feat(terraform): Adding yaml based build time policies for correspond…

…ing PC run time policies (#3900) * adding yaml based build time policies for corresponding PC run time policies * adding yaml policies to test framework * adding checkov id's * Update checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml Co-authored-by: Anton Grübel <[email protected]> * Updated MR with suggested changes * fix wrong test resource types Co-authored-by: ssiddardha <[email protected]> Co-authored-by: Anton Grübel <[email protected]>
bridgecrewio · Nov 24, 2022 · 88003f5 · 88003f5
1 parent 288927f
commit 88003f5
Show file tree

Hide file tree

Showing 10 changed files with 348 additions and 0 deletions.
diff --git a/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml b/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml
@@ -0,0 +1,16 @@
+metadata:
+  id: "CKV2_AWS_42"
+  name: "Ensure AWS CloudFront distribution uses custom SSL certificate"
+  category: "NETWORKING"
+definition:
+  or:
+  - cond_type: "attribute"
+    resource_types:
+     - "aws_cloudfront_distribution"
+    attribute: "viewer_certificate.iam_certificate_id"
+    operator: "exists"
+  - cond_type: "attribute"
+    resource_types:
+     - "aws_cloudfront_distribution"
+    attribute: "viewer_certificate.acm_certificate_arn"
+    operator: "exists"
diff --git a/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml b/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml
@@ -0,0 +1,11 @@
+metadata:
+  id: "CKV2_AWS_43"
+  name: "Ensure S3 Bucket does not allow access to all Authenticated users"
+  category: "IAM"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "aws_s3_bucket_acl"
+  attribute: "access_control_policy.grant.*.grantee.uri"
+  operator: "not_equals"  
+  value: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
diff --git a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml
@@ -0,0 +1,66 @@
+metadata:
+  id: "CKV2_AWS_44"
+  name: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic"
+  category: "NETWORKING"
+definition:
+  or:
+    - cond_type: "attribute"
+      resource_types:
+        - "aws_route_table"
+      attribute: "route.*.vpc_peering_connection_id"
+      operator: "not_exists"
+    - and:
+        - cond_type: "attribute"
+          resource_types:
+          - "aws_route_table"
+          attribute: "route.*.cidr_block"
+          operator: "not_contains"
+          value: "0.0.0.0/0"
+        - cond_type: "attribute"
+          resource_types:
+          - "aws_route_table"
+          attribute: "route.*.cidr_block"
+          operator: "not_contains"
+          value: "0.0.0.0"
+        - cond_type: "attribute"
+          resource_types:
+            - "aws_route_table"
+          attribute: "route.*.ipv6_cidr_block"
+          operator: "not_contains"
+          value: "::0"
+        - cond_type: "attribute"
+          resource_types:
+            - "aws_route_table"
+          attribute: "route.*.ipv6_cidr_block"
+          operator: "not_contains"
+          value: "::/0"  
+    - cond_type: "attribute"
+      resource_types:
+        - "aws_route"
+      attribute: "vpc_peering_connection_id"          
+      operator: "not_exists"
+    - and:
+        - cond_type: "attribute"
+          resource_types:
+          - "aws_route"
+          attribute: "destination_cidr_block"
+          operator: "not_contains"
+          value: "0.0.0.0/0"
+        - cond_type: "attribute"
+          resource_types:
+          - "aws_route"
+          attribute: "destination_cidr_block"
+          operator: "not_contains"
+          value: "0.0.0.0"
+        - cond_type: "attribute"
+          resource_types:
+            - "aws_route"
+          attribute: "destination_ipv6_cidr_block"
+          operator: "not_contains"
+          value: "::0"
+        - cond_type: "attribute"
+          resource_types:
+            - "aws_route"
+          attribute: "destination_ipv6_cidr_block"
+          operator: "not_contains"
+          value: "::/0"
diff --git a/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/expected.yaml b/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/expected.yaml
@@ -0,0 +1,5 @@
+fail:
+  - "aws_cloudfront_distribution.fail"
+pass:
+  - "aws_cloudfront_distribution.pass_1"
+  - "aws_cloudfront_distribution.pass_2"
diff --git a/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/main.tf b/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/main.tf
@@ -0,0 +1,60 @@
+resource "aws_cloudfront_distribution" "pass_1" {
+
+  origin {
+    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
+    origin_id   = "primaryS3"
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
+    }
+  }
+
+  default_cache_behavior {
+   target_origin_id = "groupS3"
+  }
+
+  viewer_certificate {
+    acm_certificate_arn = "aaaaa"
+  }
+}
+
+resource "aws_cloudfront_distribution" "pass_2" {
+
+  origin {
+    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
+    origin_id   = "primaryS3"
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
+    }
+  }
+
+  default_cache_behavior {
+   target_origin_id = "groupS3"
+  }
+
+  viewer_certificate {
+    acm_certificate_arn = "aaaaa"
+    iam_certificate_id = "adaffwqfwff"
+  }
+}
+
+resource "aws_cloudfront_distribution" "fail" {
+
+  origin {
+    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
+    origin_id   = "primaryS3"
+
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
+    }
+  }
+
+  default_cache_behavior {
+    target_origin_id = "groupS3"
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = "test"
+  }
+}
diff --git a/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+  - "aws_s3_bucket_acl.pass"
+fail:
+  - "aws_s3_bucket_acl.fail_1"
+  - "aws_s3_bucket_acl.fail_2"
diff --git a/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf
@@ -0,0 +1,55 @@
+resource "aws_s3_bucket_acl" "fail_1" {
+  bucket = "name"
+  access_control_policy {
+    grant {
+      grantee {
+        id   = "52b113e7a2f25102679df27bb0ae12b3f85be6"
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+    grant {
+      grantee {
+        type = "Group"
+        uri  = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+      }
+      permission = "READ_ACP"
+    }
+    owner {
+      id = data.aws_canonical_user_id.current.id
+    }
+  }
+}
+
+resource "aws_s3_bucket_acl" "fail_2" {
+  bucket = "name"
+  access_control_policy {
+
+    grant {
+      grantee {
+        type = "Group"
+        uri  = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
+      }
+      permission = "READ_ACP"
+    }
+    owner {
+      id = data.aws_canonical_user_id.current.id
+    }
+  }
+}
+
+resource "aws_s3_bucket_acl" "pass" {
+  bucket = "name"
+  access_control_policy {
+    grant {
+      grantee {
+        id   = "52b113e7a2f25102679df27bb0ae12b3f85be6"
+        type = "CanonicalUser"
+      }
+      permission = "READ"
+    }
+    owner {
+      id = data.aws_canonical_user_id.current.id
+    }
+  }
+}
diff --git a/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/expected.yaml b/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/expected.yaml
@@ -0,0 +1,16 @@
+pass:
+  - "aws_route.aws_route_pass_1"
+  - "aws_route.aws_route_pass_2"
+  - "aws_route.aws_route_pass_3"
+  - "aws_route_table.aws_route_table_pass_1"
+  - "aws_route_table.aws_route_table_pass_2"
+  - "aws_route_table.aws_route_table_pass_3"
+fail:
+  - "aws_route.aws_route_fail_1"
+  - "aws_route.aws_route_fail_2"
+  - "aws_route.aws_route_fail_3"
+  - "aws_route.aws_route_fail_4"
+  - "aws_route_table.aws_route_table_fail_1"
+  - "aws_route_table.aws_route_table_fail_2"
+  - "aws_route_table.aws_route_table_fail_3"
+  - "aws_route_table.aws_route_table_fail_4"
diff --git a/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/main.tf b/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/main.tf
@@ -0,0 +1,105 @@
+resource "aws_route" "aws_route_pass_1" {
+  route_table_id            = "rtb-4fbb3ac4"
+  destination_cidr_block    = "10.0.1.0/22"
+  vpc_peering_connection_id = "pcx-45ff3dc1"
+}
+
+resource "aws_route" "aws_route_pass_2" {
+  route_table_id            = "rtb-4fbb3ac4"
+  destination_ipv6_cidr_block = "2002::1234:abcd:ffff:c0a8:101/64"
+  vpc_peering_connection_id = "pcx-45ff3dc1"
+}
+
+resource "aws_route" "aws_route_pass_3" {
+  route_table_id            = "rtb-4fbb3ac4"
+  destination_ipv6_cidr_block = "2002::1234:abcd:ffff:c0a8:101/64"
+  instance_id = aws_instance.example.id
+}
+
+resource "aws_route" "aws_route_fail_1" {
+  route_table_id            = "rtb-4fbb3ac4"
+  destination_cidr_block    = "0.0.0.0"
+  vpc_peering_connection_id = "pcx-45ff3dc1"
+}
+
+resource "aws_route" "aws_route_fail_2" {
+  route_table_id            = "rtb-4fbb3ac4"
+  destination_cidr_block    = "0.0.0.0/0"
+  vpc_peering_connection_id = "pcx-45ff3dc1"
+}
+
+resource "aws_route" "aws_route_fail_3" {
+  route_table_id            = "rtb-4fbb3ac4"
+  destination_ipv6_cidr_block = "::0"
+  vpc_peering_connection_id = "pcx-45ff3dc1"
+}
+
+resource "aws_route" "aws_route_fail_4" {
+  route_table_id            = "rtb-4fbb3ac4"
+  destination_ipv6_cidr_block = "::/0"
+  vpc_peering_connection_id = "pcx-45ff3dc1"
+}
+
+resource "aws_route_table" "aws_route_table_pass_1" {
+  vpc_id = aws_vpc.example.id
+
+  route {
+    ipv6_cidr_block = "::/0"
+    gateway_id = aws_internet_gateway.example.id
+    instance_id = aws_instance.example.id
+  }
+}
+
+resource "aws_route_table" "aws_route_table_pass_2" {
+  vpc_id = aws_vpc.example.id
+
+  route {
+    ipv6_cidr_block = "2002::1234:abcd:ffff:c0a8:101/64"
+    vpc_peering_connection_id = "pcx-45ff3dc1"
+  }
+}
+
+resource "aws_route_table" "aws_route_table_pass_3" {
+  vpc_id = aws_vpc.example.id
+
+  route {
+    cidr_block = "10.0.1.0/22"
+    vpc_peering_connection_id = "pcx-45ff3dc1"
+  }
+}
+
+resource "aws_route_table" "aws_route_table_fail_1" {
+  vpc_id = aws_vpc.example.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    vpc_peering_connection_id = "pcx-45ff3dc1"
+  }
+}
+
+resource "aws_route_table" "aws_route_table_fail_2" {
+  vpc_id = aws_vpc.example.id
+
+  route {
+    cidr_block = "0.0.0.0"
+    vpc_peering_connection_id = "pcx-45ff3dc1"
+  }
+}
+
+resource "aws_route_table" "aws_route_table_fail_3" {
+  vpc_id = aws_vpc.example.id
+
+  route {
+    ipv6_cidr_block = "::0"
+    vpc_peering_connection_id = "pcx-45ff3dc1"
+  }
+}
+
+resource "aws_route_table" "aws_route_table_fail_4" {
+  vpc_id = aws_vpc.example.id
+
+  route {
+    ipv6_cidr_block = "::/0"
+    vpc_peering_connection_id = "pcx-45ff3dc1"
+  }
+}
diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
@@ -26,6 +26,15 @@ def setUp(self) -> None:
     def test_ADORepositoryHasMinTwoReviewers(self):
         self.go("ADORepositoryHasMinTwoReviewers")
 
+    def test_VPCPeeringRouteTableOverlyPermissive(self):
+        self.go("VPCPeeringRouteTableOverlyPermissive")
+
+    def test_S3NotAllowAccessToAllAuthenticatedUsers(self):
+        self.go("S3NotAllowAccessToAllAuthenticatedUsers")
+
+    def test_CloudFrontHasCustomSSLCertificate(self):
+        self.go("CloudFrontHasCustomSSLCertificate")            
+
     def test_CodecommitApprovalRulesAttached(self):
         self.go("CodecommitApprovalRulesAttached")