fix(terraform): Add more conditions for CKV_AWS_70 #6464

Merged
merged 4 commits into from
Jun 23, 2024
16 changes: 14 additions & 2 deletions checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py
Expand Up @@ -32,14 +32,26 @@ def check_conditions(statement) -> bool:
# Passed if 'aws:PrincipalArn' or 'aws:SourceArn' do not match because then they are specific
return True

# Handle VPC sources. Other sources not specific enough
# Leaves out the NOT conditions as too broad ('StringNotEquals', 'StringNotEqualsIgnoreCase', 'StringNotLike')
string_conditions = ['StringEquals', 'StringEqualsIgnoreCase', 'StringLike']
if any(condition_type in condition for condition_type in string_conditions):
for condition_type in string_conditions:
if condition_type in condition:
# Purposefully not included: 'aws:SourceIp', 'aws:UserAgent', 'aws:Referer', 'aws:RequestTime',
# 'aws:SourceArn', 'aws:PrincipalType', 'aws:RequestTag', 'aws:SecureTransport', 'aws:SourceIp',
# 'aws:MultiFactorAuthPresent', 'aws:PrincipalType', all 'Properties of the request',
# all 'Properties of the resource', 'aws:PrincipalTag', 'aws:PrincipalIsAWSService',
# 'aws:PrincipalServiceName', 'aws:PrincipalServiceNamesList', 'aws:PrincipalType', 'aws:userid',
# 'aws:username'
if any(source in condition[condition_type] for source in ['aws:sourceVpce', 'aws:SourceVpc',
'aws:PrincipalOrgPath', 'aws:userid']):
'aws:PrincipalOrgPaths', 'aws:userid',
'aws:PrincipalArn',
'aws:PrincipalAccount',
'aws:PrincipalOrgID',
'aws:Ec2InstanceSourceVpc',
'ec2:SourceInstanceArn',
'lambda:SourceFunctionArn',
'ssm:SourceInstanceArn']):
return True

# Default fail if none of the above conditions are met
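Review bot: the new ARN-typed keys ('aws:PrincipalArn', 'ec2:SourceInstanceArn', 'lambda:SourceFunctionArn', 'ssm:SourceInstanceArn') are only looked up under the string operators in `string_conditions` ('StringEquals', 'StringEqualsIgnoreCase', 'StringLike'), but policies typically scope these keys with 'ArnEquals' or 'ArnLike', so a statement such as `"Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/app-*"}}` would still fall through to the default fail; consider iterating an `arn_conditions = ['ArnEquals', 'ArnLike']` list for those keys alongside the string operators. The membership test `source in condition[condition_type]` is also a case-sensitive dict lookup while IAM condition key names are case-insensitive, so 'aws:sourceVpce' in the list will not match a policy written as 'aws:SourceVpce'; normalising both sides with `.lower()` before comparing would avoid that. Finally, the "Purposefully not included" comment now contradicts the list: 'aws:userid' appears in both, 'aws:PrincipalArn' is now included, and 'aws:SourceIp' and 'aws:PrincipalType' are repeated several times, so the comment should be trimmed to the keys that are actually excluded.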