Merge pull request Checkmarx#6096 from Checkmarx/add_aws_sso_queries

feat(query): add aws sso security queries support

assets/queries/terraform/aws/iam_policies_with_full_privileges/query.rego

@@ -27,3 +27,27 @@ CxPolicy[result] {
 		"searchLine": common_lib.build_search_line(["resource", resourceType[idx], name, "policy"], []),
 	}
 }
+
+CxPolicy[result] {
+	resource := input.document[i].data.aws_iam_policy_document[name]
+
+    policy := {"Statement": resource.statement}
+
+	st := common_lib.get_statement(policy)
+	statement := st[_]
+
+	common_lib.is_allow_effect(statement)
+	common_lib.equalsOrInArray(statement.resources, "*")
+	common_lib.equalsOrInArray(statement.actions, "*")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_iam_policy_document",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_iam_policy_document[%s].policy", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'policy.Statement.Action' shouldn't contain '*'",
+		"keyActualValue": "'policy.Statement.Action' contains '*'",
+		"searchLine": common_lib.build_search_line(["resource", "aws_iam_policy_document", name, "policy"], []),
+	}
+}

assets/queries/terraform/aws/iam_policies_with_full_privileges/test/negative.tf

@@ -15,3 +15,15 @@ resource "aws_iam_role_policy" "negative1" {
 }
 EOF
 }
+data "aws_iam_policy_document" "example" {
+  statement {
+    sid = "1"
+    effect = "Allow"
+    actions = [
+      "*"
+    ]
+    resources = [
+      "arn:aws:s3:::*",
+    ]
+  }
+}

assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive.tf

@@ -15,3 +15,16 @@ resource "aws_iam_role_policy" "positive1" {
 }
 EOF
 }
+
+data "aws_iam_policy_document" "example" {
+  statement {
+    sid = "1"
+    effect = "Allow"
+    actions = [
+      "*"
+    ]
+    resources = [
+      "*",
+    ]
+  }
+}

assets/queries/terraform/aws/iam_policies_with_full_privileges/test/positive_expected_result.json

@@ -2,6 +2,14 @@
   {
     "queryName": "IAM Policies With Full Privileges",
     "severity": "HIGH",
-    "line": 5
+    "line": 5,
+    "fileName": "positive.tf"
+  },
+  {
+    "queryName": "IAM Policies With Full Privileges",
+    "severity": "HIGH",
+    "line": 19,
+    "fileName": "positive.tf"
   }
+
 ]

assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "ce9dfce0-5fc8-433b-944a-3b16153111a8",
+  "queryName": "SSO Permission With Inadequate User Session Duration",
+  "severity": "MEDIUM",
+  "category": "Access Control",
+  "descriptionText": "SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set",
+  "platform": "Terraform",
+  "descriptionID": "755ecfdf",
+  "cloudProvider": "aws"
+}

assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/query.rego

@@ -0,0 +1,42 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_ssoadmin_permission_set[name]
+	session_duration := resource.session_duration 
+
+	more_than_one_hour(session_duration)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_ssoadmin_permission_set_inline_policy",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_ssoadmin_permission_set[%s].session_duration", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "session_duration should not be higher than 1 hour",
+		"keyActualValue": "session_duration is higher than 1 hour",
+		"searchLine": common_lib.build_search_line(["resource", "aws_ssoadmin_permission_set_inline_policy", name, "session_duration"], []),
+	}
+}
+
+more_than_one_hour(session_duration) {
+	time := get_hours_value(session_duration) + get_minutes_value(session_duration) + get_seconds_value(session_duration)
+    time > 3600
+}
+
+get_hours_value(session_duration) := duration {
+	hours_value := trim_suffix(regex.find_all_string_submatch_n(`\d{1,2}H`, session_duration, 1)[0][0], "H")
+    duration := 3600 * to_number(hours_value)
+} else := 0
+
+get_minutes_value(session_duration) := duration {
+	minutes_value := trim_suffix(regex.find_all_string_submatch_n(`\d{1,2}M`, session_duration, 1)[0][0], "M")
+    duration := 60 * to_number(minutes_value)
+} else := 0
+
+get_seconds_value(session_duration) := duration {
+	seconds_value := trim_suffix(regex.find_all_string_submatch_n(`\d{1,2}S`, session_duration, 1)[0][0], "S")
+    duration := to_number(seconds_value)
+} else := 0

assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/negative.tf

@@ -0,0 +1,15 @@
+resource "aws_ssoadmin_permission_set" "example" {
+  name             = "Example"
+  description      = "An example"
+  instance_arn     = tolist(data.aws_ssoadmin_instances.example.arns)[0]
+  relay_state      = "https://s3.console.aws.amazon.com/s3/home?region=us-east-1#"
+  session_duration = "PT1H"
+}
+
+resource "aws_ssoadmin_permission_set" "example2" {
+  name             = "Example"
+  description      = "An example"
+  instance_arn     = tolist(data.aws_ssoadmin_instances.example.arns)[0]
+  relay_state      = "https://s3.console.aws.amazon.com/s3/home?region=us-east-1#"
+}
+

assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive.tf

@@ -0,0 +1,15 @@
+resource "aws_ssoadmin_permission_set" "example3" {
+  name             = "Example"
+  description      = "An example"
+  instance_arn     = tolist(data.aws_ssoadmin_instances.example.arns)[0]
+  relay_state      = "https://s3.console.aws.amazon.com/s3/home?region=us-east-1#"
+  session_duration = "PT1H1M"
+}
+
+resource "aws_ssoadmin_permission_set" "example4" {
+  name             = "Example"
+  description      = "An example"
+  instance_arn     = tolist(data.aws_ssoadmin_instances.example.arns)[0]
+  relay_state      = "https://s3.console.aws.amazon.com/s3/home?region=us-east-1#"
+  session_duration = "PT2H"
+}

assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+  {
+    "queryName": "SSO Permission With Inadequate User Session Duration",
+    "severity": "MEDIUM",
+    "line": 6,
+    "fileName": "positive.tf"
+  },
+  {
+    "queryName": "SSO Permission With Inadequate User Session Duration",
+    "severity": "MEDIUM",
+    "line": 14,
+    "fileName": "positive.tf"
+  }
+]

assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "4003118b-046b-4640-b200-b8c7a4c8b89f",
+  "queryName": "SSO Identity User Unsafe Creation",
+  "severity": "LOW",
+  "category": "Access Control",
+  "descriptionText": "The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_user",
+  "platform": "Terraform",
+  "descriptionID": "a30fa3d3",
+  "cloudProvider": "aws"
+}

assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/query.rego

@@ -0,0 +1,19 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_identitystore_user[name]
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_identitystore_user",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_identitystore_user[%s]", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "aws_identitystore_user resource should not be used",
+		"keyActualValue": "aws_identitystore_user resource is used",
+		"searchLine": common_lib.build_search_line(["resource", "aws_identitystore_user", name], []),
+	}
+}

assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/test/negative.tf

@@ -0,0 +1,32 @@
+resource "aws_ssoadmin_permission_set_inline_policy" "neg1" {
+  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.example.arn
+  inline_policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": [
+        "s3:ListBucket*",
+        "s3:HeadBucket",
+        "s3:Get*"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::b1",
+        "arn:aws:s3:::b1/*",
+        "arn:aws:s3:::b2",
+        "arn:aws:s3:::b2/*"
+      ],
+      "Sid": ""
+    },
+    {
+      "Action": "s3:PutObject*",
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::b1/*",
+      "Sid": ""
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+}

assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/test/positive.tf

@@ -0,0 +1,15 @@
+resource "aws_identitystore_user" "example" {
+  identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0]
+
+  display_name = "John Doe"
+  user_name    = "johndoe"
+
+  name {
+    given_name  = "John"
+    family_name = "Doe"
+  }
+
+  emails {
+    value = "[email protected]"
+  }
+}

assets/queries/terraform/aws/sso_policy_with_full_priveleges copy/test/positive_expected_result.json

@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "SSO Identity User Unsafe Creation",
+    "severity": "LOW",
+    "line": 1,
+    "fileName": "positive.tf"
+  }
+]

assets/queries/terraform/aws/sso_policy_with_full_priveleges/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "132a8c31-9837-4203-9fd1-15ca210c7b73",
+  "queryName": "SSO Policy with full privileges",
+  "severity": "HIGH",
+  "category": "Access Control",
+  "descriptionText": "SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy",
+  "platform": "Terraform",
+  "descriptionID": "cae7c4fc",
+  "cloudProvider": "aws"
+}

assets/queries/terraform/aws/sso_policy_with_full_priveleges/query.rego

@@ -0,0 +1,27 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.aws_ssoadmin_permission_set_inline_policy[name]
+
+	policy := common_lib.json_unmarshal(resource.inline_policy)
+		st := common_lib.get_statement(policy)
+	statement := st[_]
+
+	common_lib.is_allow_effect(statement)
+	common_lib.equalsOrInArray(statement.Resource, "*")
+	common_lib.equalsOrInArray(statement.Action, "*")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "aws_ssoadmin_permission_set_inline_policy",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("aws_ssoadmin_permission_set_inline_policy[%s].inline_policy", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "inline_policy.Statement.Action should not equal to, nor contain '*'",
+		"keyActualValue": "inline_policy.Statement.Action is equal to or contains '*'",
+		"searchLine": common_lib.build_search_line(["resource", "aws_ssoadmin_permission_set_inline_policy", name, "inline_policy"], []),
+	}
+}

assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/negative.tf

@@ -0,0 +1,32 @@
+resource "aws_ssoadmin_permission_set_inline_policy" "neg1" {
+  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.example.arn
+  inline_policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": [
+        "s3:ListBucket*",
+        "s3:HeadBucket",
+        "s3:Get*"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::b1",
+        "arn:aws:s3:::b1/*",
+        "arn:aws:s3:::b2",
+        "arn:aws:s3:::b2/*"
+      ],
+      "Sid": ""
+    },
+    {
+      "Action": "s3:PutObject*",
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::b1/*",
+      "Sid": ""
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+}

assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive.tf

@@ -0,0 +1,27 @@
+resource "aws_ssoadmin_permission_set_inline_policy" "pos1" {
+  instance_arn       = aws_ssoadmin_permission_set.example.instance_arn
+  permission_set_arn = aws_ssoadmin_permission_set.example.arn
+  inline_policy = <<POLICY
+{
+  "Statement": [
+    {
+      "Action": [
+        "*"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "*"
+      ],
+      "Sid": ""
+    },
+    {
+      "Action": "s3:PutObject*",
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::b1/*",
+      "Sid": ""
+    }
+  ],
+  "Version": "2012-10-17"
+}
+POLICY
+}

assets/queries/terraform/aws/sso_policy_with_full_priveleges/test/positive_expected_result.json

@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "SSO Policy with full privileges",
+    "severity": "HIGH",
+    "line": 4,
+    "fileName": "positive.tf"
+  }
+]