From 8e5dc32bde91bbfa960a46c79650d114436939df Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 6 Oct 2022 16:25:33 +0200 Subject: [PATCH] Modify rule S6304: Add Python CDK (#1299) --- rules/S6304/ask-yourself.adoc | 6 +-- rules/S6304/description.adoc | 2 +- rules/S6304/message.adoc | 3 ++ rules/S6304/metadata.json | 2 +- rules/S6304/python/highlighting.adoc | 4 ++ rules/S6304/python/metadata.json | 2 + rules/S6304/python/rule.adoc | 60 ++++++++++++++++++++++++++++ rules/S6304/recommended.adoc | 2 +- 8 files changed, 74 insertions(+), 7 deletions(-) create mode 100644 rules/S6304/message.adoc create mode 100644 rules/S6304/python/highlighting.adoc create mode 100644 rules/S6304/python/metadata.json create mode 100644 rules/S6304/python/rule.adoc diff --git a/rules/S6304/ask-yourself.adoc b/rules/S6304/ask-yourself.adoc index 413967b875..1cbfa8106d 100644 --- a/rules/S6304/ask-yourself.adoc +++ b/rules/S6304/ask-yourself.adoc @@ -1,7 +1,5 @@ == Ask Yourself Whether -The AWS account: +The AWS account has more than one resource with different levels of sensitivity. -* has more than one resource with different levels of sensitivity. - -There is a risk if you answered yes to any of this question. +A risk exists if you answered yes to this question. diff --git a/rules/S6304/description.adoc b/rules/S6304/description.adoc index cf15ae9870..5e2d069091 100644 --- a/rules/S6304/description.adoc +++ b/rules/S6304/description.adoc 
@@ -1,2 +1,2 @@ -A policy that allows identities to access all resources in an AWS account may violates https://en.wikipedia.org/wiki/Principle_of_least_privilege[the principle of least privilege]. Suppose an identity has permission to access all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access and disclosure of sensitive information will occur. +A policy that allows identities to access all resources in an AWS account may violate https://en.wikipedia.org/wiki/Principle_of_least_privilege[the principle of least privilege]. Suppose an identity has permission to access all resources even though it only requires access to some non-sensitive ones. In this case, unauthorized access and disclosure of sensitive information will occur. diff --git a/rules/S6304/message.adoc b/rules/S6304/message.adoc new file mode 100644 index 0000000000..4bf71dc145 --- /dev/null +++ b/rules/S6304/message.adoc @@ -0,0 +1,3 @@ +=== Message + +* Make sure granting access to all resources is safe here. diff --git a/rules/S6304/metadata.json b/rules/S6304/metadata.json index 7ddc1b0016..dd08728593 100644 --- a/rules/S6304/metadata.json +++ b/rules/S6304/metadata.json @@ -1,5 +1,5 @@ { - "title": "Policies granting access to all resources of an accounts are security-sensitive", + "title": "Policies granting access to all resources of an account are security-sensitive", "type": "SECURITY_HOTSPOT", "status": "ready", "remediation": { diff --git a/rules/S6304/python/highlighting.adoc b/rules/S6304/python/highlighting.adoc new file mode 100644 index 0000000000..1cf2cf5d67 --- /dev/null +++ b/rules/S6304/python/highlighting.adoc @@ -0,0 +1,4 @@ +=== Highlighting + +* Primary location: `resources` (constructor) or `Resource` (`from_json`) +* Secondary location: `effect` (constructor, if it exists) or `Effect` (`from_json`) 
diff --git a/rules/S6304/python/metadata.json b/rules/S6304/python/metadata.json new file mode 100644 index 0000000000..7a73a41bfd --- /dev/null +++ b/rules/S6304/python/metadata.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S6304/python/rule.adoc b/rules/S6304/python/rule.adoc new file mode 100644 index 0000000000..5aa17c1ed7 --- /dev/null +++ b/rules/S6304/python/rule.adoc @@ -0,0 +1,60 @@ +include::../description.adoc[] + +include::../ask-yourself.adoc[] + +include::../recommended.adoc[] + +== Noncompliant Code Example + +The wildcard `"*"` is specified as the resource for this `PolicyStatement`. This grants the update permission for all policies of the account: + +[source,python] +---- +from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement + +PolicyDocument( + statements=[ + PolicyStatement( + effect=Effect.ALLOW, + actions="iam:CreatePolicyVersion", + resources=["*"] # Noncompliant + ) + ] +) +---- + +== Compliant Solution + +Restrict the update permission to the appropriate subset of policies: + +[source,python] +---- +from aws_cdk import Aws +from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement + +PolicyDocument( + statements=[ + PolicyStatement( + effect=Effect.ALLOW, + actions="iam:CreatePolicyVersion", + resources=[f"arn:aws:iam::{Aws.ACCOUNT_ID}:policy/team1/*"] + ) + ] +) +---- + +include::../exceptions.adoc[] + +include::../see.adoc[] + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +include::../message.adoc[] + +include::highlighting.adoc[] + +endif::env-github,rspecator-view[] diff --git a/rules/S6304/recommended.adoc b/rules/S6304/recommended.adoc index 6a4fdc3e0d..8575cade0b 100644 --- a/rules/S6304/recommended.adoc +++ b/rules/S6304/recommended.adoc 
@@ -1,3 +1,3 @@ == Recommended Secure Coding Practices -It's recommended to apply the least privilege principle, i.e. by only granting access to necessary resources. A good practice to achieve this is to organize or https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/[tag] resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors. +It's recommended to apply the least privilege principle, i.e., by only granting access to necessary resources. A good practice to achieve this is to organize or https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/[tag] resources depending on the sensitivity level of data they store or process. Therefore, managing a secure access control is less prone to errors.
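Review bot: in the description.adoc hunk, the rewritten line keeps "unauthorized access and disclosure of sensitive information will occur", which asserts a certain outcome for what the same patch classifies as a SECURITY_HOTSPOT (metadata.json) and phrases as "A risk exists" (ask-yourself.adoc). Since the line is already being touched for the "violates"/"violate" fix, suggest softening it to "may occur" or "becomes possible" so the description matches the hotspot framing.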
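Review bot: the new rules/S6304/python/metadata.json is written without a trailing newline ("\ No newline at end of file"). Add the newline so the file is consistent with the other JSON files in the rule directory and does not show as a spurious change the next time it is edited.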
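Review bot: in the python/rule.adoc hunk, both the noncompliant and the compliant snippet pass `actions="iam:CreatePolicyVersion"`, a bare string, where `PolicyStatement` takes a sequence of action strings; a reader copying the example gets a statement that does not reliably encode the single action intended. Suggest `actions=["iam:CreatePolicyVersion"]` in both snippets. The compliant snippet also hardcodes the partition in `arn:aws:iam::{Aws.ACCOUNT_ID}:policy/team1/*`; using `f"arn:{Aws.PARTITION}:iam::{Aws.ACCOUNT_ID}:policy/team1/*"` keeps the example correct outside the standard partition. Finally, the new file includes `../exceptions.adoc` and `../see.adoc`, which this patch does not create, so please confirm both already exist under rules/S6304 or the include fails at build time.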
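Review bot: in the recommended.adoc hunk, the rewritten line still ends with "managing a secure access control is less prone to errors", which reads awkwardly ("a secure access control" as a count noun). Since the line is already being edited for the "i.e.," comma, suggest "managing access control securely is then less error-prone".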