From d0f22b132bd936c4e111174d152ffdc17670d0cb Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Wed, 18 Dec 2024 16:08:42 +0600
Subject: [PATCH] chore: add removed Go checks as deprecated

Signed-off-by: Nikita Pivkin
---
 .../aws/iam/AVD-AWS-0057/CloudFormation.md | 9 +-
 avd_docs/aws/iam/AVD-AWS-0057/Terraform.md | 69 ++++++------
 avd_docs/aws/iam/AVD-AWS-0057/docs.md | 3 +-
 avd_docs/aws/iam/AVD-AWS-0169/docs.md | 5 +-
 .../aws/sam/AVD-AWS-0114/CloudFormation.md | 23 ++--
 avd_docs/aws/sam/AVD-AWS-0114/docs.md | 3 +-
 .../aws/sam/AVD-AWS-0120/CloudFormation.md | 17 ++-
 avd_docs/aws/sam/AVD-AWS-0120/docs.md | 6 +-
 avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md | 6 +-
 avd_docs/aws/ssm/AVD-AWS-0134/docs.md | 3 +-
 .../enable_access_analyzer.rego | 1 +
 checks/cloud/aws/iam/no_policy_wildcards.rego | 38 +++++++
 checks/cloud/aws/iam/no_policy_wildcards.yaml | 106 ++++++++++++++++++
 .../cloud/aws/iam/require_support_role.rego | 29 +++++
 .../aws/sam/no_function_policy_wildcards.rego | 28 +++++
 .../aws/sam/no_function_policy_wildcards.yaml | 46 ++++++++
 .../no_state_machine_policy_wildcards.rego | 40 +++++++
 .../no_state_machine_policy_wildcards.yaml | 50 +++++++++
 .../cloud/aws/ssm/avoid_leaks_via_http.rego | 31 +++++
 test/rego/aws_access_analyzer_test.go | 52 --------
 20 files changed, 440 insertions(+), 125 deletions(-)
 create mode 100644 checks/cloud/aws/iam/no_policy_wildcards.rego
 create mode 100644 checks/cloud/aws/iam/no_policy_wildcards.yaml
 create mode 100644 checks/cloud/aws/iam/require_support_role.rego
 create mode 100644 checks/cloud/aws/sam/no_function_policy_wildcards.rego
 create mode 100644 checks/cloud/aws/sam/no_function_policy_wildcards.yaml
 create mode 100644 checks/cloud/aws/sam/no_state_machine_policy_wildcards.rego
 create mode 100644 checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml
 create mode 100644 checks/cloud/aws/ssm/avoid_leaks_via_http.rego
 delete mode 100644 test/rego/aws_access_analyzer_test.go
diff --git a/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md b/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md index 42f175d1..1ac5d71c 100644 --- a/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md +++ b/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md @@ -1,10 +1,10 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. -```yaml--- +```yaml Resources: GoodPolicy: - Type: 'AWS::IAM::Policy' + Type: AWS::IAM::Policy Properties: PolicyName: CFNUsers PolicyDocument: @@ -12,9 +12,8 @@ Resources: Statement: - Effect: Allow Action: - - 's3:ListBuckets' - Resource: 'specific-bucket' - + - s3:ListBuckets + Resource: specific-bucket ``` diff --git a/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md b/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md index d9ef5b23..e5cf3030 100644 --- a/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md +++ b/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md 
@@ -2,41 +2,40 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. ```hcl - resource "aws_iam_role_policy" "test_policy" { - name = "test_policy" - role = aws_iam_role.test_role.id - - policy = data.aws_iam_policy_document.s3_policy.json - } - - resource "aws_iam_role" "test_role" { - name = "test_role" - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = "sts:AssumeRole" - Effect = "Allow" - Sid = "" - Principal = { - Service = "s3.amazonaws.com" - } - }, - ] - }) - } - - data "aws_iam_policy_document" "s3_policy" { - statement { - principals { - type = "AWS" - identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] - } - actions = ["s3:GetObject"] - resources = [aws_s3_bucket.example.arn] - } - } - +resource "aws_iam_role_policy" "test_policy" { + name = "test_policy" + role = aws_iam_role.test_role.id + + policy = data.aws_iam_policy_document.s3_policy.json +} + +resource "aws_iam_role" "test_role" { + name = "test_role" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "s3.amazonaws.com" + } + }, + ] + }) +} + +data "aws_iam_policy_document" "s3_policy" { + statement { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + actions = ["s3:GetObject"] + resources = [aws_s3_bucket.example.arn] + } +} ``` #### Remediation Links diff --git a/avd_docs/aws/iam/AVD-AWS-0057/docs.md b/avd_docs/aws/iam/AVD-AWS-0057/docs.md index 6aa472c9..a216e3da 100644 --- a/avd_docs/aws/iam/AVD-AWS-0057/docs.md +++ b/avd_docs/aws/iam/AVD-AWS-0057/docs.md 
@@ -1,8 +1,9 @@ You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. + ### Impact -Overly permissive policies may grant access to sensitive resources + {{ remediationActions }} diff --git a/avd_docs/aws/iam/AVD-AWS-0169/docs.md b/avd_docs/aws/iam/AVD-AWS-0169/docs.md index e65af623..98bf7fe0 100644 --- a/avd_docs/aws/iam/AVD-AWS-0169/docs.md +++ b/avd_docs/aws/iam/AVD-AWS-0169/docs.md @@ -1,11 +1,10 @@ - By implementing least privilege for access control, an IAM Role will require an appropriate IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support. - + ### Impact -Incident management is not possible without a support role. + {{ remediationActions }} diff --git a/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md index 240a4e18..8d717078 100644 --- a/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md @@ -1,7 +1,7 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. -```yaml--- +```yaml Resources: GoodFunction: Type: AWS::Serverless::Function @@ -10,20 +10,19 @@ Resources: ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name ImageConfig: Command: - - "app.lambda_handler" + - app.lambda_handler EntryPoint: - - "entrypoint1" - WorkingDirectory: "workDir" - Policies: + - entrypoint1 + WorkingDirectory: workDir + Policies: - AWSLambdaExecute - - Version: '2012-10-17' + - Version: "2012-10-17" Statement: - - Effect: Allow - Action: - - s3:GetObject - - s3:GetObjectACL - Resource: 'arn:aws:s3:::my-bucket/*' - + - Effect: Allow + Action: + - s3:GetObject + - s3:GetObjectACL + Resource: arn:aws:s3:::my-bucket/* ``` 
diff --git a/avd_docs/aws/sam/AVD-AWS-0114/docs.md b/avd_docs/aws/sam/AVD-AWS-0114/docs.md index 721f7836..099567a5 100644 --- a/avd_docs/aws/sam/AVD-AWS-0114/docs.md +++ b/avd_docs/aws/sam/AVD-AWS-0114/docs.md @@ -1,8 +1,9 @@ You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. + ### Impact -Overly permissive policies may grant access to sensitive resources + {{ remediationActions }} diff --git a/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md index f6af777e..74133a8a 100644 --- a/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md @@ -1,7 +1,7 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. -```yaml--- +```yaml Resources: GoodFunction: Type: AWS::Serverless::StateMachine @@ -16,16 +16,15 @@ Resources: Role: arn:aws:iam::123456123456:role/service-role/my-sample-role Tracing: Enabled: true - Policies: + Policies: - AWSLambdaExecute - - Version: '2012-10-17' + - Version: "2012-10-17" Statement: - - Effect: Allow - Action: - - s3:GetObject - - s3:GetObjectACL - Resource: 'arn:aws:s3:::my-bucket/*' - + - Effect: Allow + Action: + - s3:GetObject + - s3:GetObjectACL + Resource: arn:aws:s3:::my-bucket/* ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0120/docs.md b/avd_docs/aws/sam/AVD-AWS-0120/docs.md index daade7f5..474db1a3 100644 --- a/avd_docs/aws/sam/AVD-AWS-0120/docs.md +++ b/avd_docs/aws/sam/AVD-AWS-0120/docs.md 
@@ -1,8 +1,10 @@ -You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. +You should use the principle of least privilege when defining your IAM policies. +This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. + ### Impact -Overly permissive policies may grant access to sensitive resources + {{ remediationActions }} diff --git a/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md b/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md index f2a0349f..13b3f94a 100644 --- a/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md +++ b/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md @@ -3,12 +3,10 @@ Remove this potential exfiltration HTTP request. ```hcl resource "aws_ssm_parameter" "db_password" { - name = "db_password" - type = "SecureString" + name = "db_password" + type = "SecureString" value = var.db_password } - - ``` diff --git a/avd_docs/aws/ssm/AVD-AWS-0134/docs.md b/avd_docs/aws/ssm/AVD-AWS-0134/docs.md index 4fe0f81e..dccbfce0 100644 --- a/avd_docs/aws/ssm/AVD-AWS-0134/docs.md +++ b/avd_docs/aws/ssm/AVD-AWS-0134/docs.md @@ -1,8 +1,9 @@ The data.http block can be used to send secret data outside of the organisation. + ### Impact -Secrets could be exposed outside of the organisation. + {{ remediationActions }} diff --git a/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego b/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego index eb467998..aa159db6 100644 --- a/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego +++ b/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego 
@@ -20,6 +20,7 @@
 # service: accessanalyzer
 # severity: LOW
 # short_code: enable-access-analyzer
+# deprecated: true
 # recommended_action: Enable IAM Access analyzer across all regions.
 # frameworks:
 # cis-aws-1.4:
diff --git a/checks/cloud/aws/iam/no_policy_wildcards.rego b/checks/cloud/aws/iam/no_policy_wildcards.rego
new file mode 100644
index 00000000..dff4b918
--- /dev/null
+++ b/checks/cloud/aws/iam/no_policy_wildcards.rego
@@ -0,0 +1,38 @@
+# METADATA
+# title: IAM policy should avoid use of wildcards and instead apply the principle of least privilege
+# description: |
+# You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+# custom:
+# id: AVD-AWS-0057
+# avd_id: AVD-AWS-0057
+# provider: aws
+# service: iam
+# severity: HIGH
+# short_code: no-policy-wildcards
+# deprecated: true
+# recommended_action: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
+# frameworks:
+# default:
+# - null
+# cis-aws-1.4:
+# - "1.16"
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: iam
+# provider: aws
+# terraform:
+# links:
+# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
+# good_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+# bad_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+# cloudformation:
+# good_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+# bad_examples: checks/cloud/aws/iam/no_policy_wildcards.yaml
+package builtin.aws.iam.aws0057
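Review bot: The example-reference key is spelled `cloudformation:` in no_policy_wildcards.rego but `cloud_formation:` in no_function_policy_wildcards.rego, no_state_machine_policy_wildcards.rego and avoid_leaks_via_http.rego added by the same commit; presumably only one spelling is recognised by whatever resolves `good_examples`/`bad_examples`, so the five files should agree. Separately, this file is metadata plus a `package` line with no rule, so as far as this file shows AVD-AWS-0057 can no longer produce findings; that is worth stating for readers of the metadata, e.g. by extending the description with `This check is deprecated and no longer evaluated.` The `frameworks: default: - null` entry is also worth confirming against the metadata schema, since a null list item reads like a leftover rather than an intended value.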
diff --git a/checks/cloud/aws/iam/no_policy_wildcards.yaml b/checks/cloud/aws/iam/no_policy_wildcards.yaml
new file mode 100644
index 00000000..aabc6afd
--- /dev/null
+++ b/checks/cloud/aws/iam/no_policy_wildcards.yaml
@@ -0,0 +1,106 @@
+cloudformation:
+ good:
+ - |-
+ Resources:
+ GoodPolicy:
+ Type: AWS::IAM::Policy
+ Properties:
+ PolicyName: CFNUsers
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:ListBuckets
+ Resource: specific-bucket
+ bad:
+ - |-
+ Resources:
+ BadPolicy:
+ Type: AWS::IAM::Policy
+ Properties:
+ PolicyName: CFNUsers
+ PolicyDocument:
+
+ Version: "2012-10-17"
+
+ Statement:
+ - Effect: Allow
+ Action:
+ - cloudformation:Describe*
+ - cloudformation:List*
+ - cloudformation:Get*
+ Resource: '*'
+terraform:
+ good:
+ - |-
+ resource "aws_iam_role_policy" "test_policy" {
+ name = "test_policy"
+ role = aws_iam_role.test_role.id
+
+ policy = data.aws_iam_policy_document.s3_policy.json
+ }
+
+ resource "aws_iam_role" "test_role" {
+ name = "test_role"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "s3.amazonaws.com"
+ }
+ },
+ ]
+ })
+ }
+
+ data "aws_iam_policy_document" "s3_policy" {
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ actions = ["s3:GetObject"]
+ resources = [aws_s3_bucket.example.arn]
+ }
+ }
+ bad:
+ - |-
+ resource "aws_iam_role_policy" "test_policy" {
+ name = "test_policy"
+ role = aws_iam_role.test_role.id
+
+ policy = data.aws_iam_policy_document.s3_policy.json
+ }
+
+ resource "aws_iam_role" "test_role" {
+ name = "test_role"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "s3.amazonaws.com"
+ }
+ },
+ ]
+ })
+ }
+
+ data "aws_iam_policy_document" "s3_policy" {
+ statement {
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ actions = ["s3:*"]
+ resources = ["*"]
+ }
+ }
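Review bot: The bad CloudFormation example appears to carry two blank lines inside `PolicyDocument:` (between `PolicyDocument:`, `Version: "2012-10-17"` and `Statement:`) that the good example does not have; they are harmless to the YAML but look like a paste artefact and make the two fixtures harder to compare. Remove them so the only difference between the good and bad documents is the wildcard `Action`/`Resource` values.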
diff --git a/checks/cloud/aws/iam/require_support_role.rego b/checks/cloud/aws/iam/require_support_role.rego
new file mode 100644
index 00000000..f461a0c5
--- /dev/null
+++ b/checks/cloud/aws/iam/require_support_role.rego
@@ -0,0 +1,29 @@
+# METADATA
+# title: Missing IAM Role to allow authorized users to manage incidents with AWS Support.
+# description: |
+# By implementing least privilege for access control, an IAM Role will require an appropriate
+# IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://console.aws.amazon.com/iam/
+# custom:
+# id: AVD-AWS-0169
+# avd_id: AVD-AWS-0169
+# provider: aws
+# service: iam
+# severity: LOW
+# short_code: require-support-role
+# deprecated: true
+# recommended_action: Create an IAM role with the necessary permissions to manage incidents with AWS Support.
+# frameworks:
+# cis-aws-1.4:
+# - "1.17"
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: iam
+# provider: aws
+package builtin.aws.iam.aws0169
diff --git a/checks/cloud/aws/sam/no_function_policy_wildcards.rego b/checks/cloud/aws/sam/no_function_policy_wildcards.rego
new file mode 100644
index 00000000..36999ff2
--- /dev/null
+++ b/checks/cloud/aws/sam/no_function_policy_wildcards.rego
@@ -0,0 +1,28 @@
+# METADATA
+# title: Function policies should avoid use of wildcards and instead apply the principle of least privilege
+# description: |
+# You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-policies
+# custom:
+# id: AVD-AWS-0114
+# avd_id: AVD-AWS-0114
+# provider: aws
+# service: sam
+# severity: HIGH
+# short_code: no-function-policy-wildcards
+# deprecated: true
+# recommended_action: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: sam
+# provider: aws
+# cloud_formation:
+# good_examples: checks/cloud/aws/sam/no_function_policy_wildcards.yaml
+# bad_examples: checks/cloud/aws/sam/no_function_policy_wildcards.yaml
+package builtin.aws.sam.aws0114
diff --git a/checks/cloud/aws/sam/no_function_policy_wildcards.yaml b/checks/cloud/aws/sam/no_function_policy_wildcards.yaml
new file mode 100644
index 00000000..c316dada
--- /dev/null
+++ b/checks/cloud/aws/sam/no_function_policy_wildcards.yaml
@@ -0,0 +1,46 @@
+cloudformation:
+ good:
+ - |-
+ Resources:
+ GoodFunction:
+ Type: AWS::Serverless::Function
+ Properties:
+ PackageType: Image
+ ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
+ ImageConfig:
+ Command:
+ - app.lambda_handler
+ EntryPoint:
+ - entrypoint1
+ WorkingDirectory: workDir
+ Policies:
+ - AWSLambdaExecute
+ - Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:GetObjectACL
+ Resource: arn:aws:s3:::my-bucket/*
+ bad:
+ - |-
+ Resources:
+ BadFunction:
+ Type: AWS::Serverless::Function
+ Properties:
+ PackageType: Image
+ ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
+ ImageConfig:
+ Command:
+ - app.lambda_handler
+ EntryPoint:
+ - entrypoint1
+ WorkingDirectory: workDir
+ Policies:
+ - AWSLambdaExecute
+ - Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:*
+ Resource: arn:aws:s3:::my-bucket/*
diff --git a/checks/cloud/aws/sam/no_state_machine_policy_wildcards.rego b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.rego
new file mode 100644
index 00000000..a1610258
--- /dev/null
+++ b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.rego
@@ -0,0 +1,40 @@
+# METADATA
+# title: State machine policies should avoid use of wildcards and instead apply the principle of least privilege
+# description: |
+# You should use the principle of least privilege when defining your IAM policies.
+# This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-policies"
+# custom:
+# id: AVD-AWS-0120
+# avd_id: AVD-AWS-0120
+# provider: aws
+# service: sam
+# severity: HIGH
+# short_code: no-state-machine-policy-wildcards
+# deprecated: true
+# recommended_action: Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: sam
+# provider: aws
+# cloud_formation:
+# good_examples: checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml
+# bad_examples: checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml
+package builtin.aws.sam.aws0120
+
+import rego.v1
+
+deny contains res if {
+ some table in input.aws.sam.simpletables
+ not table.ssespecification.enabled.value
+ res := result.new(
+ "Domain name is configured with an outdated TLS policy.",
+ table.ssespecification.enabled,
+ )
+}
diff --git a/checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml
new file mode 100644
index 00000000..680d4932
--- /dev/null
+++ b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.yaml
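Review bot: The `deny` rule at the end of no_state_machine_policy_wildcards.rego does not belong to this check: it iterates `input.aws.sam.simpletables`, tests `table.ssespecification.enabled.value`, and reports "Domain name is configured with an outdated TLS policy." — none of which relates to state-machine policy wildcards (AVD-AWS-0120), and the message does not describe the condition it guards. Every other deprecated stub in this commit (no_policy_wildcards.rego, require_support_role.rego, no_function_policy_wildcards.rego, avoid_leaks_via_http.rego) ends at its `package` line; left as is, a check marked `deprecated: true` would still emit a misleading finding for any SAM SimpleTable whose SSE is not enabled. Drop the `import rego.v1` line and the whole `deny contains res if { … }` block so the file is metadata only. As a minor style point, the `related_resources` URL here is the only one in the commit wrapped in double quotes.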
@@ -0,0 +1,50 @@
+cloudformation:
+ good:
+ - |-
+ Resources:
+ GoodFunction:
+ Type: AWS::Serverless::StateMachine
+ Properties:
+ Definition:
+ StartAt: MyLambdaState
+ States:
+ MyLambdaState:
+ Type: Task
+ Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app
+ End: true
+ Role: arn:aws:iam::123456123456:role/service-role/my-sample-role
+ Tracing:
+ Enabled: true
+ Policies:
+ - AWSLambdaExecute
+ - Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:GetObjectACL
+ Resource: arn:aws:s3:::my-bucket/*
+ bad:
+ - |-
+ Resources:
+ BadFunction:
+ Type: AWS::Serverless::StateMachine
+ Properties:
+ Definition:
+ StartAt: MyLambdaState
+ States:
+ MyLambdaState:
+ Type: Task
+ Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app
+ End: true
+ Role: arn:aws:iam::123456123456:role/service-role/my-sample-role
+ Tracing:
+ Enabled: true
+ Policies:
+ - AWSLambdaExecute
+ - Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:*
+ Resource: arn:aws:s3:::my-bucket/*
diff --git a/checks/cloud/aws/ssm/avoid_leaks_via_http.rego b/checks/cloud/aws/ssm/avoid_leaks_via_http.rego
new file mode 100644
index 00000000..e72d2ae2
--- /dev/null
+++ b/checks/cloud/aws/ssm/avoid_leaks_via_http.rego
@@ -0,0 +1,31 @@
+# METADATA
+# title: Secrets should not be exfiltrated using Terraform HTTP data blocks
+# description: |
+# The data.http block can be used to send secret data outside of the organisation.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/
+# custom:
+# id: AVD-AWS-0134
+# avd_id: AVD-AWS-0134
+# provider: aws
+# service: ssm
+# severity: CRITICAL
+# short_code: avoid-leaks-via-http
+# deprecated: true
+# recommended_action: Remove this potential exfiltration HTTP request.
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: ssm
+# provider: aws
+# terraform:
+# good_examples: checks/cloud/aws/ssm/avoid_leaks_via_http.yaml
+# bad_examples: checks/cloud/aws/ssm/avoid_leaks_via_http.yaml
+# cloud_formation:
+# good_examples: checks/cloud/aws/ssm/avoid_leaks_via_http.yaml
+# bad_examples: checks/cloud/aws/ssm/avoid_leaks_via_http.yaml
+package builtin.aws.ssm.aws0134
diff --git a/test/rego/aws_access_analyzer_test.go b/test/rego/aws_access_analyzer_test.go
deleted file mode 100644
index ac51db58..00000000
--- a/test/rego/aws_access_analyzer_test.go
+++ /dev/null
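Review bot: Both the `terraform:` and `cloud_formation:` blocks point `good_examples`/`bad_examples` at `checks/cloud/aws/ssm/avoid_leaks_via_http.yaml`, but the commit's file list creates no such file (it adds yaml fixtures for the iam and sam checks only), so unless that yaml already exists in the tree these references dangle and any example-driven test or doc generation for AVD-AWS-0134 will not find them. The check's description concerns Terraform `data.http` blocks, so a CloudFormation example set is also doubtful. Either add the fixture or remove the example references, starting with the `cloud_formation:` block.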
@@ -1,52 +0,0 @@
-package test
-
-import (
- "github.com/aquasecurity/trivy/pkg/iac/providers/aws"
- "github.com/aquasecurity/trivy/pkg/iac/providers/aws/accessanalyzer"
- "github.com/aquasecurity/trivy/pkg/iac/state"
- trivyTypes "github.com/aquasecurity/trivy/pkg/iac/types"
-)
-
-func init() {
- addTests(awsAccessAnalyzerTestCases)
-}
-
-var awsAccessAnalyzerTestCases = testCases{
- "AVD-AWS-0175": {
- // TODO: Trivy does not export empty structures into Rego
- // {
-
- // name: "No analyzers enabled",
- // input: state.State{AWS: aws.AWS{AccessAnalyzer: accessanalyzer.AccessAnalyzer{}}},
- // expected: true,
- // },
- {
- name: "Analyzer disabled",
- input: state.State{AWS: aws.AWS{AccessAnalyzer: accessanalyzer.AccessAnalyzer{
- Analyzers: []accessanalyzer.Analyzer{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- ARN: trivyTypes.String("arn:aws:accessanalyzer:us-east-1:123456789012:analyzer/test", trivyTypes.NewTestMetadata()),
- Name: trivyTypes.String("test", trivyTypes.NewTestMetadata()),
- Active: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
- },
- },
- }}},
- expected: true,
- },
- {
- name: "Analyzer enabled",
- input: state.State{AWS: aws.AWS{AccessAnalyzer: accessanalyzer.AccessAnalyzer{
- Analyzers: []accessanalyzer.Analyzer{
- {
- Metadata: trivyTypes.NewTestMetadata(),
- ARN: trivyTypes.String("arn:aws:accessanalyzer:us-east-1:123456789012:analyzer/test", trivyTypes.NewTestMetadata()),
- Name: trivyTypes.String("test", trivyTypes.NewTestMetadata()),
- Active: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
- },
- }}},
- },
- expected: false,
- },
- },
-}