Adding support for new resource types in check-no-public-access api. (#39)

* Adding support for new resource types in check-no-public-access api.

* Adding support for new resource types in check-no-public-access api.

* Adding support for new resource types in check-no-public-access api.

* Adding support for new resource types in check-no-public-access api.

* Update the GHH action to publish to PyPi version

* Adding support for new resource types in check-no-public-access api.

* Adding support for new resource types in check-no-public-access api.

Author: hbendapu

.github/workflows/release-to-pypi.yaml

@@ -21,7 +21,7 @@ jobs:
         run: |
           python3 -m build
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@v1.8.14
+        uses: pypa/gh-action-pypi-publish@@v1.12.4
         with:
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}

README.md

@@ -148,6 +148,11 @@ Resource-based policies that can be checked with `check-no-public-access` are li
 - AWS::SecretsManager::Secret
 - AWS::SNS::Topic
 - AWS::SQS::Queue
+- AWS::S3Tables::TableBucket
+- AWS::S3Tables::Table
+- AWS::Backup::BackupVault
+- AWS::CodeArtifact::Domain
+- AWS::ApiGateway::RestApi
 - Role trust policies (AWS::IAM::AssumeRolePolicyDocument)
 
 

iam_check/config/default.yaml

@@ -53,6 +53,11 @@ arnServiceMap:
   aws_transfer_access: server_id?fakeServerId
   aws_transfer_user: user_name?fakeUserName
   aws_vpc_endpoint: fakeName
+  aws_s3tables_table_bucket_policy: table_bucket_arn?fakeTableBucketARN
+  aws_s3tables_table_policy: table_bucket_arn?fakeTableBucketARN
+  aws_kinesis_resource_policy: resource_arn?fakeResourceArn
+  aws_dynamodb_resource_policy: resource_arn?fakeResourceArn
+  aws_lambda_permission: function_name?fakeFunctionName
 # iamChecks:
 #   - AccessAnalyzer
 
@@ -116,6 +121,12 @@ iamPolicyAttributes:
   aws_transfer_access: policy
   aws_transfer_user: policy
   aws_vpc_endpoint: policy
+  aws_s3tables_table_bucket_policy: resource_policy
+  aws_s3tables_table_policy: resource_policy
+  aws_kinesis_resource_policy: policy
+  aws_dynamodb_resource_policy: policy
+  aws_lambda_permission: policy
+
 
 validatePolicyResourceType:
   aws_s3_bucket: AWS::S3::Bucket

iam_check/lib/iamcheck_AccessAnalyzer.py

@@ -34,6 +34,24 @@
     "aws_sqs_queue": "AWS::SQS::Queue",
     "aws_sqs_queue_policy": "AWS::SQS::Queue",
     "assume_role_policy": "AWS::IAM::AssumeRolePolicyDocument",
+    "aws_s3tables_table_bucket": "AWS::S3Tables::TableBucket",
+    "aws_s3tables_table_bucket_policy": "AWS::S3Tables::TableBucket",
+    "aws_api_gateway_rest_api": "AWS::ApiGateway::RestApi",
+    "aws_api_gateway_rest_api_policy": "AWS::ApiGateway::RestApi",
+    "aws_codeartifact_domain": "AWS::CodeArtifact::Domain",
+    "aws_codeartifact_domain_permissions_policy": "AWS::CodeArtifact::Domain",
+    "aws_backup_vault": "AWS::Backup::BackupVault",
+    "aws_backup_vault_policy": "AWS::Backup::BackupVault",
+    "aws_cloudtrail_event_data_store": "AWS::CloudTrail::EventDataStore",
+    "aws_s3tables_table": "AWS::S3Tables::Table",
+    "aws_s3tables_table_policy": "AWS::S3Tables::Table",
+    "aws_lambda_permission": "AWS::Lambda::Function",
+    "aws_lambda_function": "AWS::Lambda::Function",
+    "aws_dynamodb_resource_policy": "AWS::DynamoDB::Table",
+    "aws_dynamodb_table": "AWS::DynamoDB::Table",
+    "aws_kinesis_resource_policy": "AWS::Kinesis::Stream",
+    "aws_kinesis_stream": "AWS::Kinesis::Stream",
+    "aws_kinesis_stream_consumer": "AWS::Kinesis::StreamConsumer",
 }
 
 

iam_check/lib/tfPlan.py

@@ -1,4 +1,5 @@
 # from ..config import iamPolicyAttributes, arnServiceMap, awsAccount
+from collections import defaultdict
 import iam_check.config as config
 import enum
 import logging
@@ -81,10 +82,66 @@ def __str__(self) -> str:
             obj["proposed_unknown"] = json.loads(str(self.proposed_unknown))
         return json.dumps(obj, indent=4)
 
+    def generatePolicyForLambda(self, resource, permissions_policies):
+        action = self.getValue(f"{resource}.action")
+        function_name = self.getValue(f"{resource}.function_name")
+        principal = self.getValue(f"{resource}.principal")
+        source_arn = None
+        source_account = None
+        principal_org_id = None
+        try:
+            source_arn = self.getValue(f"{resource}.source_arn")
+        except KeyError:
+            pass
+        try:
+            source_account = self.getValue(f"{resource}.source_account")
+        except KeyError:
+            pass
+        try:
+            principal_org_id = self.getValue(f"{resource}.principal_org_id")
+        except KeyError:
+            pass
+
+        policy_statement = {"Effect": "Allow", "Action": action}
+        if "amazonaws" in principal:
+            # this is a permission to a service
+            policy_statement["Principal"] = {"Service": principal}
+        else:
+            # otherwise this is a permission to an account
+            policy_statement["Principal"] = {"AWS": principal}
+
+        # just the function name
+        policy_statement["Resource"] = f"arn::lambda:::function:{function_name}"
+        # Ref to the supported arguments
+        # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission
+
+        if source_arn is not None:
+            condition = policy_statement.get("Condition", {})
+            condition["ArnLike"] = {"AWS:SourceArn": source_arn}
+            policy_statement["Condition"] = condition
+
+        if source_account is not None:
+            condition = policy_statement.get("Condition", {})
+            condition["StringEquals"] = {"AWS:SourceAccount": source_account}
+            policy_statement["Condition"] = condition
+
+        if principal_org_id is not None:
+            condition = policy_statement.get("Condition", {})
+            if "StringEquals" not in condition:
+                condition["StringEquals"] = {}
+            condition["StringEquals"]["AWS:PrincipalOrgID"] = principal_org_id
+            policy_statement["Condition"] = condition
+
+        permissions_policies[f"{resource}.policy"].append(policy_statement)
+        return permissions_policies
+
     def findPolicies(self):
         logging.debug("generating a list of policies in plan")
         policies = {}
         resources = self.listResources()
+        # used to collect all policy statements related to a resource. Currently, only applicable to aws_lambda_permission
+        # where each aws_lambda_permission is mapped to a statement.
+        permissions_policies = defaultdict(list)
         for r in resources:
             resourceType = r.split(".")[-2]
             if resourceType not in config.iamPolicyAttributes:
@@ -93,6 +150,11 @@ def findPolicies(self):
             attributes = config.iamPolicyAttributes[resourceType]
             if isinstance(attributes, str):
                 attributes = [attributes]
+            if resourceType == "aws_lambda_permission":
+                permissions_policies = self.generatePolicyForLambda(
+                    r, permissions_policies
+                )
+                continue
             for attribute in attributes:
                 # check if attribute is a base one or inside a block
                 if "." not in attribute:
@@ -134,6 +196,10 @@ def findPolicies(self):
                                     policies[ref] = policy
                             else:
                                 LOGGER.info(f"No policy found at: {ref}")
+        for key, statements in permissions_policies.items():
+            policy_document = {"Version": "2012-10-17", "Statement": statements}
+            policies[key] = json.dumps(policy_document)
+
         for ref in policies.keys():
             LOGGER.debug(f"found policy at {ref}")
 

iam_check/test/no_access_granted/actions_findings.json

@@ -3,14 +3,14 @@
     {
       "findingType": "SECURITY_WARNING",
       "code": "policy-analysis-CheckAccessNotGranted",
-      "message": "The policy document grants access to perform one or more of the listed actions or resources.",
+      "message": "The policy document grants access to perform one or more of the listed actions.",
       "resourceName": "fakeBucket",
       "policyName": "aws_s3_bucket_policy.allow_access_from_another_account",
       "details": {
         "result": "FAIL",
         "reasons": [
           {
-            "description": "One or more of the listed actions or resources in the statement with index: 0.",
+            "description": "One or more of the listed actions in the statement with index: 0.",
             "statementIndex": 0,
             "accessInput": [
               {
@@ -21,7 +21,7 @@
             ]
           }
         ],
-        "message": "The policy document grants access to perform one or more of the listed actions or resources."
+        "message": "The policy document grants access to perform one or more of the listed actions."
       }
     }
   ],

iam_check/test/no_access_granted/resources_and_actions_findings.json

@@ -3,14 +3,14 @@
     {
       "findingType": "SECURITY_WARNING",
       "code": "policy-analysis-CheckAccessNotGranted",
-      "message": "The policy document grants access to perform one or more of the listed actions or resources.",
+      "message": "The policy document grants access to one or more listed resources to perform one or more listed actions.",
       "resourceName": "fakeBucket",
       "policyName": "aws_s3_bucket_policy.allow_access_from_another_account",
       "details": {
         "result": "FAIL",
         "reasons": [
           {
-            "description": "One or more of the listed actions or resources in the statement with index: 0.",
+            "description": "One or more of the listed actions and/or resources in the statement with index: 0.",
             "statementIndex": 0,
             "accessInput": [
               {
@@ -24,7 +24,7 @@
             ]
           }
         ],
-        "message": "The policy document grants access to perform one or more of the listed actions or resources."
+        "message": "The policy document grants access to one or more listed resources to perform one or more listed actions."
       }
     }
   ],

iam_check/test/no_access_granted/resources_findings.json

@@ -3,14 +3,14 @@
     {
       "findingType": "SECURITY_WARNING",
       "code": "policy-analysis-CheckAccessNotGranted",
-      "message": "The policy document grants access to perform one or more of the listed actions or resources.",
+      "message": "The policy document grants access to one or more of the listed resources.",
       "resourceName": "fakeBucket",
       "policyName": "aws_s3_bucket_policy.allow_access_from_another_account",
       "details": {
         "result": "FAIL",
         "reasons": [
           {
-            "description": "One or more of the listed actions or resources in the statement with index: 0.",
+            "description": "One or more of the listed resources in the statement with index: 0.",
             "statementIndex": 0,
             "accessInput": [
               {
@@ -21,7 +21,7 @@
             ]
           }
         ],
-        "message": "The policy document grants access to perform one or more of the listed actions or resources."
+        "message": "The policy document grants access to one or more of the listed resources."
       }
     }
   ],