-
-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: updates kms comp with embedded policy creation #523
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bridgecrew has found errors in this PR ⬇️
context = module.this.context | ||
} | ||
|
||
data "aws_iam_policy_document" "key_policy" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure IAM policies does not allow write access without constraint
Resource: aws_iam_policy_document.key_policy | ID: BC_AWS_IAM_57
How to Fix
data "aws_iam_policy_document" "example" {
statement {
sid = "1"
effect = "Allow"
actions = [
"s3:*"
]
resources = [
"foo",
]
}
}
Description
This policy allows actions that permit modification of resource-based policies or can otherwise can expose AWS resources to the public via similar actions that can lead to resource exposure.For example:
1 - s3:PutBucketPolicy, s3:PutBucketAcl, and s3:PutObjectAcl grant permissions to modify the properties of S3 buckets or objects for new or existing objects in an S3 bucket, which could expose objects to rogue actors or to the internet.
2 - ecr:SetRepositoryPolicy could allow an attacker to exfiltrate container images (which sometimes unintentionally contain secrets and non-public information), tamper with container images, or otherwise modify.
3 - iam:UpdateAssumeRolePolicy could allow an attacker to create a backdoor by assuming a privileged role in the victim account from an external account.
The ability to modify AWS Resource Access Manager, which could allow a malicious actor to share a VPC hosting sensitive or internal services to rogue AWS accounts
Attackers can easily exploit Resource Exposure permissions to expose resources to rogue users or the internet, as shown by endgame, an AWS pentesting tool that was also released by Salesforce.
For more info, visit cloudsplaning documentation
https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/
context = module.this.context | ||
} | ||
|
||
data "aws_iam_policy_document" "key_policy" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensure IAM policies do not allow permissions management / resource exposure without constraint
Resource: aws_iam_policy_document.key_policy | ID: BC_AWS_IAM_56
How to Fix
data "aws_iam_policy_document" "example" {
statement {
sid = "1"
effect = "Allow"
actions = [
"s3:*"
]
resources = [
"foo",
]
}
}
Description
This policy allows actions that permit modification of resource-based policies or can otherwise can expose AWS resources to the public via similar actions that can lead to resource exposure.For example:
1 - s3:PutBucketPolicy, s3:PutBucketAcl, and s3:PutObjectAcl grant permissions to modify the properties of S3 buckets or objects for new or existing objects in an S3 bucket, which could expose objects to rogue actors or to the internet.
2 - ecr:SetRepositoryPolicy could allow an attacker to exfiltrate container images (which sometimes unintentionally contain secrets and non-public information), tamper with container images, or otherwise modify.
3 - iam:UpdateAssumeRolePolicy could allow an attacker to create a backdoor by assuming a privileged role in the victim account from an external account.
The ability to modify AWS Resource Access Manager, which could allow a malicious actor to share a VPC hosting sensitive or internal services to rogue AWS accounts
Attackers can easily exploit Resource Exposure permissions to expose resources to rogue users or the internet, as shown by endgame, an AWS pentesting tool that was also released by Salesforce.
For more info, visit cloudsplaning documentation
https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/
@@ -1,15 +1,80 @@ | |||
locals { | |||
account_id = data.aws_caller_identity.current.account_id | |||
account_principal = "arn:aws:iam::${local.account_id}:root" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's use the data source here for govcloud
account_principal = "arn:aws:iam::${local.account_id}:root" | |
account_principal = "arn:${data.aws_partition.current.partition}:iam::${local.account_id}:root" |
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition
|
||
principals { | ||
type = "AWS" | ||
identifiers = local.administration_principals |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
identifiers = local.administration_principals | |
identifiers = [local.account_principal] |
administration_principals = [ | ||
local.account_principal | ||
] | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This local doesn't seem very useful
administration_principals = [ | |
local.account_principal | |
] |
))) | ||
} | ||
|
||
data "aws_caller_identity" "current" {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
data "aws_caller_identity" "current" {} | |
data "aws_caller_identity" "current" {} | |
data "aws_partition" "current" {} |
variable "description" { | ||
type = string | ||
description = "The description for the KMS Key." | ||
default = null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the description isn't set to the original value of Parameter Store KMS master key
, won't that cause people's kms keys to be recreated?
default = "Parameter Store KMS master key" | ||
description = "The description of the key as viewed in AWS console" | ||
default = "ENCRYPT_DECRYPT" | ||
description = "Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we add a validation rule here or is this already done by the upstream module?
type = string | ||
default = "" | ||
description = "The display name of the alias. The name must start with the word `alias` followed by a forward slash. If not specified, the alias name will be auto-generated." | ||
default = "SYMMETRIC_DEFAULT" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a breaking change or is this the normal default and we're just being explicit?
"kms:*", | ||
] | ||
|
||
resources = ["*"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be good to allow overriding the resources
here so users of this component can give granular permissions to kms
. These would also allay warnings by bridgecrew shown above.
identifiers = local.principals | ||
} | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of hard coding this policy here, can we utilize this module and expose the inputs as variables so we can be as flexible as possible from the YAML?
https://github.com/cloudposse/terraform-aws-iam-policy
e.g.
components:
terraform:
kms:
vars:
policy:
iam_policy_statements:
KeyAdministration:
effect: "Allow"
actions:
- "kms:*"
resources:
- "*"
principals:
type: "AWS"
# This may be something we can contribute to the upstream module to dynamically fill these %s in
# or it can be added by the HCL for this component
identifiers:
- "arn:%s:iam::%s:root"
KeyUsage:
effect: "Allow"
actions:
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt*"
- "kms:GenerateDataKey*"
- "kms:DescribeKey"
resources:
- "*"
principals:
type: "AWS"
# Same here, these can be provided by the HCL unless this `identifiers` key is provided
identifiers:
- "..."
what
why
aws-team-role
roles into the KMS policy, so we do something like "Admins in the dev account have access to use this Key"references