added new query IAM role allows public assume for ansible Checkmarx#1419

(Checkmarx#1420)
Dipesh-Reen · Dec 30, 2020 · b8de81d · b8de81d
1 parent 97d2fde
commit b8de81d
Show file tree

Hide file tree

Showing 5 changed files with 123 additions and 0 deletions.
diff --git a/assets/queries/ansible/aws/IAM_role_allows_all_principals_to_assume/metadata.json b/assets/queries/ansible/aws/IAM_role_allows_all_principals_to_assume/metadata.json
@@ -0,0 +1,8 @@
+{
+  "id": "IAM_role_allows_all_principals_to_assume",
+  "queryName": "IAM role allows all principals to assume",
+  "severity": "LOW",
+  "category": "Identity and Access Management",
+  "descriptionText": "IAM role allows all services or principals to assume it",
+  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html"
+}
diff --git a/assets/queries/ansible/aws/IAM_role_allows_all_principals_to_assume/query.rego b/assets/queries/ansible/aws/IAM_role_allows_all_principals_to_assume/query.rego
@@ -0,0 +1,64 @@
+package Cx
+
+CxPolicy [result] {
+  document := input.document[i]
+  tasks := getTasks(document)
+  task := tasks[t]
+  awsApiGateway := task["community.aws.iam_managed_policy"]
+  contains(awsApiGateway.state, "present")
+  policy := json_unmarshal(awsApiGateway.policy)
+  statement := policy.Statement[_]
+  resource := statement.Principal.AWS
+  contains(resource, "arn:aws:iam::")
+  contains(resource, ":root")
+  not contains(statement.Effect,"Deny")
+  clusterName := task.name
+  result := {
+                "documentId":       input.document[i].id,
+                "searchKey":        sprintf("name={{%s}}.{{community.aws.iam_managed_policy}}.Statement.Principal.AWS", [clusterName]),
+                "issueType":        "IncorrectAttribute",
+                "keyExpectedValue": "community.aws.iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root",
+                "keyActualValue":   "community.aws.iam_managed_policy.policy.Statement.Principal.AWS contains ':root'"
+              }
+}
+
+CxPolicy [result] {
+  document := input.document[i]
+  tasks := getTasks(document)
+  task := tasks[t]
+  awsApiGateway := task["community.aws.iam_managed_policy"]
+  contains(awsApiGateway.state, "present")
+  statement := awsApiGateway.policy.Statement[_]
+  resource := statement.Principal[j].AWS
+  contains(resource, "arn:aws:iam::")
+  contains(resource, ":root")
+  not contains(statement.Effect,"Deny")
+  clusterName := task.name
+  result := {
+                "documentId":       input.document[i].id,
+                "searchKey":        sprintf("name={{%s}}.{{community.aws.iam_managed_policy}}.Statement.Principal.AWS", [clusterName]),
+                "issueType":        "IncorrectAttribute",
+                "keyExpectedValue": "community.aws.iam_managed_policy.policy.Statement.Principal.AWS should not contain ':root",
+                "keyActualValue":   "community.aws.iam_managed_policy.policy.Statement.Principal.AWS contains ':root'"
+              }
+
+}
+
+
+json_unmarshal(s) = result {
+	s == null
+	result := json.unmarshal("{}")
+}
+
+json_unmarshal(s) = result {
+	s != null
+	result := json.unmarshal(s)
+}
+
+getTasks(document) = result {
+    result := [body | playbook := document.playbooks[0]; body := playbook.tasks]
+    count(result) != 0
+} else = result {
+    result := [body | playbook := document.playbooks[_]; body := playbook ]  
+    count(result) != 0
+}
diff --git a/assets/queries/ansible/aws/IAM_role_allows_all_principals_to_assume/test/negative.yaml b/assets/queries/ansible/aws/IAM_role_allows_all_principals_to_assume/test/negative.yaml
@@ -0,0 +1,11 @@
+- name: Create IAM Managed Policy
+  community.aws.iam_managed_policy:
+    policy_name: "ManagedPolicy"
+    policy:
+      Version: "2012-10-17"
+      Statement:
+      - Effect: "Allow"
+        Action: "logs:CreateLogGroup"
+        Resource: "*"
+    make_default: false
+    state: present
diff --git a/assets/queries/ansible/aws/IAM_role_allows_all_principals_to_assume/test/positive.yaml b/assets/queries/ansible/aws/IAM_role_allows_all_principals_to_assume/test/positive.yaml
@@ -0,0 +1,28 @@
+- name: Create IAM Managed Policy
+  community.aws.iam_managed_policy:
+    policy_name: "ManagedPolicy"
+    policy:
+      Version: "2012-10-17"
+      Statement:
+      - Effect: "Allow"
+        Action: "logs:CreateLogGroup"
+        Resource: "*"
+        Principal:
+            - AWS: "arn:aws:iam::root"
+    make_default: false
+    state: present
+- name: Create2 IAM Managed Policy
+  community.aws.iam_managed_policy:
+    policy_name: "ManagedPolicy2"
+    policy: >
+      {
+        "Version": "2012-10-17",
+        "Statement":[{
+          "Effect": "Allow",
+          "Action": "logs:PutRetentionPolicy",
+          "Resource": "*",
+          "Principal" : { "AWS" : "arn:aws:iam::root" }
+        }]
+      }
+    only_version: true
+    state: present
diff --git a/...s/ansible/aws/IAM_role_allows_all_principals_to_assume/test/positive_expected_result.json b/...s/ansible/aws/IAM_role_allows_all_principals_to_assume/test/positive_expected_result.json
@@ -0,0 +1,12 @@
+[
+	{
+		"queryName": "IAM role allows all principals to assume",
+		"severity": "LOW",
+		"line": 11
+	},
+	{
+		"queryName": "IAM role allows all principals to assume",
+		"severity": "LOW",
+		"line": 24
+	}
+]