  description = "Positive2 Policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2022-20-27"
+    Statement = [
+      {
+        Action = [
+          "lambda:InvokeFunction",
+        ]
+        Effect   = "Allow"
+        Resource = [
+            "arn:aws:lambda:*:*:function:positive2*:*"
+        ]
+      },
+    ]
+  })
+}
@@ -0,0 +1,22 @@
+resource "aws_iam_policy" "positive3policy" {
+  name        = "positive3policy"
+  path        = "/"
+  description = "positive3 Policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2022-20-27"
+    Statement = [
+      {
+        Action = [
+          "lambda:InvokeFunction",
+        ]
+        Effect   = "Allow"
+        Resource = [
+            "arn:aws:lambda:*:*:function:*:*"
+        ]
+      },
+    ]
+  })
+}
@@ -0,0 +1,20 @@
+resource "aws_iam_policy" "positive4policy" {
+  name        = "positive4policy"
+  path        = "/"
+  description = "positive4 Policy"
+  policy      = data.aws_iam_policy_document.datapositive4policy.json
+}
+# Terraform's "jsonencode" function converts a
+# Terraform expression result to valid JSON syntax.
+data "aws_iam_policy_document" "datapositive4policy" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "lambda:InvokeFunction"
+    ]
+
+    resources = [
+      "arn:aws:lambda:*:*:function:*:*"
+    ]
+  }
+}
@@ -0,0 +1,22 @@
+resource "aws_iam_policy" "positive5policy" {
+  name        = "positive5policy"
+  path        = "/"
+  description = "positive5 Policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2022-20-27"
+    Statement = [
+      {
+        Action = [
+          "*",
+        ]
+        Effect   = "Allow"
+        Resource = [
+            "arn:aws:lambda:*:*:function:*:*"
+        ]
+      },
+    ]
+  })
+}
@@ -0,0 +1,22 @@
+resource "aws_iam_policy" "positive6policy" {
+  name        = "positive6policy"
+  path        = "/"
+  description = "positive6 Policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2022-20-27"
+    Statement = [
+      {
+        Action = [
+          "lambda:*",
+        ]
+        Effect   = "Allow"
+        Resource = [
+            "arn:aws:lambda:*:*:function:*:*"
+        ]
+      },
+    ]
+  })
+}
@@ -0,0 +1,38 @@
+[
+    {
+      "queryName": "Lambda IAM InvokeFunction Misconfigured",
+      "severity": "LOW",
+      "line": 8,
+      "filename": "positive1.tf"
+    },
+    {
+      "queryName": "Lambda IAM InvokeFunction Misconfigured",
+      "severity": "LOW",
+      "line": 8,
+      "filename": "positive2.tf"
+    },
+    {
+      "queryName": "Lambda IAM InvokeFunction Misconfigured",
+      "severity": "LOW",
+      "line": 8,
+      "filename": "positive3.tf"
+    },
+    {
+      "queryName": "Lambda IAM InvokeFunction Misconfigured",
+      "severity": "LOW",
+      "line": 5,
+      "filename": "positive4.tf"
+    },
+    {
+      "queryName": "Lambda IAM InvokeFunction Misconfigured",
+      "severity": "LOW",
+      "line": 8,
+      "filename": "positive5.tf"
+    },
+    {
+      "queryName": "Lambda IAM InvokeFunction Misconfigured",
+      "severity": "LOW",
+      "line": 8,
+      "filename": "positive6.tf"
+    }
+]