From 2513661e8f5896fccbf3eb36c285ce02c89ea60c Mon Sep 17 00:00:00 2001 From: ssiddardha Date: Fri, 18 Nov 2022 11:51:27 +0530 Subject: [PATCH 1/6] adding yaml based build time policies for corresponding PC run time policies --- .../CloudFrontHasCustomSSLCertificate.yaml | 16 +++ ...NotAllowAccessToAllAuthenticatedUsers.yaml | 11 ++ .../VPCPeeringRouteTableOverlyPermissive.yaml | 68 ++++++++++++ .../expected.yaml | 5 + .../CloudFrontHasCustomSSLCertificate/main.tf | 60 ++++++++++ .../expected.yaml | 5 + .../main.tf | 57 ++++++++++ .../expected.yaml | 16 +++ .../main.tf | 105 ++++++++++++++++++ 9 files changed, 343 insertions(+) create mode 100644 checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml create mode 100644 checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml create mode 100644 checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml create mode 100644 tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/main.tf create mode 100644 tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf create mode 100644 tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/expected.yaml create mode 100644 tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/main.tf diff --git a/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml b/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml new file mode 100644 index 00000000000..5d99915be3d --- /dev/null +++ b/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml 
@@ -0,0 +1,16 @@ +metadata: + id: "CKV2_AWS_TEST_2" + name: "Ensure AWS CloudFront distribution uses custom SSL certificate" + category: "NETWORKING" +definition: + or: + - cond_type: "attribute" + resource_types: + - "aws_cloudfront_distribution" + attribute: "viewer_certificate.iam_certificate_id" + operator: "exists" + - cond_type: "attribute" + resource_types: + - "aws_cloudfront_distribution" + attribute: "viewer_certificate.acm_certificate_arn" + operator: "exists" \ No newline at end of file diff --git a/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml b/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml new file mode 100644 index 00000000000..c2999d3a307 --- /dev/null +++ b/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml @@ -0,0 +1,11 @@ +metadata: + id: "CKV2_AWS_TEST_S3_2" + name: "Ensure S3 Bucket does not allow access to all Authenticated users" + category: "GENERAL_SECURITY" +definition: + cond_type: "attribute" + resource_types: + - "aws_s3_bucket_acl" + attribute: "access_control_policy.grant.*.grantee.uri" + operator: "not_equals" + value: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" \ No newline at end of file diff --git a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml new file mode 100644 index 00000000000..2dbb77d144a --- /dev/null +++ b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml 
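Review bot: The policy file ends without a trailing newline (`\ No newline at end of file`); PATCH 6 later adds one to the S3 policy but not to this file, so it should be added here as well. Separately, `operator: "exists"` only asks whether `viewer_certificate.iam_certificate_id` / `viewer_certificate.acm_certificate_arn` is present, so if the graph records an explicitly empty value as present (which I have not verified against the attribute solver) `acm_certificate_arn = ""` would be accepted. A header comment above `definition` such as `# Passes when viewer_certificate references an ACM or IAM certificate; the CloudFront default certificate alone fails` would make the intent of the two `or` branches clear to the next maintainer.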
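Review bot: The single condition inspects only `access_control_policy.grant.*.grantee.uri`, so an `aws_s3_bucket_acl` that grants the same group through the canned ACL `acl = "authenticated-read"` carries no grant attribute at all and is never flagged, although it gives READ to every AWS account holder. Wrapping the existing condition in an `and` with a second condition on `acl` closes that gap, and a fixture with `acl = "authenticated-read"` listed under `fail` would pin it. Whether a resource that lacks the grant attribute entirely counts as passing `not_equals` depends on the attribute solver, which I have not checked here, but the canned-ACL case is independent of that question. The file also ends without a trailing newline, which PATCH 6 fixes later.
```yaml
definition:
  and:
    - cond_type: "attribute"
      resource_types:
        - "aws_s3_bucket_acl"
      attribute: "acl"
      operator: "not_equals"
      value: "authenticated-read"
    # … unchanged: the existing grantee.uri not_equals condition, indented one level under the and …
```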
@@ -0,0 +1,68 @@ +metadata: + id: "CKV2_AWS_TEST_VPC_2" + name: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic" + category: "NETWORKING" +definition: + or: + - or: + - cond_type: "attribute" + resource_types: + - "aws_route_table" + attribute: "route.*.vpc_peering_connection_id" + operator: "not_exists" + - and: + - cond_type: "attribute" + resource_types: + - "aws_route_table" + attribute: "route.*.cidr_block" + operator: "not_contains" + value: "0.0.0.0/0" + - cond_type: "attribute" + resource_types: + - "aws_route_table" + attribute: "route.*.cidr_block" + operator: "not_contains" + value: "0.0.0.0" + - cond_type: "attribute" + resource_types: + - "aws_route_table" + attribute: "route.*.ipv6_cidr_block" + operator: "not_contains" + value: "::0" + - cond_type: "attribute" + resource_types: + - "aws_route_table" + attribute: "route.*.ipv6_cidr_block" + operator: "not_contains" + value: "::/0" + - or: + - cond_type: "attribute" + resource_types: + - "aws_route" + attribute: "vpc_peering_connection_id" + operator: "not_exists" + - and: + - cond_type: "attribute" + resource_types: + - "aws_route" + attribute: "destination_cidr_block" + operator: "not_contains" + value: "0.0.0.0/0" + - cond_type: "attribute" + resource_types: + - "aws_route" + attribute: "destination_cidr_block" + operator: "not_contains" + value: "0.0.0.0" + - cond_type: "attribute" + resource_types: + - "aws_route" + attribute: "destination_ipv6_cidr_block" + operator: "not_contains" + value: "::0" + - cond_type: "attribute" + resource_types: + - "aws_route" + attribute: "destination_ipv6_cidr_block" + operator: "not_contains" + value: "::/0" \ No newline at end of file diff --git a/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/expected.yaml b/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/expected.yaml new file mode 100644 index 00000000000..c352c1ff254 --- /dev/null 
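Review bot: `operator: "not_contains"` on a string attribute is, as far as I recall from checkov's attribute solvers, a substring test rather than a membership test, so the `value: "0.0.0.0"` branch fails any route whose CIDR merely contains that substring — a peering route to `10.0.0.0/8` would be reported as overly permissive. Using `operator: "not_equals"` with the exact default-route forms `0.0.0.0/0` and `::/0` avoids that false positive, and the bare `0.0.0.0` and `::0` branches then add nothing. The same operator appears in all eight conditions here and is carried over unchanged into the flattened version in PATCH 5, so the change applies to both hunks. Note also that the `and` branch is evaluated per resource, not per `route` block: a table holding one peering route to a private CIDR and a separate `0.0.0.0/0` route to an internet gateway fails, which is a limitation worth stating in a comment at the top of `definition`.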
+++ b/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/expected.yaml @@ -0,0 +1,5 @@ +fail: + - "aws_cloudfront_distribution.fail" +pass: + - "aws_cloudfront_distribution.pass_1" + - "aws_cloudfront_distribution.pass_2" diff --git a/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/main.tf b/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/main.tf new file mode 100644 index 00000000000..d6f6dda006d --- /dev/null +++ b/tests/terraform/graph/checks/resources/CloudFrontHasCustomSSLCertificate/main.tf @@ -0,0 +1,60 @@ +resource "aws_cloudfront_distribution" "pass_1" { + + origin { + domain_name = aws_s3_bucket.primary.bucket_regional_domain_name + origin_id = "primaryS3" + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path + } + } + + default_cache_behavior { + target_origin_id = "groupS3" + } + + viewer_certificate { + acm_certificate_arn = "aaaaa" + } +} + +resource "aws_cloudfront_distribution" "pass_2" { + + origin { + domain_name = aws_s3_bucket.primary.bucket_regional_domain_name + origin_id = "primaryS3" + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path + } + } + + default_cache_behavior { + target_origin_id = "groupS3" + } + + viewer_certificate { + acm_certificate_arn = "aaaaa" + iam_certificate_id = "adaffwqfwff" + } +} + +resource "aws_cloudfront_distribution" "fail" { + + origin { + domain_name = aws_s3_bucket.primary.bucket_regional_domain_name + origin_id = "primaryS3" + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path + } + } + + default_cache_behavior { + target_origin_id = "groupS3" + } + + viewer_certificate { + cloudfront_default_certificate = "test" + } +} \ No newline at end of file 
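Review bot: `pass_2` sets both `acm_certificate_arn` and `iam_certificate_id` in one `viewer_certificate` block, which the AWS provider treats as conflicting arguments if I remember the schema correctly, so this passing case is not a configuration anyone could apply; `fail` sets `cloudfront_default_certificate = "test"` where the provider expects a boolean. Making `pass_2` a plain `iam_certificate_id = "adaffwqfwff"` case gives each `or` branch of the policy its own fixture, and writing `cloudfront_default_certificate = true` keeps the failing fixture realistic without touching expected.yaml.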
diff --git a/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml new file mode 100644 index 00000000000..801116250bd --- /dev/null +++ b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml @@ -0,0 +1,5 @@ +pass: + - "aws_s3_bucket.pass" +fail: + - "aws_s3_bucket.fail_1" + - "aws_s3_bucket.fail_2" diff --git a/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf new file mode 100644 index 00000000000..c7169e91e0c --- /dev/null +++ b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf @@ -0,0 +1,57 @@ + + +resource "aws_s3_bucket_acl" "fail_1" { + bucket = "name" + access_control_policy { + grant { + grantee { + id = "52b113e7a2f25102679df27bb0ae12b3f85be6" + type = "CanonicalUser" + } + permission = "READ" + } + grant { + grantee { + type = "Group" + uri = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" + } + permission = "READ_ACP" + } + owner { + id = data.aws_canonical_user_id.current.id + } + } +} + +resource "aws_s3_bucket_acl" "fail_2" { + bucket = "name" + access_control_policy { + + grant { + grantee { + type = "Group" + uri = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" + } + permission = "READ_ACP" + } + owner { + id = data.aws_canonical_user_id.current.id + } + } +} + +resource "aws_s3_bucket_acl" "pass" { + bucket = "name" + access_control_policy { + grant { + grantee { + id = "52b113e7a2f25102679df27bb0ae12b3f85be6" + type = "CanonicalUser" + } + permission = "READ" + } + owner { + id = data.aws_canonical_user_id.current.id + } + } +} \ No newline at end of file 
diff --git a/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/expected.yaml b/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/expected.yaml new file mode 100644 index 00000000000..e494cd405dc --- /dev/null +++ b/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/expected.yaml @@ -0,0 +1,16 @@ +pass: + - "aws_route.aws_route_pass_1" + - "aws_route.aws_route_pass_2" + - "aws_route.aws_route_pass_3" + - "aws_route_table.aws_route_table_pass_1" + - "aws_route_table.aws_route_table_pass_2" + - "aws_route_table.aws_route_table_pass_3" +fail: + - "aws_route.aws_route_fail_1" + - "aws_route.aws_route_fail_2" + - "aws_route.aws_route_fail_3" + - "aws_route.aws_route_fail_4" + - "aws_route_table.aws_route_table_fail_1" + - "aws_route_table.aws_route_table_fail_2" + - "aws_route_table.aws_route_table_fail_3" + - "aws_route_table.aws_route_table_fail_4" diff --git a/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/main.tf b/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/main.tf new file mode 100644 index 00000000000..8ae9b41843f --- /dev/null +++ b/tests/terraform/graph/checks/resources/VPCPeeringRouteTableOverlyPermissive/main.tf 
@@ -0,0 +1,105 @@ +resource "aws_route" "aws_route_pass_1" { + route_table_id = "rtb-4fbb3ac4" + destination_cidr_block = "10.0.1.0/22" + vpc_peering_connection_id = "pcx-45ff3dc1" +} + +resource "aws_route" "aws_route_pass_2" { + route_table_id = "rtb-4fbb3ac4" + destination_ipv6_cidr_block = "2002::1234:abcd:ffff:c0a8:101/64" + vpc_peering_connection_id = "pcx-45ff3dc1" +} + +resource "aws_route" "aws_route_pass_3" { + route_table_id = "rtb-4fbb3ac4" + destination_ipv6_cidr_block = "2002::1234:abcd:ffff:c0a8:101/64" + instance_id = aws_instance.example.id +} + +resource "aws_route" "aws_route_fail_1" { + route_table_id = "rtb-4fbb3ac4" + destination_cidr_block = "0.0.0.0" + vpc_peering_connection_id = "pcx-45ff3dc1" +} + +resource "aws_route" "aws_route_fail_2" { + route_table_id = "rtb-4fbb3ac4" + destination_cidr_block = "0.0.0.0/0" + vpc_peering_connection_id = "pcx-45ff3dc1" +} + +resource "aws_route" "aws_route_fail_3" { + route_table_id = "rtb-4fbb3ac4" + destination_ipv6_cidr_block = "::0" + vpc_peering_connection_id = "pcx-45ff3dc1" +} + +resource "aws_route" "aws_route_fail_4" { + route_table_id = "rtb-4fbb3ac4" + destination_ipv6_cidr_block = "::/0" + vpc_peering_connection_id = "pcx-45ff3dc1" +} + +resource "aws_route_table" "aws_route_table_pass_1" { + vpc_id = aws_vpc.example.id + + route { + ipv6_cidr_block = "::/0" + gateway_id = aws_internet_gateway.example.id + instance_id = aws_instance.example.id + } +} + +resource "aws_route_table" "aws_route_table_pass_2" { + vpc_id = aws_vpc.example.id + + route { + ipv6_cidr_block = "2002::1234:abcd:ffff:c0a8:101/64" + vpc_peering_connection_id = "pcx-45ff3dc1" + } +} + +resource "aws_route_table" "aws_route_table_pass_3" { + vpc_id = aws_vpc.example.id + + route { + cidr_block = "10.0.1.0/22" + vpc_peering_connection_id = "pcx-45ff3dc1" + } +} + +resource "aws_route_table" "aws_route_table_fail_1" { + vpc_id = aws_vpc.example.id + + route { + cidr_block = "0.0.0.0/0" + vpc_peering_connection_id = 
"pcx-45ff3dc1" + } +} + +resource "aws_route_table" "aws_route_table_fail_2" { + vpc_id = aws_vpc.example.id + + route { + cidr_block = "0.0.0.0" + vpc_peering_connection_id = "pcx-45ff3dc1" + } +} + +resource "aws_route_table" "aws_route_table_fail_3" { + vpc_id = aws_vpc.example.id + + route { + ipv6_cidr_block = "::0" + vpc_peering_connection_id = "pcx-45ff3dc1" + } +} + +resource "aws_route_table" "aws_route_table_fail_4" { + vpc_id = aws_vpc.example.id + + route { + ipv6_cidr_block = "::/0" + vpc_peering_connection_id = "pcx-45ff3dc1" + } +} \ No newline at end of file From 4944c569f4d7228fec943afef79970cb6c751aa8 Mon Sep 17 00:00:00 2001 From: ssiddardha Date: Fri, 18 Nov 2022 11:57:20 +0530 Subject: [PATCH 2/6] adding yaml policies to test framework --- tests/terraform/graph/checks/test_yaml_policies.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py index 1642dc41b10..c2cf8052fd7 100644 --- a/tests/terraform/graph/checks/test_yaml_policies.py +++ b/tests/terraform/graph/checks/test_yaml_policies.py @@ -26,6 +26,15 @@ def setUp(self) -> None: def test_ADORepositoryHasMinTwoReviewers(self): self.go("ADORepositoryHasMinTwoReviewers") + def test_VPCPeeringRouteTableOverlyPermissive(self): + self.go("VPCPeeringRouteTableOverlyPermissive") + + def test_S3NotAllowAccessToAllAuthenticatedUsers(self): + self.go("S3NotAllowAccessToAllAuthenticatedUsers") + + def test_CloudFrontHasCustomSSLCertificate(self): + self.go("CloudFrontHasCustomSSLCertificate") + def test_CodecommitApprovalRulesAttached(self): self.go("CodecommitApprovalRulesAttached") From 273c5805d5f7a42414c9c7f87027c0b497095513 Mon Sep 17 00:00:00 2001 
From: ssiddardha Date: Fri, 18 Nov 2022 12:00:31 +0530 Subject: [PATCH 3/6] adding checkov id's --- .../graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml | 2 +- .../aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml | 2 +- .../graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml b/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml index 5d99915be3d..476659a1875 100644 --- a/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml +++ b/checkov/terraform/checks/graph_checks/aws/CloudFrontHasCustomSSLCertificate.yaml @@ -1,5 +1,5 @@ metadata: - id: "CKV2_AWS_TEST_2" + id: "CKV2_AWS_42" name: "Ensure AWS CloudFront distribution uses custom SSL certificate" category: "NETWORKING" definition: diff --git a/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml b/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml index c2999d3a307..2c5f7fb68ed 100644 --- a/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml +++ b/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml @@ -1,5 +1,5 @@ metadata: - id: "CKV2_AWS_TEST_S3_2" + id: "CKV2_AWS_43" name: "Ensure S3 Bucket does not allow access to all Authenticated users" category: "GENERAL_SECURITY" definition: diff --git a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml index 2dbb77d144a..73e878fcf9e 100644 --- a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml +++ b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml 
@@ -1,5 +1,5 @@ metadata: - id: "CKV2_AWS_TEST_VPC_2" + id: "CKV2_AWS_44" name: "Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic" category: "NETWORKING" definition: From a8ae04655b47235b3ffb4e815385e18d6154db0d Mon Sep 17 00:00:00 2001 From: ssiddardha <116793184+ssiddardha@users.noreply.github.com> Date: Mon, 21 Nov 2022 09:48:23 +0530 Subject: [PATCH 4/6] Update checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Anton GrĂ¼bel --- .../aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml b/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml index 2c5f7fb68ed..97342091e26 100644 --- a/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml +++ b/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml @@ -1,7 +1,7 @@ metadata: id: "CKV2_AWS_43" name: "Ensure S3 Bucket does not allow access to all Authenticated users" - category: "GENERAL_SECURITY" + category: "IAM" definition: cond_type: "attribute" resource_types: From 3a6e4fc2ad7dc54d3f6ec4b9f10aa9f6806c78c9 Mon Sep 17 00:00:00 2001 From: ssiddardha <116793184+ssiddardha@users.noreply.github.com> Date: Mon, 21 Nov 2022 10:04:10 +0530 Subject: [PATCH 5/6] Updated MR with suggested changes --- .../VPCPeeringRouteTableOverlyPermissive.yaml | 110 +++++++++--------- 1 file changed, 54 insertions(+), 56 deletions(-) diff --git a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml index 73e878fcf9e..58192af7073 100644 
--- a/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml +++ b/checkov/terraform/checks/graph_checks/aws/VPCPeeringRouteTableOverlyPermissive.yaml 
@@ -4,65 +4,63 @@ metadata: category: "NETWORKING" definition: or: - - or: + - cond_type: "attribute" + resource_types: + - "aws_route_table" + attribute: "route.*.vpc_peering_connection_id" + operator: "not_exists" + - and: + - cond_type: "attribute" + resource_types: + - "aws_route_table" + attribute: "route.*.cidr_block" + operator: "not_contains" + value: "0.0.0.0/0" + - cond_type: "attribute" + resource_types: + - "aws_route_table" + attribute: "route.*.cidr_block" + operator: "not_contains" + value: "0.0.0.0" + - cond_type: "attribute" + resource_types: + - "aws_route_table" + attribute: "route.*.ipv6_cidr_block" + operator: "not_contains" + value: "::0" - cond_type: "attribute" resource_types: - "aws_route_table" - attribute: "route.*.vpc_peering_connection_id" - operator: "not_exists" - - and: - - cond_type: "attribute" - resource_types: - - "aws_route_table" - attribute: "route.*.cidr_block" - operator: "not_contains" - value: "0.0.0.0/0" - - cond_type: "attribute" - resource_types: - - "aws_route_table" - attribute: "route.*.cidr_block" - operator: "not_contains" - value: "0.0.0.0" - - cond_type: "attribute" - resource_types: - - "aws_route_table" - attribute: "route.*.ipv6_cidr_block" - operator: "not_contains" - value: "::0" - - cond_type: "attribute" - resource_types: - - "aws_route_table" - attribute: "route.*.ipv6_cidr_block" - operator: "not_contains" - value: "::/0" - - or: + attribute: "route.*.ipv6_cidr_block" + operator: "not_contains" + value: "::/0" + - cond_type: "attribute" + resource_types: + - "aws_route" + attribute: "vpc_peering_connection_id" + operator: "not_exists" + - and: + - cond_type: "attribute" + resource_types: + - "aws_route" + attribute: "destination_cidr_block" + operator: "not_contains" + value: "0.0.0.0/0" + - cond_type: "attribute" + resource_types: + - "aws_route" + attribute: "destination_cidr_block" + operator: "not_contains" + value: "0.0.0.0" + - cond_type: "attribute" + resource_types: + - "aws_route" + attribute: 
"destination_ipv6_cidr_block" + operator: "not_contains" + value: "::0" - cond_type: "attribute" resource_types: - "aws_route" - attribute: "vpc_peering_connection_id" - operator: "not_exists" - - and: - - cond_type: "attribute" - resource_types: - - "aws_route" - attribute: "destination_cidr_block" - operator: "not_contains" - value: "0.0.0.0/0" - - cond_type: "attribute" - resource_types: - - "aws_route" - attribute: "destination_cidr_block" - operator: "not_contains" - value: "0.0.0.0" - - cond_type: "attribute" - resource_types: - - "aws_route" - attribute: "destination_ipv6_cidr_block" - operator: "not_contains" - value: "::0" - - cond_type: "attribute" - resource_types: - - "aws_route" - attribute: "destination_ipv6_cidr_block" - operator: "not_contains" - value: "::/0" \ No newline at end of file + attribute: "destination_ipv6_cidr_block" + operator: "not_contains" + value: "::/0" From e100b00337152b432f348f9fdbb9aa59208ca549 Mon Sep 17 00:00:00 2001 From: gruebel Date: Wed, 23 Nov 2022 00:05:19 +0100 Subject: [PATCH 6/6] fix wrong test resource types --- .../aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml | 2 +- .../S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml | 6 +++--- .../S3NotAllowAccessToAllAuthenticatedUsers/main.tf | 4 +--- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml b/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml index 97342091e26..c19c6f9fc16 100644 --- a/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml +++ b/checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml 
@@ -8,4 +8,4 @@ definition: - "aws_s3_bucket_acl" attribute: "access_control_policy.grant.*.grantee.uri" operator: "not_equals" - value: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" \ No newline at end of file + value: "http://acs.amazonaws.com/groups/global/AuthenticatedUsers" diff --git a/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml index 801116250bd..d2376e1a99f 100644 --- a/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml +++ b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/expected.yaml @@ -1,5 +1,5 @@ pass: - - "aws_s3_bucket.pass" + - "aws_s3_bucket_acl.pass" fail: - - "aws_s3_bucket.fail_1" - - "aws_s3_bucket.fail_2" + - "aws_s3_bucket_acl.fail_1" + - "aws_s3_bucket_acl.fail_2" diff --git a/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf index c7169e91e0c..7956b7627c8 100644 --- a/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf +++ b/tests/terraform/graph/checks/resources/S3NotAllowAccessToAllAuthenticatedUsers/main.tf @@ -1,5 +1,3 @@ - - resource "aws_s3_bucket_acl" "fail_1" { bucket = "name" access_control_policy { @@ -54,4 +52,4 @@ resource "aws_s3_bucket_acl" "pass" { id = data.aws_canonical_user_id.current.id } } -} \ No newline at end of file +}