feat: updates kms comp with embedded policy creation #523
Conversation
![bridgecrew[bot]](https://avatars.githubusercontent.com/in/52968?s=60&v=4){kind=small}
| context = module.this.context | ||
| } | ||
|
|
||
| data "aws_iam_policy_document" "key_policy" { |
There was a problem hiding this comment.
Ensure IAM policies does not allow write access without constraint
Resource: aws_iam_policy_document.key_policy | ID: BC_AWS_IAM_57
How to Fix
data "aws_iam_policy_document" "example" {
statement {
sid = "1"
effect = "Allow"
actions = [
"s3:*"
]
resources = [
"foo",
]
}
}Description
This policy allows actions that permit modification of resource-based policies or can otherwise can expose AWS resources to the public via similar actions that can lead to resource exposure.For example:
1 - s3:PutBucketPolicy, s3:PutBucketAcl, and s3:PutObjectAcl grant permissions to modify the properties of S3 buckets or objects for new or existing objects in an S3 bucket, which could expose objects to rogue actors or to the internet.
2 - ecr:SetRepositoryPolicy could allow an attacker to exfiltrate container images (which sometimes unintentionally contain secrets and non-public information), tamper with container images, or otherwise modify.
3 - iam:UpdateAssumeRolePolicy could allow an attacker to create a backdoor by assuming a privileged role in the victim account from an external account.
The ability to modify AWS Resource Access Manager, which could allow a malicious actor to share a VPC hosting sensitive or internal services to rogue AWS accounts
Attackers can easily exploit Resource Exposure permissions to expose resources to rogue users or the internet, as shown by endgame, an AWS pentesting tool that was also released by Salesforce.
For more info, visit cloudsplaning documentation
https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/
| context = module.this.context | ||
| } | ||
|
|
||
| data "aws_iam_policy_document" "key_policy" { |
There was a problem hiding this comment.
Ensure IAM policies do not allow permissions management / resource exposure without constraint
Resource: aws_iam_policy_document.key_policy | ID: BC_AWS_IAM_56
How to Fix
data "aws_iam_policy_document" "example" {
statement {
sid = "1"
effect = "Allow"
actions = [
"s3:*"
]
resources = [
"foo",
]
}
}Description
This policy allows actions that permit modification of resource-based policies or can otherwise can expose AWS resources to the public via similar actions that can lead to resource exposure.For example:
1 - s3:PutBucketPolicy, s3:PutBucketAcl, and s3:PutObjectAcl grant permissions to modify the properties of S3 buckets or objects for new or existing objects in an S3 bucket, which could expose objects to rogue actors or to the internet.
2 - ecr:SetRepositoryPolicy could allow an attacker to exfiltrate container images (which sometimes unintentionally contain secrets and non-public information), tamper with container images, or otherwise modify.
3 - iam:UpdateAssumeRolePolicy could allow an attacker to create a backdoor by assuming a privileged role in the victim account from an external account.
The ability to modify AWS Resource Access Manager, which could allow a malicious actor to share a VPC hosting sensitive or internal services to rogue AWS accounts
Attackers can easily exploit Resource Exposure permissions to expose resources to rogue users or the internet, as shown by endgame, an AWS pentesting tool that was also released by Salesforce.
For more info, visit cloudsplaning documentation
https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/
| @@ -1,15 +1,80 @@ | |||
| locals { | |||
| account_id = data.aws_caller_identity.current.account_id | |||
| account_principal = "arn:aws:iam::${local.account_id}:root" | |||
There was a problem hiding this comment.
Let's use the data source here for govcloud
| account_principal = "arn:aws:iam::${local.account_id}:root" | |
| account_principal = "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:root" |
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition
|
|
||
| principals { | ||
| type = "AWS" | ||
| identifiers = local.administration_principals |
There was a problem hiding this comment.
| identifiers = local.administration_principals | |
| identifiers = [local.account_principal] |
| administration_principals = [ | ||
| local.account_principal | ||
| ] | ||
|
|
There was a problem hiding this comment.
This local doesn't seem very useful
| administration_principals = [ | |
| local.account_principal | |
| ] |
| ))) | ||
| } | ||
|
|
||
| data "aws_caller_identity" "current" {} |
There was a problem hiding this comment.
| data "aws_caller_identity" "current" {} | |
| data "aws_caller_identity" "current" {} | |
| data "aws_partition" "current" {} |
| variable "description" { | ||
| type = string | ||
| description = "The description for the KMS Key." | ||
| default = null |
There was a problem hiding this comment.
If the description isn't set to the original value of Parameter Store KMS master key, won't that cause people's kms keys to be recreated?
| default = "Parameter Store KMS master key" | ||
| description = "The description of the key as viewed in AWS console" | ||
| default = "ENCRYPT_DECRYPT" | ||
| description = "Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`." |
There was a problem hiding this comment.
Should we add a validation rule here or is this already done by the upstream module?
| type = string | ||
| default = "" | ||
| description = "The display name of the alias. The name must start with the word `alias` followed by a forward slash. If not specified, the alias name will be auto-generated." | ||
| default = "SYMMETRIC_DEFAULT" |
There was a problem hiding this comment.
Is this a breaking change or is this the normal default and we're just being explicit?
| "kms:*", | ||
| ] | ||
|
|
||
| resources = ["*"] |
There was a problem hiding this comment.
It would be good to allow overriding the resources here so users of this component can give granular permissions to kms. These would also allay warnings by bridgecrew shown above.
| identifiers = local.principals | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Instead of hard coding this policy here, can we utilize this module and expose the inputs as variables so we can be as flexible as possible from the YAML?
https://github.com/cloudposse/terraform-aws-iam-policy
e.g.
components:
terraform:
kms:
vars:
policy:
iam_policy_statements:
KeyAdministration:
effect: "Allow"
actions:
- "kms:*"
resources:
- "*"
principals:
type: "AWS"
# This may be something we can contribute to the upstream module to dynamically fill these %s in
# or it can be added by the HCL for this component
identifiers:
- "arn:%s:iam::%s:root"
KeyUsage:
effect: "Allow"
actions:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:DescribeKey"
resources:
- "*"
principals:
type: "AWS"
# Same here, these can be provided by the HCL unless this `identifiers` key is provided
identifiers:
- "..."
what
why
aws-team-roleroles into the KMS policy, so we do something like "Admins in the dev account have access to use this Key"references