re-order and adding permission for validate template

Author: Taniya Mathur

.gitlab-ci.yml

@@ -16,8 +16,8 @@ image: public.ecr.aws/docker/library/python:3.13-bookworm
 
 stages:
   - developer_tests
-  - integration_tests
   - deployment_validation
+  - integration_tests
 
 developer_tests:
   stage: developer_tests
@@ -111,6 +111,8 @@ deployment_validation:
     - pip install PyYAML
 
   script:
+    # Validate CloudFormation service role template syntax
+    - aws cloudformation validate-template --template-body file://iam-roles/cloudformation-management/IDP-Cloudformation-Service-Role.yaml --no-cli-pager
     # Check if service role has sufficient permissions for main stack deployment
     - |
       python3 -c "

analyze_high_priority_issues.py

@@ -0,0 +1,62 @@
+#!/usr/bin/env python3
+
+import json
+from collections import defaultdict
+
+def analyze_high_priority_issues():
+    """Analyze high priority security issues from DSR report"""
+    
+    # Load the issues file
+    with open('.dsr/issues.json', 'r') as f:
+        issues = json.load(f)
+    
+    # Filter high priority issues (case insensitive)
+    high_priority_issues = [
+        issue for issue in issues 
+        if issue.get('priority', '').lower() == 'high'
+    ]
+    
+    # Categorize by check_id prefix
+    categories = defaultdict(list)
+    
+    for issue in high_priority_issues:
+        check_id = issue.get('check_id', 'UNKNOWN')
+        prefix = check_id.split('-')[0] if '-' in check_id else check_id.split('_')[0]
+        categories[prefix].append(issue)
+    
+    # Print summary
+    print("HIGH PRIORITY SECURITY ISSUES ANALYSIS")
+    print("=" * 50)
+    print(f"Total High Priority Issues: {len(high_priority_issues)}")
+    print()
+    
+    # Sort categories by count (descending)
+    sorted_categories = sorted(categories.items(), key=lambda x: len(x[1]), reverse=True)
+    
+    for category, issues_list in sorted_categories:
+        print(f"{category}: {len(issues_list)} issues")
+        
+        # Group by specific check_id within category
+        check_ids = defaultdict(int)
+        for issue in issues_list:
+            check_ids[issue.get('check_id', 'UNKNOWN')] += 1
+        
+        for check_id, count in sorted(check_ids.items(), key=lambda x: x[1], reverse=True):
+            print(f"  - {check_id}: {count}")
+        print()
+    
+    # Detailed breakdown by issue type
+    print("DETAILED ISSUE BREAKDOWN")
+    print("=" * 30)
+    
+    issue_types = defaultdict(int)
+    for issue in high_priority_issues:
+        issue_desc = issue.get('issue', 'Unknown issue')[:80] + "..." if len(issue.get('issue', '')) > 80 else issue.get('issue', 'Unknown issue')
+        issue_types[issue_desc] += 1
+    
+    for issue_type, count in sorted(issue_types.items(), key=lambda x: x[1], reverse=True):
+        if count > 1:
+            print(f"{count}x: {issue_type}")
+
+if __name__ == "__main__":
+    analyze_high_priority_issues()

high_periority_issues.md

@@ -0,0 +1,56 @@
+HIGH PRIORITY SECURITY ISSUES ANALYSIS
+==================================================
+Total High Priority Issues: 140
+
+S3: 83 issues
+  - S3-005: 30
+  - S3-008: 27
+  - S3-001: 26
+
+DDB: 17 issues
+  - DDB-002: 17
+
+IAM: 14 issues
+  - IAM-004: 8
+  - IAM-005: 6
+
+LAMBDA: 9 issues
+  - LAMBDA-004: 3
+  - LAMBDA-011: 3
+  - LAMBDA-012: 3
+
+EKS: 5 issues
+  - EKS-024: 5
+
+ASC: 3 issues
+  - ASC-002: 3
+
+CFR: 3 issues
+  - CFR-004: 3
+
+EC2: 2 issues
+  - EC2-002: 2
+
+CKV: 2 issues
+  - CKV_AWS_99: 2
+
+KMS: 2 issues
+  - KMS-002: 1
+  - KMS-007: 1
+
+DETAILED ISSUE BREAKDOWN
+==============================
+30x: S3 bucket used as CloudFront origin lacks OAC configuration (intrinsic function ...
+27x: S3 bucket lacks lifecycle policy
+26x: S3 bucket does not have proper access logging or violates least privilege princi...
+17x: DynamoDB data plane events are not captured by CloudTrail logging
+8x: Compute resource has IAM role without permissions boundary, allowing unrestricte...
+6x: Resource policy allows cross-account access without proper confused deputy preve...
+5x: Container images are not being scanned for vulnerabilities (no image scanning st...
+3x: No X-Ray tracing configured for Lambda function
+3x: Lambda function lacks CloudWatch alarms for monitoring
+3x: Lambda function shares an IAM execution role with another function
+3x: AppSync GraphQL API is missing appropriate authorization method (missing or inco...
+3x: CloudFront distribution allows insecure HTTP traffic (no minimum TLS version spe...
+2x: EC2 instance role violates principle of least privilege
+2x: Ensure Glue Security Configuration Encryption is enabled

scripts/sdlc/cfn/credential-vendor.yml

@@ -91,6 +91,15 @@ Resources:
                 Action:
                   - codebuild:BatchGetBuilds
                 Resource: !Sub "arn:aws:codebuild:*:${AWS::AccountId}:project/*"
+        - PolicyName: CloudFormationValidatePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Sid: CloudFormationValidate
+                Effect: Allow
+                Action:
+                  - cloudformation:ValidateTemplate
+                Resource: "*"
         - PolicyName: CloudWatchLogsAccessPolicy
           PolicyDocument:
             Version: '2012-10-17'