From 5a19c0b9eda98700f309c407c35eb32bd4f210d6 Mon Sep 17 00:00:00 2001 
From: gafnit
Date: Tue, 31 May 2022 18:29:56 +0300
Subject: [PATCH 01/11] feat(queries): add new aws iam privilege escalation queries

---
 .../glue-UpdateDevEndpoint/metadata.json | 11 +++
 .../group/glue-UpdateDevEndpoint/query.rego | 73 ++++++++++++++++++
 .../glue-UpdateDevEndpoint/test/negative1.tf | 21 ++++++
 .../glue-UpdateDevEndpoint/test/positive1.tf | 29 +++++++
 .../test/positive_expected_result.json | 8 ++
 .../group/iam-AddUserToGroup/metadata.json | 11 +++
 .../group/iam-AddUserToGroup/query.rego | 73 ++++++++++++++++++
 .../iam-AddUserToGroup/test/negative1.tf | 21 ++++++
 .../iam-AddUserToGroup/test/positive1.tf | 29 +++++++
 .../test/positive_expected_result.json | 8 ++
 .../group/iam-AttachGroupPolicy/metadata.json | 11 +++
 .../group/iam-AttachGroupPolicy/query.rego | 73 ++++++++++++++++++
 .../iam-AttachGroupPolicy/test/negative1.tf | 21 ++++++
 .../iam-AttachGroupPolicy/test/positive1.tf | 31 ++++++++
 .../test/positive_expected_result.json | 8 ++
 .../group/iam-AttachRolePolicy/metadata.json | 11 +++
 .../group/iam-AttachRolePolicy/query.rego | 73 ++++++++++++++++++
 .../iam-AttachRolePolicy/test/negative1.tf | 21 ++++++
 .../iam-AttachRolePolicy/test/positive1.tf | 30 ++++++++
 .../test/positive_expected_result.json | 8 ++
 .../group/iam-AttachUserPolicy/metadata.json | 11 +++
 .../group/iam-AttachUserPolicy/query.rego | 73 ++++++++++++++++++
 .../iam-AttachUserPolicy/test/negative1.tf | 21 ++++++
 .../iam-AttachUserPolicy/test/positive1.tf | 29 +++++++
 .../test/positive_expected_result.json | 8 ++
 .../group/iam-CreateAccessKey/metadata.json | 11 +++
 .../group/iam-CreateAccessKey/query.rego | 73 ++++++++++++++++++
 .../iam-CreateAccessKey/test/negative1.tf | 21 ++++++
 .../iam-CreateAccessKey/test/positive1.tf | 30 ++++++++
 .../test/positive_expected_result.json | 8 ++
 .../iam-CreateLoginProfile/metadata.json | 11 +++
 .../group/iam-CreateLoginProfile/query.rego | 73 ++++++++++++++++++
 .../iam-CreateLoginProfile/test/negative1.tf | 21 ++++++
.../iam-CreateLoginProfile/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../iam-CreatePolicyVersion/metadata.json | 11 +++ .../group/iam-CreatePolicyVersion/query.rego | 73 ++++++++++++++++++ .../iam-CreatePolicyVersion/test/negative1.tf | 21 ++++++ .../iam-CreatePolicyVersion/test/positive1.tf | 29 +++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../iam-PassRole-ec2-RunInstances/query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 75 +++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../group/iam-PutGroupPolicy/metadata.json | 11 +++ .../group/iam-PutGroupPolicy/query.rego | 73 ++++++++++++++++++ .../iam-PutGroupPolicy/test/negative1.tf | 21 ++++++ .../iam-PutGroupPolicy/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../group/iam-PutRolePolicy/metadata.json | 11 +++ .../group/iam-PutRolePolicy/query.rego | 73 ++++++++++++++++++ .../group/iam-PutRolePolicy/test/negative1.tf | 21 ++++++ .../group/iam-PutRolePolicy/test/positive1.tf | 31 ++++++++ .../test/positive_expected_result.json | 8 ++ .../group/iam-PutUserPolicy/metadata.json | 11 +++ .../group/iam-PutUserPolicy/query.rego | 73 ++++++++++++++++++ .../group/iam-PutUserPolicy/test/negative1.tf | 21 ++++++ .../group/iam-PutUserPolicy/test/positive1.tf | 31 ++++++++ .../test/positive_expected_result.json | 8 ++ 
.../iam-SetDefaultPolicyVersion/metadata.json | 11 +++ .../iam-SetDefaultPolicyVersion/query.rego | 73 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../iam-UpdateLoginProfile/metadata.json | 11 +++ .../group/iam-UpdateLoginProfile/query.rego | 73 ++++++++++++++++++ .../iam-UpdateLoginProfile/test/negative1.tf | 21 ++++++ .../iam-UpdateLoginProfile/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../lambda-UpdateFunctionCode/metadata.json | 11 +++ .../lambda-UpdateFunctionCode/query.rego | 73 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../role/glue-UpdateDevEndpoint/metadata.json | 11 +++ .../role/glue-UpdateDevEndpoint/query.rego | 73 ++++++++++++++++++ .../glue-UpdateDevEndpoint/test/negative1.tf | 21 ++++++ .../glue-UpdateDevEndpoint/test/positive1.tf | 29 +++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-AddUserToGroup/metadata.json | 11 +++ .../role/iam-AddUserToGroup/query.rego | 73 ++++++++++++++++++ .../role/iam-AddUserToGroup/test/negative1.tf | 21 ++++++ .../role/iam-AddUserToGroup/test/positive1.tf | 29 +++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-AttachGroupPolicy/metadata.json | 11 +++ .../role/iam-AttachGroupPolicy/query.rego | 73 ++++++++++++++++++ .../iam-AttachGroupPolicy/test/negative1.tf | 21 ++++++ .../iam-AttachGroupPolicy/test/positive1.tf | 31 ++++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-AttachRolePolicy/metadata.json | 11 +++ .../role/iam-AttachRolePolicy/query.rego | 73 ++++++++++++++++++ .../iam-AttachRolePolicy/test/negative1.tf | 21 ++++++ .../iam-AttachRolePolicy/test/positive1.tf | 30 
++++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-AttachUserPolicy/metadata.json | 11 +++ .../role/iam-AttachUserPolicy/query.rego | 73 ++++++++++++++++++ .../iam-AttachUserPolicy/test/negative1.tf | 21 ++++++ .../iam-AttachUserPolicy/test/positive1.tf | 29 +++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-CreateAccessKey/metadata.json | 11 +++ .../role/iam-CreateAccessKey/query.rego | 73 ++++++++++++++++++ .../iam-CreateAccessKey/test/negative1.tf | 21 ++++++ .../iam-CreateAccessKey/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-CreateLoginProfile/metadata.json | 11 +++ .../role/iam-CreateLoginProfile/query.rego | 73 ++++++++++++++++++ .../iam-CreateLoginProfile/test/negative1.tf | 21 ++++++ .../iam-CreateLoginProfile/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../iam-CreatePolicyVersion/metadata.json | 11 +++ .../role/iam-CreatePolicyVersion/query.rego | 73 ++++++++++++++++++ .../iam-CreatePolicyVersion/test/negative1.tf | 21 ++++++ .../iam-CreatePolicyVersion/test/positive1.tf | 29 +++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../iam-PassRole-ec2-RunInstances/query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 75 +++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-PutGroupPolicy/metadata.json | 11 +++ 
.../role/iam-PutGroupPolicy/query.rego | 73 ++++++++++++++++++ .../role/iam-PutGroupPolicy/test/negative1.tf | 21 ++++++ .../role/iam-PutGroupPolicy/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-PutRolePolicy/metadata.json | 11 +++ .../role/iam-PutRolePolicy/query.rego | 73 ++++++++++++++++++ .../role/iam-PutRolePolicy/test/negative1.tf | 21 ++++++ .../role/iam-PutRolePolicy/test/positive1.tf | 31 ++++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-PutUserPolicy/metadata.json | 11 +++ .../role/iam-PutUserPolicy/query.rego | 73 ++++++++++++++++++ .../role/iam-PutUserPolicy/test/negative1.tf | 21 ++++++ .../role/iam-PutUserPolicy/test/positive1.tf | 31 ++++++++ .../test/positive_expected_result.json | 8 ++ .../iam-SetDefaultPolicyVersion/metadata.json | 11 +++ .../iam-SetDefaultPolicyVersion/query.rego | 73 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../role/iam-UpdateLoginProfile/metadata.json | 11 +++ .../role/iam-UpdateLoginProfile/query.rego | 73 ++++++++++++++++++ .../iam-UpdateLoginProfile/test/negative1.tf | 21 ++++++ .../iam-UpdateLoginProfile/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../lambda-UpdateFunctionCode/metadata.json | 11 +++ .../role/lambda-UpdateFunctionCode/query.rego | 73 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../user/glue-UpdateDevEndpoint/metadata.json | 11 +++ .../user/glue-UpdateDevEndpoint/query.rego | 73 ++++++++++++++++++ .../glue-UpdateDevEndpoint/test/negative1.tf | 21 ++++++ .../glue-UpdateDevEndpoint/test/positive1.tf | 29 +++++++ .../test/positive_expected_result.json | 
8 ++ .../user/iam-AddUserToGroup/metadata.json | 11 +++ .../user/iam-AddUserToGroup/query.rego | 73 ++++++++++++++++++ .../user/iam-AddUserToGroup/test/negative1.tf | 21 ++++++ .../user/iam-AddUserToGroup/test/positive1.tf | 29 +++++++ .../test/positive_expected_result.json | 8 ++ .../user/iam-AttachGroupPolicy/metadata.json | 11 +++ .../user/iam-AttachGroupPolicy/query.rego | 73 ++++++++++++++++++ .../iam-AttachGroupPolicy/test/negative1.tf | 21 ++++++ .../iam-AttachGroupPolicy/test/positive1.tf | 31 ++++++++ .../test/positive_expected_result.json | 8 ++ .../user/iam-AttachRolePolicy/metadata.json | 11 +++ .../user/iam-AttachRolePolicy/query.rego | 73 ++++++++++++++++++ .../iam-AttachRolePolicy/test/negative1.tf | 21 ++++++ .../iam-AttachRolePolicy/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../user/iam-AttachUserPolicy/metadata.json | 11 +++ .../user/iam-AttachUserPolicy/query.rego | 73 ++++++++++++++++++ .../iam-AttachUserPolicy/test/negative1.tf | 21 ++++++ .../iam-AttachUserPolicy/test/positive1.tf | 29 +++++++ .../test/positive_expected_result.json | 8 ++ .../user/iam-CreateAccessKey/metadata.json | 11 +++ .../user/iam-CreateAccessKey/query.rego | 73 ++++++++++++++++++ .../iam-CreateAccessKey/test/negative1.tf | 21 ++++++ .../iam-CreateAccessKey/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../user/iam-CreateLoginProfile/metadata.json | 11 +++ .../user/iam-CreateLoginProfile/query.rego | 73 ++++++++++++++++++ .../iam-CreateLoginProfile/test/negative1.tf | 21 ++++++ .../iam-CreateLoginProfile/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../iam-CreatePolicyVersion/metadata.json | 11 +++ .../user/iam-CreatePolicyVersion/query.rego | 73 ++++++++++++++++++ .../iam-CreatePolicyVersion/test/negative1.tf | 21 ++++++ .../iam-CreatePolicyVersion/test/positive1.tf | 29 +++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 74 
++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../iam-PassRole-ec2-RunInstances/query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 75 +++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ .../user/iam-PutGroupPolicy/metadata.json | 11 +++ .../user/iam-PutGroupPolicy/query.rego | 73 ++++++++++++++++++ .../user/iam-PutGroupPolicy/test/negative1.tf | 21 ++++++ .../user/iam-PutGroupPolicy/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../user/iam-PutRolePolicy/metadata.json | 11 +++ .../user/iam-PutRolePolicy/query.rego | 73 ++++++++++++++++++ .../user/iam-PutRolePolicy/test/negative1.tf | 21 ++++++ .../user/iam-PutRolePolicy/test/positive1.tf | 31 ++++++++ .../test/positive_expected_result.json | 8 ++ .../user/iam-PutUserPolicy/metadata.json | 11 +++ .../user/iam-PutUserPolicy/query.rego | 73 ++++++++++++++++++ .../user/iam-PutUserPolicy/test/negative1.tf | 21 ++++++ .../user/iam-PutUserPolicy/test/positive1.tf | 31 ++++++++ .../test/positive_expected_result.json | 8 ++ .../iam-SetDefaultPolicyVersion/metadata.json | 11 +++ .../iam-SetDefaultPolicyVersion/query.rego | 73 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../metadata.json | 11 +++ .../query.rego | 74 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 49 ++++++++++++ .../test/positive_expected_result.json | 8 ++ 
.../user/iam-UpdateLoginProfile/metadata.json | 11 +++ .../user/iam-UpdateLoginProfile/query.rego | 73 ++++++++++++++++++ .../iam-UpdateLoginProfile/test/negative1.tf | 21 ++++++ .../iam-UpdateLoginProfile/test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ .../lambda-UpdateFunctionCode/metadata.json | 11 +++ .../user/lambda-UpdateFunctionCode/query.rego | 73 ++++++++++++++++++ .../test/negative1.tf | 21 ++++++ .../test/positive1.tf | 30 ++++++++ .../test/positive_expected_result.json | 8 ++ 285 files changed, 8451 insertions(+) create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/query.rego create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/negative1.tf create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive1.tf create mode 
100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive1.tf create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive1.tf create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive_expected_result.json create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/query.rego create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/negative1.tf create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/negative1.tf create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/negative1.tf create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive1.tf create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive_expected_result.json create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/metadata.json create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json create mode 
100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/query.rego create mode 
100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/query.rego create mode 100644 
assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive_expected_result.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/metadata.json create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/query.rego create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/negative1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive1.tf create mode 100644 assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/metadata.json new file mode 100644 index 00000000000..b62c68f43a6 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "8f3c16b3-354d-45db-8ad5-5066778a9485", + "queryName": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "platform": "Terraform", + "descriptionID": "10f17e18", + "cloudProvider": "aws" +} 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/query.rego
new file mode 100644
index 00000000000..13648ae6d71
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "glue:UpdateDevEndpoint")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..6c56310f4ee
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive1.tf
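Review bot: `unrecommended_permission_policy` accepts only an exact (case-insensitive) match on the action string, so a statement that grants the same permission through `"*"`, `"glue:*"` or a prefix wildcard together with `Resource = "*"` is never reported, and because the comparison is simply undefined the rule goes silent rather than failing. The attachment branch has the same shape of blind spot: `split(attachment.policy_arn, ".")[1]` only resolves a Terraform reference, and a literal ARN (which typically contains no `.`) leaves the index undefined so the whole branch is skipped without a finding. If that scope is intended it should be written down, e.g. `# only an exact action string is matched; wildcard actions such as "*" or "glue:*" are out of scope` beside the `equalsOrInArray(statement.Action, ...)` call, and `# policy_arn must be a Terraform reference (aws_iam_policy.<name>.arn); literal ARNs are not resolved` above the split. The three helper rules and the `CxPolicy` body are repeated verbatim in the iam-AddUserToGroup and iam-AttachGroupPolicy query.rego hunks below, differing only in the permission literal, which argues for moving them into common_lib and leaving just the per-query constant here.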
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:UpdateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..6d5d2b1b863
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/metadata.json
new file mode 100644
index 00000000000..30f79045476
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/metadata.json
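Review bot: positive1.tf declares no `aws_iam_group` resource and its `aws_iam_policy_attachment` carries no `policy_arn`, while the group query's first condition is `input.document[i].resource.aws_iam_group[targetGroup]` and its attachment branch reads `attachment.policy_arn`, so as far as this hunk shows there is nothing for the group rule to match; the expected result meanwhile points at line 1, which is the `aws_iam_user` block. The fixture looks like the user-variant sample reused under group/; a positive case for this query should declare an `aws_iam_group`, attach a policy to it via `policy_arn` (or an inline `aws_iam_group_policy`) whose statement carries the flagged action, and `line` in positive_expected_result.json should then be the group resource's line. The same fixture shape recurs in the iam-AddUserToGroup and iam-AttachGroupPolicy positive1.tf hunks. `aws_iam_role.role` and `aws_iam_group.group` are also referenced but never declared, which a short comment in the sample should acknowledge if it is intentional.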
@@ -0,0 +1,11 @@ +{ + "id": "970ed7a2-0aca-4425-acf1-0453c9ecbca1", + "queryName": "Group with privilege escalation by actions 'iam:AddUserToGroup'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "platform": "Terraform", + "descriptionID": "576ba016", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/query.rego new file mode 100644 index 00000000000..a61e1acbac9 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/query.rego 
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM group + input.document[i].resource.aws_iam_group[targetGroup] + + unrecommended_permission_policy_scenarios(targetGroup, "iam:AddUserToGroup") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_group(attachment) = group { + group := split(attachment.groups[_], ".")[1] +} else = group { + group := split(attachment.group, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetGroup, permission) { + # get the IAM group policy + groupPolicy := input.document[_].resource.aws_iam_group_policy[_] + + # get the group referenced in IAM group policy and confirm it is the target group + group := split(groupPolicy.group, ".")[1] + group == targetGroup + + # verify that the policy is unrecommended + unrecommended_permission_policy(groupPolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the group referenced in IAM policy attachment and confirm it 
is the target group + group := get_group(attachment) + group == targetGroup + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive1.tf new file mode 100644 index 00000000000..b71e0166b16 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive1.tf 
@@ -0,0 +1,29 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AddUserToGroup", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive_expected_result.json new file mode 100644 index 00000000000..60394264553 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group with privilege escalation by actions 'iam:AddUserToGroup'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/metadata.json new file mode 100644 index 00000000000..10a0c0ed88e --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/metadata.json 
@@ -0,0 +1,11 @@ +{ + "id": "70b42736-efee-4bce-80d5-50358ed94990", + "queryName": "Group with privilege escalation by actions 'iam:AttachGroupPolicy'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "platform": "Terraform", + "descriptionID": "e42aec0c", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/query.rego new file mode 100644 index 00000000000..4f9b15d733b --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/query.rego 
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM group + input.document[i].resource.aws_iam_group[targetGroup] + + unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachGroupPolicy") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_group(attachment) = group { + group := split(attachment.groups[_], ".")[1] +} else = group { + group := split(attachment.group, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetGroup, permission) { + # get the IAM group policy + groupPolicy := input.document[_].resource.aws_iam_group_policy[_] + + # get the group referenced in IAM group policy and confirm it is the target group + group := split(groupPolicy.group, ".")[1] + group == targetGroup + + # verify that the policy is unrecommended + unrecommended_permission_policy(groupPolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the group referenced in IAM policy attachment and 
confirm it is the target group + group := get_group(attachment) + group == targetGroup + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive1.tf new file mode 100644 index 00000000000..fddabd66a73 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive1.tf 
@@ -0,0 +1,31 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachGroupPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..a314d21b5a0 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group with privilege escalation by actions 'iam:AttachGroupPolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/metadata.json new file mode 100644 index 00000000000..a34def349d5 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/metadata.json 
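Review bot: positive1.tf declares no `aws_iam_group` resource and the `aws_iam_policy_attachment` sets no `policy_arn`, so going by the visible query neither `input.document[i].resource.aws_iam_group[targetGroup]` nor `split(attachment.policy_arn, ".")[1]` can bind and the finding expected on line 1 would not be produced; please confirm the test actually passes, as the harness may resolve references differently than I assume. A fixture that matches what the query checks would add `resource "aws_iam_group" "group" { name = "group" }`, move the `iam:AttachGroupPolicy` statement into an `aws_iam_policy` and set `policy_arn = aws_iam_policy.test_policy.arn` on the attachment (names illustrative). The positive fixtures for AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateLoginProfile and CreatePolicyVersion below have the same shape.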
@@ -0,0 +1,11 @@
+{
+ "id": "3dd96caa-0b5f-4a85-b929-acfac4646cc2",
+ "queryName": "Group with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "5e39f36b",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/query.rego
new file mode 100644
index 00000000000..3e075bf0673
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/query.rego
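Review bot: `"severity": "MEDIUM"` understates the condition the query describes: a group whose members hold `iam:AttachRolePolicy` on `Resource "*"` can attach any managed policy to any role, which is an account-wide privilege escalation rather than a medium-impact misconfiguration, so HIGH seems the more defensible rating. Whatever is chosen should be applied consistently to the sibling metadata files (AttachUserPolicy, CreateAccessKey, CreateLoginProfile, CreatePolicyVersion, PassRole/CreateStack), which all carry MEDIUM. `descriptionUrl` points only at the generic iam_group resource page; a reference that explains why this action is an escalation path would help the reader more than the resource docs.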
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM group + input.document[i].resource.aws_iam_group[targetGroup] + + unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachRolePolicy") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_group(attachment) = group { + group := split(attachment.groups[_], ".")[1] +} else = group { + group := split(attachment.group, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetGroup, permission) { + # get the IAM group policy + groupPolicy := input.document[_].resource.aws_iam_group_policy[_] + + # get the group referenced in IAM group policy and confirm it is the target group + group := split(groupPolicy.group, ".")[1] + group == targetGroup + + # verify that the policy is unrecommended + unrecommended_permission_policy(groupPolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the group referenced in IAM policy attachment and 
confirm it is the target group + group := get_group(attachment) + group == targetGroup + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive1.tf new file mode 100644 index 00000000000..c7d8fe2316a --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive1.tf 
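Review bot: `common_lib.equalsOrInArray(statement.Action, lower(permission))` looks for the literal action name, so a statement granting `Action = "*"`, `"iam:*"` or a pattern such as `"iam:Attach*"`, each of which confers iam:AttachRolePolicy under IAM's wildcard semantics, is not reported, and a `NotAction` statement with `Resource = "*"` is missed as well; unless equalsOrInArray already expands globs, which I cannot see from here, this is the most likely false-negative path for the whole query family. Matching each entry of `statement.Action` with `glob.match(lower(action), [], lower(permission))` would cover the wildcard forms, and it also makes the case normalisation explicit, which the `lower(permission)` call depends on since the fixtures write the action in mixed case. The same check appears in the AttachGroupPolicy hunk above and in every query.rego below.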
@@ -0,0 +1,30 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..f66511eccdb --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group with privilege escalation by actions 'iam:AttachRolePolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/metadata.json new file mode 100644 index 00000000000..728651fe63b --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "db78d14b-10e5-4e6e-84b1-dace6327b1ec",
+ "queryName": "Group with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "25a0ad8b",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/query.rego
new file mode 100644
index 00000000000..450282774ab
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/query.rego
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM group + input.document[i].resource.aws_iam_group[targetGroup] + + unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachUserPolicy") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_group(attachment) = group { + group := split(attachment.groups[_], ".")[1] +} else = group { + group := split(attachment.group, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetGroup, permission) { + # get the IAM group policy + groupPolicy := input.document[_].resource.aws_iam_group_policy[_] + + # get the group referenced in IAM group policy and confirm it is the target group + group := split(groupPolicy.group, ".")[1] + group == targetGroup + + # verify that the policy is unrecommended + unrecommended_permission_policy(groupPolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the group referenced in IAM policy attachment and 
confirm it is the target group + group := get_group(attachment) + group == targetGroup + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive1.tf new file mode 100644 index 00000000000..11b1a6047bc --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive1.tf 
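Review bot: `group := split(groupPolicy.group, ".")[1]` (and likewise `split(attachment.policy_arn, ".")[1]` and `get_group`) only recognises the attribute when it is a Terraform reference such as `aws_iam_group.group.name`; a literal name (`group = "admins"`), a variable or a module output has no second dot-separated segment, the index is undefined and the rule fails silently, so such groups are never reported. If that is an accepted limitation it should be stated at the top of `unrecommended_permission_policy_scenarios`, e.g. `# only references of the form <type>.<label>.<attr> are resolved; literal names, variables and module outputs are not matched`; otherwise compare against the `name` attribute of the `aws_iam_group` resource as a fallback. This applies identically to every query.rego in the patch.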
@@ -0,0 +1,29 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachUserPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..8718a4ec4de --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group with privilege escalation by actions 'iam:AttachUserPolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/metadata.json new file mode 100644 index 00000000000..c1af2af4230 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "846646e3-2af1-428c-ac5d-271eccfa6faf",
+ "queryName": "Group with privilege escalation by actions 'iam:CreateAccessKey'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "5182dbde",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/query.rego
new file mode 100644
index 00000000000..dac82f14120
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/query.rego
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM group + input.document[i].resource.aws_iam_group[targetGroup] + + unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateAccessKey") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_group(attachment) = group { + group := split(attachment.groups[_], ".")[1] +} else = group { + group := split(attachment.group, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetGroup, permission) { + # get the IAM group policy + groupPolicy := input.document[_].resource.aws_iam_group_policy[_] + + # get the group referenced in IAM group policy and confirm it is the target group + group := split(groupPolicy.group, ".")[1] + group == targetGroup + + # verify that the policy is unrecommended + unrecommended_permission_policy(groupPolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the group referenced in IAM policy attachment and confirm 
it is the target group + group := get_group(attachment) + group == targetGroup + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive1.tf new file mode 100644 index 00000000000..6bf052a9631 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive1.tf 
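Review bot: the `policies` set in the `else` arm lists `aws_iam_role_policy`, `aws_iam_user_policy` and `aws_iam_group_policy`, but those are inline policies with no ARN, so they can never be the target of `policy_arn`; only `aws_iam_policy` can. Narrowing the lookup to `resourcePolicy := input.document[_].resource.aws_iam_policy[policy]` states the intent and drops three lookups that cannot match. The comment above it, `# confirm that policy associated is unrecommend`, would read better as `# confirm the attached managed policy grants the permission`. Same lines in each sibling query.rego.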
@@ -0,0 +1,30 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreateAccessKey", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive_expected_result.json new file mode 100644 index 00000000000..783abe59770 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group with privilege escalation by actions 'iam:CreateAccessKey'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/metadata.json new file mode 100644 index 00000000000..0efac05f688 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "04c686f1-e0cd-4812-88e1-4e038410074c",
+ "queryName": "Group with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "13604723",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/query.rego
new file mode 100644
index 00000000000..abc0ff9e857
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/query.rego
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM group + input.document[i].resource.aws_iam_group[targetGroup] + + unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateLoginProfile") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_group(attachment) = group { + group := split(attachment.groups[_], ".")[1] +} else = group { + group := split(attachment.group, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetGroup, permission) { + # get the IAM group policy + groupPolicy := input.document[_].resource.aws_iam_group_policy[_] + + # get the group referenced in IAM group policy and confirm it is the target group + group := split(groupPolicy.group, ".")[1] + group == targetGroup + + # verify that the policy is unrecommended + unrecommended_permission_policy(groupPolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the group referenced in IAM policy attachment and 
confirm it is the target group + group := get_group(attachment) + group == targetGroup + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive1.tf new file mode 100644 index 00000000000..6976b4215cc --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive1.tf 
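Review bot: `unrecommended_permission_policy`, `get_group` and `unrecommended_permission_policy_scenarios` are byte-identical across the AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreatePolicyVersion and PassRole/CreateStack queries in this patch, differing only in the permission string that `CxPolicy` passes in, so any fix to the matching logic has to be repeated in every file. Moving the three helpers into `data.generic.common` (already imported as `common_lib`) and keeping only the `CxPolicy` rule with its action and messages per query would turn this family into one implementation rather than many copies. Until then, every review remark on one of these bodies applies to all of them.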
@@ -0,0 +1,30 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreateLoginProfile", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive_expected_result.json new file mode 100644 index 00000000000..8ac9ee6c07c --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group with privilege escalation by actions 'iam:CreateLoginProfile'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/metadata.json new file mode 100644 index 00000000000..22c6477c8d5 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "ec49cbfd-fae4-45f3-81b1-860526d66e3f",
+ "queryName": "Group with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "04f8f6ca",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/query.rego
new file mode 100644
index 00000000000..cb0eb352b67
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/query.rego
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM group + input.document[i].resource.aws_iam_group[targetGroup] + + unrecommended_permission_policy_scenarios(targetGroup, "iam:CreatePolicyVersion") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_group(attachment) = group { + group := split(attachment.groups[_], ".")[1] +} else = group { + group := split(attachment.group, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetGroup, permission) { + # get the IAM group policy + groupPolicy := input.document[_].resource.aws_iam_group_policy[_] + + # get the group referenced in IAM group policy and confirm it is the target group + group := split(groupPolicy.group, ".")[1] + group == targetGroup + + # verify that the policy is unrecommended + unrecommended_permission_policy(groupPolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the group referenced in IAM policy attachment 
and confirm it is the target group + group := get_group(attachment) + group == targetGroup + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive1.tf new file mode 100644 index 00000000000..f652e0936e8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive1.tf 
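Review bot: `unrecommended_permission_policy_scenarios` and `unrecommended_permission_policy` carry no header comment, and the two-path structure (inline `aws_iam_group_policy` first, then `aws_iam_policy_attachment`/`aws_iam_group_policy_attachment` through the `else` arm) and the restriction to statements whose `Resource` is exactly `*` are only discoverable by reading the bodies. A short header such as `# true when targetGroup is bound, inline or via attachment, to an Allow statement granting permission on Resource "*"; narrower resource ARNs are not reported` would keep the next maintainer, and the metadata descriptionText, aligned with what is actually checked. The same header is missing in the sibling query.rego files.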
@@ -0,0 +1,29 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreatePolicyVersion", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive_expected_result.json new file mode 100644 index 00000000000..4106cf0419b --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group with privilege escalation by actions 'iam:CreatePolicyVersion'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/metadata.json new file mode 100644 index 00000000000..2272f43c90a --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "9b0ffadc-a61f-4c2a-b1e6-68fab60f6267",
+ "queryName": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "b02d4e3c",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/query.rego
new file mode 100644
index 00000000000..970173dd814
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "cloudformation:CreateStack")
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive1.tf
new file mode 100644
index 00000000000..7bf8fb48688
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive1.tf
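Review bot: The attachment branch of `unrecommended_permission_policy_scenarios` only understands Terraform references: `policy := split(attachment.policy_arn, ".")[1]` and both bodies of `get_group` take the second dot-separated segment, so an attachment whose `policy_arn` is a literal ARN string, or whose `groups` entry is a plain group name, produces no second segment, the body fails silently and the group is reported as clean even when the attached policy grants the action. The same holds for `split(groupPolicy.group, ".")[1]` in the first branch when `group` is given as a literal name. The limitation should at least be stated next to the split, e.g. `# only Terraform references of the form <type>.<name>[.attr] are resolved; literal ARNs and names are not evaluated`, and ideally the literal form handled in a follow-up so a hard-coded managed-policy ARN is not a blind spot. `unrecommended_permission_policy`, `get_group` and `unrecommended_permission_policy_scenarios` are also copied verbatim into every query.rego in this commit (iam-PassRole-ec2-RunInstances, iam-PassRole-glue-CreateDevEndpoint, iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction, iam-PutGroupPolicy and, from what is visible, iam-CreatePolicyVersion); they belong in `common_lib` so that a fix to the reference handling lands once.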
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "cloudformation:CreateStack",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json
new file mode 100644
index 00000000000..29b05ef90c5
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/metadata.json
new file mode 100644
index 00000000000..faf77a07640
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "15e6ad8c-f420-49a6-bafb-074f5eb1ec74",
+ "queryName": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "e6e9e8eb",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/query.rego
new file mode 100644
index 00000000000..3e7d982e8a5
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "ec2:RunInstances")
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive1.tf
new file mode 100644
index 00000000000..1db184aa245
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive1.tf
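Review bot: The policy lookup in the else branch, `resourcePolicy := input.document[_].resource[policies[_]][policy]`, throws away the resource type carried by the reference and matches any of four resource types by bare name, so `aws_iam_policy.policy.arn` also resolves to an unrelated `aws_iam_user_policy` or `aws_iam_role_policy` that happens to be named `policy`; since inline policies have no ARN and can never be an attachment target, those two set members only open a false-positive path. Using both segments of the reference keeps the lookup exact and drops the `policies` set entirely: `ref := split(attachment.policy_arn, ".")` followed by `resourcePolicy := input.document[_].resource[ref[0]][ref[1]]`. The same three lines appear in the other query.rego files of this commit, so the fix should be applied everywhere the branch is copied.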
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:RunInstances",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json
new file mode 100644
index 00000000000..05fd1f4a1ac
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..fead0dd5cbb
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "7d544dad-8a6c-431c-84c1-5f07fe9afc0e",
+ "queryName": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "59598729",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/query.rego
new file mode 100644
index 00000000000..d0fbd61d251
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "glue:CreateDevEndpoint")
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..4b53cde802b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf
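Review bot: `unrecommended_permission_policy` normalises only one side of the action comparison, `common_lib.equalsOrInArray(statement.Action, lower(permission))`, while `statement.Action` is passed through exactly as written in the policy (mixed case, e.g. `glue:CreateDevEndpoint` in positive1.tf). Unless `equalsOrInArray` lowercases both operands itself — its body is not visible here — the positive fixture's action can never match; if it does, the `lower()` call is redundant and deserves a comment such as `# equalsOrInArray compares case-insensitively; lower() kept for readability`. Separately, a statement granting `Action = "*"` or `Action = "iam:*"` with `Resource = "*"` confers the same permission but, as far as this helper shows, is not matched, which is a more common real-world shape than an exact action string; that gap is worth either a wildcard-aware comparison or an explicit comment stating it is out of scope. The helper is duplicated in the other query.rego files of this commit.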
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:CreateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..7efa7e55da3
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json
new file mode 100644
index 00000000000..43e82cebc48
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "034d0aee-620f-4bf7-b7fb-efdf661fdb9e",
+ "queryName": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "2a7afde0",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego
new file mode 100644
index 00000000000..45fa3eec5fb
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego
@@ -0,0 +1,75 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "lambda:CreateFunction")
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+ unrecommended_permission_policy_scenarios(targetGroup, "lambda:InvokeFunction")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf
new file mode 100644
index 00000000000..3be4c197c9e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:CreateFunction",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json
new file mode 100644
index 00000000000..dd418a345f9
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/metadata.json
new file mode 100644
index 00000000000..1f0f32012de
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "e77c89f6-9c85-49ea-b95b-5f960fe5be92",
+ "queryName": "Group with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "6ee8a28a",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/query.rego
new file mode 100644
index 00000000000..ce74fb83784
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:PutGroupPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive1.tf
new file mode 100644
index 00000000000..fd0ea4df28b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..dcc41bea208
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/metadata.json
new file mode 100644
index 00000000000..6685bb2a125
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/metadata.json
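Review bot: positive1.tf contains no `aws_iam_group` resource, yet `CxPolicy` iterates `input.document[i].resource.aws_iam_group[targetGroup]`, and the `aws_iam_policy_attachment` references an undefined `aws_iam_group.group` and omits the required `policy_arn`, so as far as the hunk shows the group rule has nothing to match and the line-1 finding in `positive_expected_result.json` cannot be produced by this fixture. The `aws_iam_user_policy` carrying `iam:PutGroupPolicy` is attached to a user, which this group-scoped query never inspects. Consider adding `resource "aws_iam_group" "group" { name = "group" }` plus either an `aws_iam_group_policy` with that statement, or an `aws_iam_policy` holding it that the attachment references via `policy_arn = aws_iam_policy.policy.arn`. The positive fixtures for iam-PutRolePolicy, iam-PutUserPolicy, iam-SetDefaultPolicyVersion and iam-UpdateLoginProfile have the same shape; the iam-UpdateAssumeRolePolicy-sts-AssumeRole fixture does supply `policy_arn` and an `aws_iam_policy`, but still defines no `aws_iam_group` and leaves `iam:UpdateAssumeRolePolicy` on the user-only inline policy, so the two-action conjunction is never satisfied for a group.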
@@ -0,0 +1,11 @@
+{
+ "id": "c0c1e744-0f37-445e-924a-1846f0839f69",
+ "queryName": "Group with privilege escalation by actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "3a6914a5",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/query.rego
new file mode 100644
index 00000000000..8c3daaa849c
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:PutRolePolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is 
the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive1.tf
new file mode 100644
index 00000000000..89411b4a9cd
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive1.tf
@@ -0,0 +1,31 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..d9244ebfbc4
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/metadata.json
new file mode 100644
index 00000000000..e2d4b777a9f
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "60263b4a-6801-4587-911d-919c37ed733b",
+ "queryName": "Group with privilege escalation by actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "fdfe7031",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/query.rego
new file mode 100644
index 00000000000..9d810f9c2ec
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:PutUserPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is 
the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive1.tf
new file mode 100644
index 00000000000..edd49854001
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive1.tf
@@ -0,0 +1,31 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..f409ed65c74
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/metadata.json
new file mode 100644
index 00000000000..aa81d39f277
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "7782d4b3-e23e-432b-9742-d9528432e771",
+ "queryName": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "2be560bc",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/query.rego
new file mode 100644
index 00000000000..18ffbb169c4
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:SetDefaultPolicyVersion")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy 
attachment and confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive1.tf
new file mode 100644
index 00000000000..193341e24ee
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:SetDefaultPolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..4b5dcbc2028
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json
new file mode 100644
index 00000000000..b33fcdccda3
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "78f1ec6f-5659-41ea-bd48-d0a142dce4f2",
+ "queryName": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "7fec1740",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego
new file mode 100644
index 00000000000..d0f20e77e94
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateAssumeRolePolicy")
+ unrecommended_permission_policy_scenarios(targetGroup, "sts:AssumeRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", 
"aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf
new file mode 100644
index 00000000000..99663d5260e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateAssumeRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "sts:AssumeRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json
new file mode 100644
index 00000000000..3e4a13cf3c1
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/metadata.json
new file mode 100644
index 00000000000..f0fdde8d214
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "ad296c0d-8131-4d6b-b030-1b0e73a99ad3",
+ "queryName": "Group with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "06985b1b",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/query.rego
new file mode 100644
index 00000000000..8576accab64
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateLoginProfile")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and 
confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive1.tf
new file mode 100644
index 00000000000..a21d05bf9c9
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..9637c2ff201
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/metadata.json
new file mode 100644
index 00000000000..6bb4707da38
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "571254d8-aa6a-432e-9725-535d3ef04d69",
+ "queryName": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "platform": "Terraform",
+ "descriptionID": "1a80fe5c",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/query.rego
new file mode 100644
index 00000000000..c1c67257389
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ input.document[i].resource.aws_iam_group[targetGroup]
+
+ unrecommended_permission_policy_scenarios(targetGroup, "lambda:UpdateFunctionCode")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_group(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy
attachment and confirm it is the target group
+ group := get_group(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive1.tf
new file mode 100644
index 00000000000..8e9a4e1cd86
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive1.tf
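Review bot: `unrecommended_permission_policy` matches only the literal action, so a statement granting `"*"`, `"lambda:*"` or `"lambda:Update*"` together with `Resource = "*"` confers the same capability but is never reported, unless `common_lib.equalsOrInArray` performs glob matching internally, which this hunk does not show; the same gap is in the `get_role` variants at role/glue-UpdateDevEndpoint, role/iam-AddUserToGroup, role/iam-AttachGroupPolicy and role/iam-AttachRolePolicy. Lowercasing only `permission` while passing `statement.Action` through as written also leaves case handling to that helper; the positive fixture writes the action in mixed case, so the helper presumably normalises it, but the query should not depend on that silently. Matching each action as a lowercase glob covers the wildcard forms and the case question in one place, with a small normaliser turning a string-or-list `Action` into a set first.

```rego
unrecommended_permission_policy(resourcePolicy, permission) {
	policy := common_lib.json_unmarshal(resourcePolicy.policy)
	# … unchanged: get_statement, statement := st[_], is_allow_effect, Resource == "*" …
	# wildcard-aware, case-insensitive action match: also catches "*", "lambda:*", "lambda:Update*"
	action := action_set(statement.Action)[_]
	glob.match(lower(action), [], lower(permission))
}

# normalise a policy Action, written as a single string or as a list, into a set of strings
action_set(a) = {a} { is_string(a) }
action_set(a) = {x | x := a[_]} { is_array(a) }
```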
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:UpdateFunctionCode",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive_expected_result.json
new file mode 100644
index 00000000000..891c1f92eaf
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..8459b203feb
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "eda48c88-2b7d-4e34-b6ca-04c0194aee17",
+ "queryName": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "bff18777",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/query.rego
new file mode 100644
index 00000000000..504f9356e74
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "glue:UpdateDevEndpoint")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+
role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..6c56310f4ee
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive1.tf
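Review bot: Every principal and policy lookup in `unrecommended_permission_policy_scenarios` and `get_role` depends on `split(<ref>, ".")[1]`, i.e. on the attribute being a Terraform address such as `aws_iam_role.role.name`; when `role`, `roles` or `policy_arn` hold a literal name or ARN the index is undefined and the rule silently fails, and for a `var.`/`local.`/`data.` reference element `[1]` is the variable or data-source name, which could coincidentally equal a role label. Either way a role is reported clean without any indication that it was not actually resolved. That is a reasonable first cut, but it should be stated above `unrecommended_permission_policy_scenarios`, for example `# principals and policies are matched by Terraform address only (aws_iam_role.<label>); literal names/ARNs and var/local/data references are not resolved and are skipped`. The same note applies to the other query.rego hunks in this commit.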
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:UpdateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..58588f764e6
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/metadata.json
new file mode 100644
index 00000000000..57a74916142
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "b8a31292-509d-4b61-bc40-13b167db7e9c",
+ "queryName": "Role with privilege escalation by actions 'iam:AddUserToGroup'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "058bc100",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/query.rego
new file mode 100644
index 00000000000..852a7895527
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "iam:AddUserToGroup")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role :=
get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive1.tf
new file mode 100644
index 00000000000..b71e0166b16
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive1.tf
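Review bot: In the `else` branch, `resourcePolicy := input.document[_].resource[policies[_]][policy]` resolves the attached policy by label across four resource types, three of which (`aws_iam_role_policy`, `aws_iam_user_policy`, `aws_iam_group_policy`) are inline policies with no ARN and so can never be what `policy_arn` points at. Because Terraform labels are scoped per type, an unrelated `aws_iam_user_policy.foo` carrying the escalating statement would make an `aws_iam_role_policy_attachment` with `policy_arn = aws_iam_policy.foo.arn` flag the role even when `aws_iam_policy.foo` itself is benign. Restricting the lookup to the type the reference names avoids that: `split(attachment.policy_arn, ".")[0] == "aws_iam_policy"` followed by `resourcePolicy := input.document[_].resource.aws_iam_policy[policy]`. The same `policies` set appears in the other query.rego hunks of this commit.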
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AddUserToGroup",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive_expected_result.json
new file mode 100644
index 00000000000..bc3922e764a
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:AddUserToGroup'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/metadata.json
new file mode 100644
index 00000000000..6a58d254385
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "f906113d-cdc0-415a-ba60-609cc6daaf4d",
+ "queryName": "Role with privilege escalation by actions 'iam:AttachGroupPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "54b22492",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/query.rego
new file mode 100644
index 00000000000..bb68ae00eac
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "iam:AttachGroupPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role
:= get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive1.tf
new file mode 100644
index 00000000000..fddabd66a73
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive1.tf
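Review bot: `unrecommended_permission_policy`, `get_role` and `unrecommended_permission_policy_scenarios` are repeated verbatim in every query.rego of this commit, differing only in the permission literal and the group/role flavour, so any correction to the matching logic has to be applied in dozens of places. Moving the three helpers into the shared library this file already imports as `common_lib`, parameterised on the principal resource type, would leave each query as its `CxPolicy` rule plus the permission string. While at it, the comments `# get a AWS IAM role` and `# confirm that policy associated is unrecommend` would read better as `# get an AWS IAM role` and `# confirm that the associated policy is unrecommended`, and line 73 is a whitespace-only line without a trailing newline.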
@@ -0,0 +1,31 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AttachGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..28f4da8c535
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:AttachGroupPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/metadata.json
new file mode 100644
index 00000000000..b71ca46b354
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "f465fff1-0a0f-457d-aa4d-1bddb6f204ff",
+ "queryName": "Role with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "aaf96d6e",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/query.rego
new file mode 100644
index 00000000000..b660a3ea805
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "iam:AttachRolePolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role :=
get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive1.tf
new file mode 100644
index 00000000000..c7d8fe2316a
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive1.tf
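Review bot: The resource condition `common_lib.equalsOrInArray(statement.Resource, "*")` accepts only a literal `"*"`, so a statement with `Resource = "arn:aws:iam::*:role/*"` (which reaches every role for `iam:AttachRolePolicy`) or one expressed with `NotResource` is not reported; the query name says "Resource set to '*'", so this may be intended, but it is a scoping decision the reader of the rule should see rather than infer. A one-line comment above the check, such as `# deliberately narrow: only a literal "*" Resource is treated as escalating; ARN wildcards and NotResource are out of scope`, would record it, and the same applies to the other query.rego hunks in this commit. The `descriptionText` in the matching metadata.json repeats that wording, so whichever way the scope goes the two should stay in sync.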
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AttachRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..cae0fce001d
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/metadata.json
new file mode 100644
index 00000000000..95460861dfb
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "7c96920c-6fd0-449d-9a52-0aa431b6beaf",
+ "queryName": "Role with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "4efcf3e9",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/query.rego
new file mode 100644
index 00000000000..baae8beb84c
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/query.rego
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM role + input.document[i].resource.aws_iam_role[targetRole] + + unrecommended_permission_policy_scenarios(targetRole, "iam:AttachUserPolicy") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetRole]), + "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetRole]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_role(attachment) = role { + role := split(attachment.roles[_], ".")[1] +} else = role { + role := split(attachment.role, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetRole, permission) { + # get the IAM role policy + rolePolicy := input.document[_].resource.aws_iam_role_policy[_] + + # get the role referenced in IAM role policy and confirm it is the target role + role := split(rolePolicy.role, ".")[1] + role == targetRole + + # verify that the policy is unrecommended + unrecommended_permission_policy(rolePolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the role referenced in IAM policy attachment and confirm it is the target role + role := 
get_role(attachment) + role == targetRole + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive1.tf new file mode 100644 index 00000000000..11b1a6047bc --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive1.tf 
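Review bot: `unrecommended_permission_policy` compares `statement.Action` against the single permission with `common_lib.equalsOrInArray`, so a statement that grants the same right through a wildcard (`Action = "iam:*"` or `Action = "*"` together with `Resource = "*"`) is not reported, which is the more common shape of an over-privileged role; if bare `*` is deliberately left to another query, a comment saying so would help, otherwise a glob match as sketched below closes the gap (this assumes `equalsOrInArray` does an exact, case-folded comparison, which its use with `lower(permission)` suggests). The same helpers are duplicated verbatim in the query.rego hunks for iam-CreateAccessKey, iam-CreateLoginProfile, iam-CreatePolicyVersion, iam-PassRole-cloudformation-CreateStack and iam-PassRole-ec2-RunInstances; moving `unrecommended_permission_policy`, `get_role` and `unrecommended_permission_policy_scenarios` into `common_lib` would keep the fix in one place. Note also that `split(rolePolicy.role, ".")[1]` and `split(attachment.policy_arn, ".")[1]` only resolve Terraform reference expressions, so a role or policy given as a literal name/ARN or through a variable silently falls through.
```rego
# … unchanged: package, import, CxPolicy, get_role, unrecommended_permission_policy_scenarios …

unrecommended_permission_policy(resourcePolicy, permission) {
	# … unchanged: unmarshal, statement iteration, is_allow_effect, Resource check …
	action_matches(statement.Action, permission)
}

# true when the statement's Action (string or array) names the permission
# exactly or through a wildcard form such as "iam:*" or "*"
action_matches(actions, permission) {
	is_string(actions)
	glob.match(lower(actions), [], lower(permission))
} else {
	glob.match(lower(actions[_]), [], lower(permission))
}
```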
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AttachUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..a8e4bb6e46b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/metadata.json
new file mode 100644
index 00000000000..71351245d08
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "5b4d4aee-ac94-4810-9611-833636e5916d",
+ "queryName": "Role with privilege escalation by actions 'iam:CreateAccessKey'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "0d94441c",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/query.rego
new file mode 100644
index 00000000000..40c3de82548
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "iam:CreateAccessKey")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive1.tf
new file mode 100644
index 00000000000..6bf052a9631
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreateAccessKey",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive_expected_result.json
new file mode 100644
index 00000000000..1e3e2e7dd4f
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:CreateAccessKey'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/metadata.json
new file mode 100644
index 00000000000..55b21cce6ca
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "9a205ba3-0dd1-42eb-8d54-2ffec836b51a",
+ "queryName": "Role with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "0e9af0ce",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/query.rego
new file mode 100644
index 00000000000..8c2a5e3b8b3
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "iam:CreateLoginProfile")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive1.tf
new file mode 100644
index 00000000000..6976b4215cc
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..e762db6c47d
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/metadata.json
new file mode 100644
index 00000000000..29587d4a5ce
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "ee49557d-750c-4cc1-aa95-94ab36cbefde",
+ "queryName": "Role with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "fe987a1d",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/query.rego
new file mode 100644
index 00000000000..8928bedcedb
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "iam:CreatePolicyVersion")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive1.tf
new file mode 100644
index 00000000000..f652e0936e8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive1.tf
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreatePolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..6ef6cc14602
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/metadata.json
new file mode 100644
index 00000000000..b81309ec665
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "be2aa235-bd93-4b68-978a-1cc65d49082f",
+ "queryName": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "779be66e",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/query.rego
new file mode 100644
index 00000000000..abf65bc9726
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "cloudformation:CreateStack")
+ unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive1.tf
new file mode 100644
index 00000000000..7bf8fb48688
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive1.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "cloudformation:CreateStack",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json
new file mode 100644
index 00000000000..f724c1a76ff
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/metadata.json
new file mode 100644
index 00000000000..6d38b7d0046
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/metadata.json
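Review bot: In this fixture `cloudformation:CreateStack` is granted only in `aws_iam_user_policy.test_inline_policy`, which neither branch of `unrecommended_permission_policy_scenarios` reaches for a role (the first branch reads `aws_iam_role_policy`, the second follows `attachment.policy_arn`, which here resolves to `aws_iam_policy.policy` carrying only `iam:PassRole`), so the `cloudformation:CreateStack` call in `CxPolicy` cannot succeed and the expected finding is unreachable even once an `aws_iam_role` resource is added to the file. Put both actions in the `aws_iam_policy.policy` statement, e.g. `Action = ["cloudformation:CreateStack", "iam:PassRole"]`, or add an `aws_iam_role_policy` bound to the role that holds the CreateStack statement.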
@@ -0,0 +1,11 @@ +{ + "id": "30b88745-eebe-4ecb-a3a9-5cf886e96204", + "queryName": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role", + "platform": "Terraform", + "descriptionID": "b3d6f7cf", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/query.rego new file mode 100644 index 00000000000..9fc369ee090 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/query.rego 
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "ec2:RunInstances")
+ unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive1.tf
new file mode 100644
index 00000000000..1db184aa245
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive1.tf
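Review bot: `unrecommended_permission_policy` compares `statement.Action` against the exact action string, so a statement that allows `"*"`, `"iam:*"` or `"ec2:*"` on `Resource = "*"` — which grants the same privilege-escalation primitives — produces no finding unless `common_lib.equalsOrInArray` does wildcard matching, which is not visible here; matching the policy's action as a glob pattern against the permission (OPA's `glob.match`) would close that gap. The same applies to the copies of this rule in the glue-CreateDevEndpoint, lambda-CreateFunction-lambda-InvokeFunction, iam-PutGroupPolicy, iam-PutRolePolicy and iam-PutUserPolicy queries. Separately, `get_role` iterates `attachment.roles[_]` inside a function with an `else`, so an `aws_iam_policy_attachment` listing two roles yields two different outputs for the same input, which OPA rejects as a conflict; returning a set, `roles := {r | r := split(attachment.roles[_], ".")[1]}`, and checking `targetRole` for membership avoids that. Finally, `split(attachment.policy_arn, ".")[1]` and `split(rolePolicy.role, ".")[1]` are undefined when the attribute is a literal ARN or name rather than a Terraform reference, so a role attached to an AWS-managed policy (which may well carry `iam:PassRole`) is silently skipped; until that is handled, add `# NOTE: only Terraform-style references are resolved; managed-policy ARNs and literal role names are not evaluated` above the else branch so the false negative is documented.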
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:RunInstances",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json
new file mode 100644
index 00000000000..f8218cc677e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..3aa078f45ce
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "0a592060-8166-49f5-8e65-99ac6dce9871",
+ "queryName": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "0bc279fe",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/query.rego
new file mode 100644
index 00000000000..9abd1675e87
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "glue:CreateDevEndpoint")
+ unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..4b53cde802b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:CreateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..dc2d79c09cc
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json
new file mode 100644
index 00000000000..74d5cb09707
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "fa62ac4f-f5b9-45b9-97c1-625c8b6253ca",
+ "queryName": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "628b0909",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego
new file mode 100644
index 00000000000..f4c17c6720d
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego
@@ -0,0 +1,75 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "lambda:CreateFunction")
+ unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
+ unrecommended_permission_policy_scenarios(targetRole, "lambda:InvokeFunction")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf
new file mode 100644
index 00000000000..3be4c197c9e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:CreateFunction",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json
new file mode 100644
index 00000000000..b2319ba5efb
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/metadata.json
new file mode 100644
index 00000000000..b1b80bd0285
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "d6047119-a0b2-4b59-a4f2-127a36fb685b",
+ "queryName": "Role with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "ce1bbaeb",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/query.rego
new file mode 100644
index 00000000000..c67ef175d37
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "iam:PutGroupPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive1.tf
new file mode 100644
index 00000000000..fd0ea4df28b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..114036547f6
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/metadata.json
new file mode 100644
index 00000000000..9c3a5a8e861
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/metadata.json
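Review bot: `aws_iam_policy_attachment.test-attach` in this iam-PutGroupPolicy positive fixture has no `policy_arn`, which the AWS provider requires, so the file is not valid Terraform and the attachment can never reach the query's else branch, where `split(attachment.policy_arn, ".")[1]` would be undefined. Either drop the attachment or point it at an `aws_iam_policy` whose statement allows `iam:PutGroupPolicy`, so the fixture exercises the attachment path rather than only the user inline policy. The iam-PutRolePolicy positive1.tf has the same omission.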
@@ -0,0 +1,11 @@
+{
+ "id": "eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7",
+ "queryName": "Role with privilege escalation by actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "2d361444",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/query.rego
new file mode 100644
index 00000000000..0474a778538
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ input.document[i].resource.aws_iam_role[targetRole]
+
+ unrecommended_permission_policy_scenarios(targetRole, "iam:PutRolePolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_role(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive1.tf
new file mode 100644
index 00000000000..89411b4a9cd
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive1.tf
@@ -0,0 +1,31 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..5cf41b2ae24
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/metadata.json
new file mode 100644
index 00000000000..074201d875f
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "8f75840d-9ee7-42f3-b203-b40e3979eb12",
+ "queryName": "Role with privilege escalation by actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "48764f87",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/query.rego
new file mode 100644
index 00000000000..7f6b3932aef
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/query.rego
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM role + input.document[i].resource.aws_iam_role[targetRole] + + unrecommended_permission_policy_scenarios(targetRole, "iam:PutUserPolicy") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetRole]), + "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetRole]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_role(attachment) = role { + role := split(attachment.roles[_], ".")[1] +} else = role { + role := split(attachment.role, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetRole, permission) { + # get the IAM role policy + rolePolicy := input.document[_].resource.aws_iam_role_policy[_] + + # get the role referenced in IAM role policy and confirm it is the target role + role := split(rolePolicy.role, ".")[1] + role == targetRole + + # verify that the policy is unrecommended + unrecommended_permission_policy(rolePolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the role referenced in IAM policy attachment and confirm it is the target role + role := 
get_role(attachment) + role == targetRole + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive1.tf new file mode 100644 index 00000000000..edd49854001 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive1.tf 
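Review bot: In `unrecommended_permission_policy` the Action test is an exact string compare against `lower(permission)`, so a statement that grants the same permission through `iam:*`, `iam:Put*` or `*` on Resource `*` is not reported unless `common_lib.equalsOrInArray` expands wildcards, which nothing in this hunk shows; a `glob.match`-based comparison, or a comment stating that wildcard actions are deliberately out of scope, would close or at least document that gap. In the attachment branch the `policies` set lists `aws_iam_role_policy`, `aws_iam_user_policy` and `aws_iam_group_policy`, which are inline policies with no `arn` attribute, so `policy_arn` can only ever reference `aws_iam_policy`, and the extra entries can only add a false positive when an inline policy happens to share its label with the managed one — `policies := {"aws_iam_policy"}` is sufficient. `split(attachment.policy_arn, ".")[1]` also assumes a Terraform reference and is silently undefined for a literal ARN such as an AWS-managed policy; a one-line comment saying that managed-policy ARNs are intentionally not evaluated would help the next reader. The same helper bodies are duplicated verbatim in the query.rego hunks for iam-SetDefaultPolicyVersion, iam-UpdateAssumeRolePolicy-sts-AssumeRole, iam-UpdateLoginProfile, lambda-UpdateFunctionCode and user/glue-UpdateDevEndpoint, so these points apply there too and the helpers are a candidate for `common_lib`.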
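Review bot: This negative fixture contains only an `aws_iam_user` with an `ec2:Describe*` inline policy, so it never reaches either branch of the role query and passes trivially. A negative that proves the query rejects a benign role needs a `resource "aws_iam_role"` block with an `aws_iam_role_policy` (or an attachment) whose Action lacks `iam:PutUserPolicy`, or whose Resource is narrower than `*`. The negative1.tf hunks for the other queries in this patch are byte-identical (same blob 4977af6ebd8) and share the point.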
@@ -0,0 +1,31 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..f3aaf96efac
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/metadata.json
new file mode 100644
index 00000000000..52d06d5d6c6
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "118281d0-6471-422e-a7c5-051bc667926e",
+ "queryName": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "a0ddfb38",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/query.rego
new file mode 100644
index 00000000000..790947810be
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/query.rego
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM role + input.document[i].resource.aws_iam_role[targetRole] + + unrecommended_permission_policy_scenarios(targetRole, "iam:SetDefaultPolicyVersion") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetRole]), + "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetRole]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_role(attachment) = role { + role := split(attachment.roles[_], ".")[1] +} else = role { + role := split(attachment.role, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetRole, permission) { + # get the IAM role policy + rolePolicy := input.document[_].resource.aws_iam_role_policy[_] + + # get the role referenced in IAM role policy and confirm it is the target role + role := split(rolePolicy.role, ".")[1] + role == targetRole + + # verify that the policy is unrecommended + unrecommended_permission_policy(rolePolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the role referenced in IAM policy attachment and confirm it is the 
target role + role := get_role(attachment) + role == targetRole + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive1.tf new file mode 100644 index 00000000000..193341e24ee --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive1.tf 
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:SetDefaultPolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..29388fd6135
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json
new file mode 100644
index 00000000000..7ab3ada3888
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "f1173d8c-3264-4148-9fdb-61181e031b51",
+ "queryName": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "2d747022",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego
new file mode 100644
index 00000000000..71d19e4e4f4
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego
@@ -0,0 +1,74 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM role + input.document[i].resource.aws_iam_role[targetRole] + + unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateAssumeRolePolicy") + unrecommended_permission_policy_scenarios(targetRole, "sts:AssumeRole") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetRole]), + "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetRole]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_role(attachment) = role { + role := split(attachment.roles[_], ".")[1] +} else = role { + role := split(attachment.role, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetRole, permission) { + # get the IAM role policy + rolePolicy := input.document[_].resource.aws_iam_role_policy[_] + + # get the role referenced in IAM role policy and confirm it is the target role + role := split(rolePolicy.role, ".")[1] + role == targetRole + + # verify that the policy is unrecommended + unrecommended_permission_policy(rolePolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} + attachment := 
input.document[_].resource[attachments[_]][_] + + # get the role referenced in IAM policy attachment and confirm it is the target role + role := get_role(attachment) + role == targetRole + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf new file mode 100644 index 00000000000..99663d5260e --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf 
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateAssumeRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "sts:AssumeRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json
new file mode 100644
index 00000000000..03fbd49e0a5
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/metadata.json
new file mode 100644
index 00000000000..74f3e0ad416
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "35ccf766-0e4d-41ed-9ec4-2dab155082b4",
+ "queryName": "Role with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "8bf480db",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/query.rego
new file mode 100644
index 00000000000..ca28064b587
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/query.rego
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM role + input.document[i].resource.aws_iam_role[targetRole] + + unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateLoginProfile") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetRole]), + "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetRole]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_role(attachment) = role { + role := split(attachment.roles[_], ".")[1] +} else = role { + role := split(attachment.role, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetRole, permission) { + # get the IAM role policy + rolePolicy := input.document[_].resource.aws_iam_role_policy[_] + + # get the role referenced in IAM role policy and confirm it is the target role + role := split(rolePolicy.role, ".")[1] + role == targetRole + + # verify that the policy is unrecommended + unrecommended_permission_policy(rolePolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the role referenced in IAM policy attachment and confirm it is the target role + 
role := get_role(attachment) + role == targetRole + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive1.tf new file mode 100644 index 00000000000..a21d05bf9c9 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive1.tf 
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..0517d751604
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/metadata.json
new file mode 100644
index 00000000000..0ab9989018b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "c583f0f9-7dfd-476b-a056-f47c62b47b46",
+ "queryName": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "platform": "Terraform",
+ "descriptionID": "d6861f3e",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/query.rego
new file mode 100644
index 00000000000..ad882be3165
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/query.rego
@@ -0,0 +1,73 @@ +package Cx + +import data.generic.common as common_lib + +CxPolicy[result] { + + # get a AWS IAM role + input.document[i].resource.aws_iam_role[targetRole] + + unrecommended_permission_policy_scenarios(targetRole, "lambda:UpdateFunctionCode") + + + result := { + "documentId": input.document[i].id, + "searchKey": sprintf("aws_iam_role[%s]", [targetRole]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetRole]), + "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetRole]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), + } +} + + +unrecommended_permission_policy(resourcePolicy, permission) { + policy := common_lib.json_unmarshal(resourcePolicy.policy) + + st := common_lib.get_statement(policy) + statement := st[_] + + common_lib.is_allow_effect(statement) + + common_lib.equalsOrInArray(statement.Resource, "*") + common_lib.equalsOrInArray(statement.Action, lower(permission)) +} + +get_role(attachment) = role { + role := split(attachment.roles[_], ".")[1] +} else = role { + role := split(attachment.role, ".")[1] +} + + +unrecommended_permission_policy_scenarios(targetRole, permission) { + # get the IAM role policy + rolePolicy := input.document[_].resource.aws_iam_role_policy[_] + + # get the role referenced in IAM role policy and confirm it is the target role + role := split(rolePolicy.role, ".")[1] + role == targetRole + + # verify that the policy is unrecommended + unrecommended_permission_policy(rolePolicy, permission) +} else { + + # find attachment + attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} + attachment := input.document[_].resource[attachments[_]][_] + + # get the role referenced in IAM policy attachment and confirm it is the target 
role + role := get_role(attachment) + role == targetRole + + # confirm that policy associated is unrecommend + policy := split(attachment.policy_arn, ".")[1] + + policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} + resourcePolicy := input.document[_].resource[policies[_]][policy] + + # verify that the policy is unrecommended + unrecommended_permission_policy(resourcePolicy, permission) + +} + \ No newline at end of file diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive1.tf new file mode 100644 index 00000000000..8e9a4e1cd86 --- /dev/null +++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive1.tf 
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:UpdateFunctionCode",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive_expected_result.json
new file mode 100644
index 00000000000..c693a51b460
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..586fad3da6e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "9b877bd8-94b4-4c10-a060-8e0436cc09fa",
+ "queryName": "User with privilege escalation by actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "1a48ac37",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/query.rego
new file mode 100644
index 00000000000..2a3b98cc356
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "glue:UpdateDevEndpoint")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..6c56310f4ee
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive1.tf
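Review bot: `unrecommended_permission_policy` only reports a statement whose `Action` equals or lists `glue:UpdateDevEndpoint` and whose `Resource` equals `*`, so the same grant expressed as `glue:*`, a bare `*`, a `NotAction` statement, or a broader resource pattern produces no finding — a false negative that matters most for a privilege-escalation check. Unless `common_lib.equalsOrInArray` already expands IAM wildcards (its body is not visible here), consider a glob-aware match for the action and documenting the accepted scope, e.g. `# only literal action/resource matches are detected; wildcard grants such as service:* are not reported`. The rule also compares `lower(permission)` against the raw `statement.Action` while the positive fixture uses mixed case and is expected to match, which implies the helper normalizes case on its side; that asymmetry deserves a comment or a symmetric `lower()` call. The same applies to the identical `query.rego` hunks for iam-AddUserToGroup, iam-AttachGroupPolicy, iam-AttachRolePolicy, iam-AttachUserPolicy and iam-CreateAccessKey.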
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:UpdateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..de910f04e63
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/metadata.json
new file mode 100644
index 00000000000..0eb1be15a57
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/metadata.json
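Review bot: The `aws_iam_policy_attachment` in this fixture has no `policy_arn` and references `aws_iam_role.role` and `aws_iam_group.group`, which are not declared, so it is not valid Terraform and — more importantly for coverage — it never exercises the `else` branch of `unrecommended_permission_policy_scenarios`; the expected finding comes solely from the inline `aws_iam_user_policy`. A second positive case with an `aws_iam_policy` carrying the action and an `aws_iam_user_policy_attachment` pointing at it via `policy_arn = aws_iam_policy.<label>.arn` would cover the attachment path that the query spends most of its code on. The same fixture is repeated in the positive1.tf hunks for iam-AddUserToGroup, iam-AttachGroupPolicy, iam-AttachRolePolicy and iam-AttachUserPolicy.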
@@ -0,0 +1,11 @@
+{
+ "id": "bf9d42c7-c2f9-4dfe-942c-c8cc8249a081",
+ "queryName": "User with privilege escalation by actions 'iam:AddUserToGroup'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "b201d168",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/query.rego
new file mode 100644
index 00000000000..34590997dc8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:AddUserToGroup")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive1.tf
new file mode 100644
index 00000000000..b71e0166b16
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive1.tf
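Review bot: `unrecommended_permission_policy`, `get_user` and `unrecommended_permission_policy_scenarios` are duplicated verbatim across every user query added in this commit, with only the permission literal in `CxPolicy` differing; moving them into `common_lib` (or a shared IAM privilege-escalation library) would leave each query as a one-line call and keep future fixes consistent across all of them. In the `else` branch, `policies` lists `aws_iam_role_policy`, `aws_iam_user_policy` and `aws_iam_group_policy`, which are inline policies with no ARN and so can never be the target of `policy_arn`; only `aws_iam_policy` can match there, so either reduce it to `policies := {"aws_iam_policy"}` or explain the extra entries in a comment. This applies equally to the query.rego hunks for iam-AttachGroupPolicy, iam-AttachRolePolicy, iam-AttachUserPolicy and iam-CreateAccessKey.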
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AddUserToGroup",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive_expected_result.json
new file mode 100644
index 00000000000..ecbbec92c26
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:AddUserToGroup'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/metadata.json
new file mode 100644
index 00000000000..85a59954a13
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "6d23d87e-1c5b-4308-b224-92624300f29b",
+ "queryName": "User with privilege escalation by actions 'iam:AttachGroupPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "9f22319f",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/query.rego
new file mode 100644
index 00000000000..be13c496248
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:AttachGroupPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive1.tf
new file mode 100644
index 00000000000..fddabd66a73
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive1.tf
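Review bot: `split(userPolicy.user, ".")[1]` and both branches of `get_user` assume the attribute is a Terraform reference of the exact shape `aws_iam_user.<label>.name`; when the user is given by literal name, through `var.*`, or from a module output, index `[1]` is undefined or names the wrong segment, and because the rule simply fails to evaluate the user is silently skipped rather than reported. A comment stating the accepted form, `# only aws_iam_user.<label>.* references are resolved; literal names and var.* are not matched`, would make that detection gap explicit, and checking that the first segment is `aws_iam_user` before taking the label would avoid coincidental matches. The same pattern is in the remaining user query.rego hunks (iam-AttachRolePolicy, iam-AttachUserPolicy, iam-CreateAccessKey).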
@@ -0,0 +1,31 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AttachGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..6b5179d5985
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:AttachGroupPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/metadata.json
new file mode 100644
index 00000000000..0eb7f6c3497
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "e227091e-2228-4b40-b046-fc13650d8e88",
+ "queryName": "User with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "a33a40e2",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/query.rego
new file mode 100644
index 00000000000..cccf562fde4
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:AttachRolePolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive1.tf
new file mode 100644
index 00000000000..c7d8fe2316a
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AttachRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..61048c46271
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/metadata.json
new file mode 100644
index 00000000000..fb897d46bf2
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "70cb518c-d990-46f6-bc05-44a5041493d6",
+ "queryName": "User with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "98aa676c",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/query.rego
new file mode 100644
index 00000000000..82b1a4ed6e4
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:AttachUserPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive1.tf
new file mode 100644
index 00000000000..11b1a6047bc
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive1.tf
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AttachUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..1572618a513
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/metadata.json
new file mode 100644
index 00000000000..2729c9012af
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "113208f2-a886-4526-9ecc-f3218600e12c",
+ "queryName": "User with privilege escalation by actions 'iam:CreateAccessKey'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "29b987f3",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/query.rego
new file mode 100644
index 00000000000..5f191fa6ccc
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:CreateAccessKey")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive1.tf
new file mode 100644
index 00000000000..6bf052a9631
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive1.tf
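Review bot: The action match in `unrecommended_permission_policy` is an exact comparison, `common_lib.equalsOrInArray(statement.Action, lower(permission))`, so a statement that allows `iam:*` or `*` on Resource `*` is not flagged even though it includes iam:CreateAccessKey; unless equalsOrInArray performs glob matching (not visible here), a small helper that also accepts `"*"` and the `<service>:*` form of the permission would close that gap. The user lookup `split(userPolicy.user, ".")[1]`, and the same expression in `get_user`, only resolves references of the form `aws_iam_user.<label>.name`; a literal user name or a `var.`/`data.` reference produces an undefined or wrong label and the user is silently skipped, which deserves at least a comment such as `# only aws_iam_user.<label>.* references are resolved; literal names are not matched`. The three helpers (`unrecommended_permission_policy`, `get_user`, `unrecommended_permission_policy_scenarios`) are copied verbatim into the iam-CreateLoginProfile, iam-CreatePolicyVersion and the three iam-PassRole-* query.rego files in this patch; moving them into common_lib would leave each query as the CxPolicy rule plus its action string and keep a future fix in one place.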
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreateAccessKey",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive_expected_result.json
new file mode 100644
index 00000000000..ab2be55b221
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:CreateAccessKey'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/metadata.json
new file mode 100644
index 00000000000..093c23431ef
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "0fd7d920-4711-46bd-aff2-d307d82cd8b7",
+ "queryName": "User with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "43ba4982",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/query.rego
new file mode 100644
index 00000000000..2960d6a5b12
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:CreateLoginProfile")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive1.tf
new file mode 100644
index 00000000000..6976b4215cc
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..b58d9e20f70
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/metadata.json
new file mode 100644
index 00000000000..8e68ac461a4
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "1743f5f1-0bb0-4934-acef-c80baa5dadfa",
+ "queryName": "User with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "e894d408",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/query.rego
new file mode 100644
index 00000000000..3bf1feabd25
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:CreatePolicyVersion")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive1.tf
new file mode 100644
index 00000000000..f652e0936e8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive1.tf
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreatePolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..d8e6e2be621
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/metadata.json
new file mode 100644
index 00000000000..d5b7491f89d
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "19ffbe31-9d72-4379-9768-431195eae328",
+ "queryName": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "c878232c",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/query.rego
new file mode 100644
index 00000000000..8b084987e41
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "cloudformation:CreateStack")
+ unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive1.tf
new file mode 100644
index 00000000000..7bf8fb48688
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive1.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "cloudformation:CreateStack",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json
new file mode 100644
index 00000000000..79a553eb8da
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/metadata.json
new file mode 100644
index 00000000000..633a7dda4d7
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "89561b03-cb35-44a9-a7e9-8356e71606f4",
+ "queryName": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "05f5544f",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/query.rego
new file mode 100644
index 00000000000..a3c41ec40e0
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "ec2:RunInstances")
+ unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive1.tf
new file mode 100644
index 00000000000..1db184aa245
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive1.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:RunInstances",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json
new file mode 100644
index 00000000000..75d24faf48f
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..1c56ce748c6
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "94fbe150-27e3-4eba-9ca6-af32865e4503",
+ "queryName": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "8d9e01f1",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/query.rego
new file mode 100644
index 00000000000..70c9c71746b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "glue:CreateDevEndpoint")
+ unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment :=
input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..4b53cde802b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf
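Review bot: `get_user` iterates `attachment.users[_]` inside a function that returns a single value, so an `aws_iam_policy_attachment` whose `users` list holds more than one user produces several distinct outputs for the same input, which OPA reports as an evaluation conflict instead of matching any of them; the same helper is repeated in the query.rego hunks ending at L226, L230, L234 and L238. A boolean rule that holds when any listed user is the target avoids the conflict, and the `else` branch then calls it in place of the `user := get_user(attachment)` / `user == targetUser` pair. Separately, every `split(...)[1]` lookup on `user`, `users` and `policy_arn` is undefined when the attribute is a literal name or ARN rather than a resource reference, so such a grant is silently never reported; that false-negative path deserves a comment at the top of the rule, e.g. `# only resource references (aws_iam_user.X.name, aws_iam_policy.Y.arn) are resolved; literal names and ARNs are not matched`.

```rego
attachment_references_user(attachment, targetUser) {
	split(attachment.users[_], ".")[1] == targetUser
}

attachment_references_user(attachment, targetUser) {
	split(attachment.user, ".")[1] == targetUser
}

# … unchanged: first body of unrecommended_permission_policy_scenarios …
} else {
	# find attachment
	attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
	attachment := input.document[_].resource[attachments[_]][_]

	# confirm the attachment references the target user (any entry of `users`, or `user`)
	attachment_references_user(attachment, targetUser)

	# … unchanged: policy_arn lookup and unrecommended_permission_policy check …
```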
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:CreateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..cd605f27b82
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json
new file mode 100644
index 00000000000..2cff3f56c1b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "8055dec2-efb8-4fe6-8837-d9bed6ff202a",
+ "queryName": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "da252d8a",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego
new file mode 100644
index 00000000000..0bc396a054e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego
@@ -0,0 +1,75 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "lambda:CreateFunction")
+ unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole")
+ unrecommended_permission_policy_scenarios(targetUser, "lambda:InvokeFunction")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find
attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf
new file mode 100644
index 00000000000..3be4c197c9e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:CreateFunction",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json
new file mode 100644
index 00000000000..9ad15fbd1b3
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
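Review bot: This positive fixture grants only `lambda:CreateFunction` (inline policy) and `iam:PassRole` (attached policy); nothing in it allows `lambda:InvokeFunction`, yet the expected-result hunk that follows records a finding on line 1. The query's CxPolicy rule requires all three `unrecommended_permission_policy_scenarios` calls to succeed, so as written either the fixture is incomplete or the expectation is wrong and the query test for this directory would fail; worth re-running it. The smallest fix is adding `"lambda:InvokeFunction",` to the inline policy's Action list next to `"lambda:CreateFunction",`.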
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/metadata.json
new file mode 100644
index 00000000000..3b60bbf29a7
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "8bfbf7ab-d5e8-4100-8618-798956e101e0",
+ "queryName": "User with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "024a2d0d",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/query.rego
new file mode 100644
index 00000000000..c4f75479dd3
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:PutGroupPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user :=
get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive1.tf
new file mode 100644
index 00000000000..fd0ea4df28b
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..1f7232e4531
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/metadata.json
new file mode 100644
index 00000000000..5990826d397
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "eeb4d37a-3c59-4789-a00c-1509bc3af1e5",
+ "queryName": "User with privilege escalation by actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "367257fe",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/query.rego
new file mode 100644
index 00000000000..0d37a03980e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:PutRolePolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user :=
get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive1.tf
new file mode 100644
index 00000000000..89411b4a9cd
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive1.tf
@@ -0,0 +1,31 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..f5778473431
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/metadata.json
new file mode 100644
index 00000000000..8121cf132c3
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "0c10d7da-85c4-4d62-b2a8-d6c104f1bd77",
+ "queryName": "User with privilege escalation by actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "b99501af",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/query.rego
new file mode 100644
index 00000000000..af25dc8dd15
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:PutUserPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user :=
get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+ 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive1.tf
new file mode 100644
index 00000000000..edd49854001
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive1.tf
@@ -0,0 +1,31 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..450ee8bf701
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/metadata.json
new file mode 100644
index 00000000000..77f9fad78ef
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "43a41523-386a-4cb1-becb-42af6b414433",
+ "queryName": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "85e8d749",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/query.rego
new file mode 100644
index 00000000000..df7c2e2fa53
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:SetDefaultPolicyVersion")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive1.tf
new file mode 100644
index 00000000000..193341e24ee
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive1.tf
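Review bot: `unrecommended_permission_policy` only accepts a statement whose Action equals (or contains) the exact permission string, so a policy written with `Action = "*"` or `Action = "iam:*"` — which grants `iam:SetDefaultPolicyVersion` just as fully — produces no finding; the UpdateAssumeRolePolicy/sts:AssumeRole, UpdateLoginProfile and lambda:UpdateFunctionCode query.rego hunks below share the same gap. Unless `common_lib.equalsOrInArray` already expands wildcards (its body is not visible here), add the two wildcard forms alongside the exact match, e.g. a helper `action_grants(statement, permission)` that is satisfied by `"*"`, by the service prefix `concat("", [split(permission, ":")[0], ":*"])`, or by the exact action; note also that `lower(permission)` is compared against the Action as written, so correctness of the existing exact match depends on `equalsOrInArray` being case-insensitive. The `policies` set also lists `aws_iam_role_policy`, `aws_iam_user_policy` and `aws_iam_group_policy`, which are inline policies without an ARN and so can never be the target of `policy_arn`; only `aws_iam_policy` belongs there. Since the three helper rules are byte-identical in every query.rego of this patch, they are a candidate for `common_lib` with the permission as the only per-query input, and each file currently ends with a whitespace-only line and no trailing newline.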
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:SetDefaultPolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..8cd3c8640d6
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json
new file mode 100644
index 00000000000..f9974aad023
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "33627268-1445-4385-988a-318fd9d1a512",
+ "queryName": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "7ab86e7e",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego
new file mode 100644
index 00000000000..9da3cfc48d7
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego
@@ -0,0 +1,74 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateAssumeRolePolicy")
+ unrecommended_permission_policy_scenarios(targetUser, "sts:AssumeRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf
new file mode 100644
index 00000000000..99663d5260e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf
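Review bot: The two `unrecommended_permission_policy_scenarios` calls in `CxPolicy` are evaluated independently, so the rule correctly fires when the two actions come from different policies (which is exactly what the positive fixture does), but the `keyExpectedValue`/`keyActualValue` strings speak of "a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'", which reads as one statement granting both. `"user %s is associated with policies that together allow 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' on Resource '*'"` would describe the condition actually checked. The negative1.tf in this hunk group only grants `ec2:Describe*`; a second negative fixture granting exactly one of the two actions would pin down that both are required for a finding, which is the property that distinguishes this query from the single-action ones.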
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateAssumeRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "sts:AssumeRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json
new file mode 100644
index 00000000000..1c2fb05c0b3
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/metadata.json
new file mode 100644
index 00000000000..a17b1582ea7
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "6deb34e2-5d9c-499a-801b-ea6d9eda894f",
+ "queryName": "User with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "559f74f0",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/query.rego
new file mode 100644
index 00000000000..32e315feb9e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateLoginProfile")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive1.tf
new file mode 100644
index 00000000000..a21d05bf9c9
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..bb816011aac
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/metadata.json
new file mode 100644
index 00000000000..9de1a145d03
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "b69247e5-7e73-464e-ba74-ec9b715c6e12",
+ "queryName": "User with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "platform": "Terraform",
+ "descriptionID": "f5d372a0",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/query.rego
new file mode 100644
index 00000000000..a73cf0e175a
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/query.rego
@@ -0,0 +1,73 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ input.document[i].resource.aws_iam_user[targetUser]
+
+ unrecommended_permission_policy_scenarios(targetUser, "lambda:UpdateFunctionCode")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
+
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := common_lib.json_unmarshal(resourcePolicy.policy)
+
+ st := common_lib.get_statement(policy)
+ statement := st[_]
+
+ common_lib.is_allow_effect(statement)
+
+ common_lib.equalsOrInArray(statement.Resource, "*")
+ common_lib.equalsOrInArray(statement.Action, lower(permission))
+}
+
+get_user(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+
+unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommend
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive1.tf
new file mode 100644
index 00000000000..8e9a4e1cd86
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:UpdateFunctionCode",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive_expected_result.json
new file mode 100644
index 00000000000..92547d6f67e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
From beef03311c135b9f6220603b773a19f4e7a56388 Mon Sep 17 00:00:00 2001
From: gafnit Date: Sun, 26 Jun 2022 11:00:54 +0300 Subject: [PATCH 02/11] change to KICS query file structure --- .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../iam-PutRolePolicy => group_with_iam_PutRolePolicy}/query.rego | 0 .../test/negative1.tf | 0 
.../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../iam-PutUserPolicy => group_with_iam_PutUserPolicy}/query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 
.../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../iam-PutRolePolicy => role_with_iam_PutRolePolicy}/query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../iam-PutUserPolicy => role_with_iam_PutUserPolicy}/query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf 
| 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../iam-PutRolePolicy => user_with_iam_PutRolePolicy}/query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../iam-PutUserPolicy => user_with_iam_PutUserPolicy}/query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 
.../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 285 files changed, 0 insertions(+), 0 deletions(-) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/glue-UpdateDevEndpoint => group_with_glue_UpdateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/glue-UpdateDevEndpoint => group_with_glue_UpdateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/glue-UpdateDevEndpoint => group_with_glue_UpdateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/glue-UpdateDevEndpoint => group_with_glue_UpdateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/glue-UpdateDevEndpoint => group_with_glue_UpdateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AddUserToGroup => group_with_iam_AddUserToGroup}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AddUserToGroup => group_with_iam_AddUserToGroup}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AddUserToGroup => group_with_iam_AddUserToGroup}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AddUserToGroup => group_with_iam_AddUserToGroup}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AddUserToGroup => group_with_iam_AddUserToGroup}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachGroupPolicy => group_with_iam_AttachGroupPolicy}/metadata.json (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachGroupPolicy => group_with_iam_AttachGroupPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachGroupPolicy => group_with_iam_AttachGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachGroupPolicy => group_with_iam_AttachGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachGroupPolicy => group_with_iam_AttachGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachRolePolicy => group_with_iam_AttachRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachRolePolicy => group_with_iam_AttachRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachRolePolicy => group_with_iam_AttachRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachRolePolicy => group_with_iam_AttachRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachRolePolicy => group_with_iam_AttachRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachUserPolicy => group_with_iam_AttachUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachUserPolicy => group_with_iam_AttachUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachUserPolicy => group_with_iam_AttachUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachUserPolicy => group_with_iam_AttachUserPolicy}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-AttachUserPolicy => group_with_iam_AttachUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateAccessKey => group_with_iam_CreateAccessKey}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateAccessKey => group_with_iam_CreateAccessKey}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateAccessKey => group_with_iam_CreateAccessKey}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateAccessKey => group_with_iam_CreateAccessKey}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateAccessKey => group_with_iam_CreateAccessKey}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateLoginProfile => group_with_iam_CreateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateLoginProfile => group_with_iam_CreateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateLoginProfile => group_with_iam_CreateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateLoginProfile => group_with_iam_CreateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreateLoginProfile => group_with_iam_CreateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreatePolicyVersion => group_with_iam_CreatePolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreatePolicyVersion => group_with_iam_CreatePolicyVersion}/query.rego (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreatePolicyVersion => group_with_iam_CreatePolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreatePolicyVersion => group_with_iam_CreatePolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-CreatePolicyVersion => group_with_iam_CreatePolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack => group_with_iam_PassRole_cloudformation_CreateStack}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack => group_with_iam_PassRole_cloudformation_CreateStack}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack => group_with_iam_PassRole_cloudformation_CreateStack}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack => group_with_iam_PassRole_cloudformation_CreateStack}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack => group_with_iam_PassRole_cloudformation_CreateStack}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances => group_with_iam_PassRole_ec2_RunInstances}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances => group_with_iam_PassRole_ec2_RunInstances}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances => group_with_iam_PassRole_ec2_RunInstances}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances => group_with_iam_PassRole_ec2_RunInstances}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances => group_with_iam_PassRole_ec2_RunInstances}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint => group_with_iam_PassRole_glue_CreateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint => group_with_iam_PassRole_glue_CreateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint => group_with_iam_PassRole_glue_CreateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint => group_with_iam_PassRole_glue_CreateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint => group_with_iam_PassRole_glue_CreateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutGroupPolicy => group_with_iam_PutGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutGroupPolicy => group_with_iam_PutGroupPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutGroupPolicy => group_with_iam_PutGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutGroupPolicy => group_with_iam_PutGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutGroupPolicy => group_with_iam_PutGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutRolePolicy => group_with_iam_PutRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutRolePolicy => group_with_iam_PutRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutRolePolicy => group_with_iam_PutRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutRolePolicy => group_with_iam_PutRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutRolePolicy => group_with_iam_PutRolePolicy}/test/positive_expected_result.json (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutUserPolicy => group_with_iam_PutUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutUserPolicy => group_with_iam_PutUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutUserPolicy => group_with_iam_PutUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutUserPolicy => group_with_iam_PutUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-PutUserPolicy => group_with_iam_PutUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-SetDefaultPolicyVersion => group_with_iam_SetDefaultPolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-SetDefaultPolicyVersion => group_with_iam_SetDefaultPolicyVersion}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-SetDefaultPolicyVersion => group_with_iam_SetDefaultPolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-SetDefaultPolicyVersion => group_with_iam_SetDefaultPolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-SetDefaultPolicyVersion => group_with_iam_SetDefaultPolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole => group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole => group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/query.rego (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole => group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole => group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole => group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateLoginProfile => group_with_iam_UpdateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateLoginProfile => group_with_iam_UpdateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateLoginProfile => group_with_iam_UpdateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateLoginProfile => group_with_iam_UpdateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/iam-UpdateLoginProfile => group_with_iam_UpdateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/lambda-UpdateFunctionCode => group_with_lambda_UpdateFunctionCode}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/lambda-UpdateFunctionCode => group_with_lambda_UpdateFunctionCode}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/lambda-UpdateFunctionCode => group_with_lambda_UpdateFunctionCode}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/group/lambda-UpdateFunctionCode => group_with_lambda_UpdateFunctionCode}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/group/lambda-UpdateFunctionCode => group_with_lambda_UpdateFunctionCode}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/glue-UpdateDevEndpoint => role_with_glue_UpdateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/glue-UpdateDevEndpoint => role_with_glue_UpdateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/glue-UpdateDevEndpoint => role_with_glue_UpdateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/glue-UpdateDevEndpoint => role_with_glue_UpdateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/glue-UpdateDevEndpoint => role_with_glue_UpdateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AddUserToGroup => role_with_iam_AddUserToGroup}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AddUserToGroup => role_with_iam_AddUserToGroup}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AddUserToGroup => role_with_iam_AddUserToGroup}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AddUserToGroup => role_with_iam_AddUserToGroup}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AddUserToGroup => role_with_iam_AddUserToGroup}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachGroupPolicy => role_with_iam_AttachGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachGroupPolicy => role_with_iam_AttachGroupPolicy}/query.rego (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachGroupPolicy => role_with_iam_AttachGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachGroupPolicy => role_with_iam_AttachGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachGroupPolicy => role_with_iam_AttachGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachRolePolicy => role_with_iam_AttachRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachRolePolicy => role_with_iam_AttachRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachRolePolicy => role_with_iam_AttachRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachRolePolicy => role_with_iam_AttachRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachRolePolicy => role_with_iam_AttachRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachUserPolicy => role_with_iam_AttachUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachUserPolicy => role_with_iam_AttachUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachUserPolicy => role_with_iam_AttachUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachUserPolicy => role_with_iam_AttachUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-AttachUserPolicy => role_with_iam_AttachUserPolicy}/test/positive_expected_result.json (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateAccessKey => role_with_iam_CreateAccessKey}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateAccessKey => role_with_iam_CreateAccessKey}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateAccessKey => role_with_iam_CreateAccessKey}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateAccessKey => role_with_iam_CreateAccessKey}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateAccessKey => role_with_iam_CreateAccessKey}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateLoginProfile => role_with_iam_CreateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateLoginProfile => role_with_iam_CreateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateLoginProfile => role_with_iam_CreateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateLoginProfile => role_with_iam_CreateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreateLoginProfile => role_with_iam_CreateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreatePolicyVersion => role_with_iam_CreatePolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreatePolicyVersion => role_with_iam_CreatePolicyVersion}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreatePolicyVersion => role_with_iam_CreatePolicyVersion}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreatePolicyVersion => role_with_iam_CreatePolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-CreatePolicyVersion => role_with_iam_CreatePolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack => role_with_iam_PassRole_cloudformation_CreateStack}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack => role_with_iam_PassRole_cloudformation_CreateStack}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack => role_with_iam_PassRole_cloudformation_CreateStack}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack => role_with_iam_PassRole_cloudformation_CreateStack}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack => role_with_iam_PassRole_cloudformation_CreateStack}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances => role_with_iam_PassRole_ec2_RunInstances}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances => role_with_iam_PassRole_ec2_RunInstances}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances => role_with_iam_PassRole_ec2_RunInstances}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances => role_with_iam_PassRole_ec2_RunInstances}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances => role_with_iam_PassRole_ec2_RunInstances}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint => role_with_iam_PassRole_glue_CreateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint => role_with_iam_PassRole_glue_CreateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint => role_with_iam_PassRole_glue_CreateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint => role_with_iam_PassRole_glue_CreateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint => role_with_iam_PassRole_glue_CreateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutGroupPolicy => role_with_iam_PutGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutGroupPolicy => role_with_iam_PutGroupPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutGroupPolicy => role_with_iam_PutGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutGroupPolicy => role_with_iam_PutGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutGroupPolicy => role_with_iam_PutGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutRolePolicy => role_with_iam_PutRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutRolePolicy => role_with_iam_PutRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutRolePolicy => role_with_iam_PutRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutRolePolicy => role_with_iam_PutRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutRolePolicy => role_with_iam_PutRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutUserPolicy => role_with_iam_PutUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutUserPolicy => role_with_iam_PutUserPolicy}/query.rego (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutUserPolicy => role_with_iam_PutUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutUserPolicy => role_with_iam_PutUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-PutUserPolicy => role_with_iam_PutUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-SetDefaultPolicyVersion => role_with_iam_SetDefaultPolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-SetDefaultPolicyVersion => role_with_iam_SetDefaultPolicyVersion}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-SetDefaultPolicyVersion => role_with_iam_SetDefaultPolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-SetDefaultPolicyVersion => role_with_iam_SetDefaultPolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-SetDefaultPolicyVersion => role_with_iam_SetDefaultPolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole => role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole => role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole => role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole => role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/test/positive1.tf 
(100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole => role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateLoginProfile => role_with_iam_UpdateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateLoginProfile => role_with_iam_UpdateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateLoginProfile => role_with_iam_UpdateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateLoginProfile => role_with_iam_UpdateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/iam-UpdateLoginProfile => role_with_iam_UpdateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/lambda-UpdateFunctionCode => role_with_lambda_UpdateFunctionCode}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/lambda-UpdateFunctionCode => role_with_lambda_UpdateFunctionCode}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/lambda-UpdateFunctionCode => role_with_lambda_UpdateFunctionCode}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/lambda-UpdateFunctionCode => role_with_lambda_UpdateFunctionCode}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/role/lambda-UpdateFunctionCode => role_with_lambda_UpdateFunctionCode}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/glue-UpdateDevEndpoint => user_with_glue_UpdateDevEndpoint}/metadata.json (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/user/glue-UpdateDevEndpoint => user_with_glue_UpdateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/glue-UpdateDevEndpoint => user_with_glue_UpdateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/glue-UpdateDevEndpoint => user_with_glue_UpdateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/glue-UpdateDevEndpoint => user_with_glue_UpdateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AddUserToGroup => user_with_iam_AddUserToGroup}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AddUserToGroup => user_with_iam_AddUserToGroup}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AddUserToGroup => user_with_iam_AddUserToGroup}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AddUserToGroup => user_with_iam_AddUserToGroup}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AddUserToGroup => user_with_iam_AddUserToGroup}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachGroupPolicy => user_with_iam_AttachGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachGroupPolicy => user_with_iam_AttachGroupPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachGroupPolicy => user_with_iam_AttachGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachGroupPolicy => user_with_iam_AttachGroupPolicy}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachGroupPolicy => user_with_iam_AttachGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachRolePolicy => user_with_iam_AttachRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachRolePolicy => user_with_iam_AttachRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachRolePolicy => user_with_iam_AttachRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachRolePolicy => user_with_iam_AttachRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachRolePolicy => user_with_iam_AttachRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachUserPolicy => user_with_iam_AttachUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachUserPolicy => user_with_iam_AttachUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachUserPolicy => user_with_iam_AttachUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachUserPolicy => user_with_iam_AttachUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-AttachUserPolicy => user_with_iam_AttachUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateAccessKey => user_with_iam_CreateAccessKey}/metadata.json (100%) rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateAccessKey => user_with_iam_CreateAccessKey}/query.rego (100%) rename 
assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateAccessKey => user_with_iam_CreateAccessKey}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateAccessKey => user_with_iam_CreateAccessKey}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateAccessKey => user_with_iam_CreateAccessKey}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateLoginProfile => user_with_iam_CreateLoginProfile}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateLoginProfile => user_with_iam_CreateLoginProfile}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateLoginProfile => user_with_iam_CreateLoginProfile}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateLoginProfile => user_with_iam_CreateLoginProfile}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreateLoginProfile => user_with_iam_CreateLoginProfile}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreatePolicyVersion => user_with_iam_CreatePolicyVersion}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreatePolicyVersion => user_with_iam_CreatePolicyVersion}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreatePolicyVersion => user_with_iam_CreatePolicyVersion}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreatePolicyVersion => user_with_iam_CreatePolicyVersion}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-CreatePolicyVersion => user_with_iam_CreatePolicyVersion}/test/positive_expected_result.json (100%)
 rename
assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack => user_with_iam_PassRole_cloudformation_CreateStack}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack => user_with_iam_PassRole_cloudformation_CreateStack}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack => user_with_iam_PassRole_cloudformation_CreateStack}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack => user_with_iam_PassRole_cloudformation_CreateStack}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack => user_with_iam_PassRole_cloudformation_CreateStack}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances => user_with_iam_PassRole_ec2_RunInstances}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances => user_with_iam_PassRole_ec2_RunInstances}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances => user_with_iam_PassRole_ec2_RunInstances}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances => user_with_iam_PassRole_ec2_RunInstances}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances => user_with_iam_PassRole_ec2_RunInstances}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint => user_with_iam_PassRole_glue_CreateDevEndpoint}/metadata.json (100%)
 rename
assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint => user_with_iam_PassRole_glue_CreateDevEndpoint}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint => user_with_iam_PassRole_glue_CreateDevEndpoint}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint => user_with_iam_PassRole_glue_CreateDevEndpoint}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint => user_with_iam_PassRole_glue_CreateDevEndpoint}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction => user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutGroupPolicy => user_with_iam_PutGroupPolicy}/metadata.json (100%)
 rename
assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutGroupPolicy => user_with_iam_PutGroupPolicy}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutGroupPolicy => user_with_iam_PutGroupPolicy}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutGroupPolicy => user_with_iam_PutGroupPolicy}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutGroupPolicy => user_with_iam_PutGroupPolicy}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutRolePolicy => user_with_iam_PutRolePolicy}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutRolePolicy => user_with_iam_PutRolePolicy}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutRolePolicy => user_with_iam_PutRolePolicy}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutRolePolicy => user_with_iam_PutRolePolicy}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutRolePolicy => user_with_iam_PutRolePolicy}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutUserPolicy => user_with_iam_PutUserPolicy}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutUserPolicy => user_with_iam_PutUserPolicy}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutUserPolicy => user_with_iam_PutUserPolicy}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutUserPolicy => user_with_iam_PutUserPolicy}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-PutUserPolicy =>
user_with_iam_PutUserPolicy}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-SetDefaultPolicyVersion => user_with_iam_SetDefaultPolicyVersion}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-SetDefaultPolicyVersion => user_with_iam_SetDefaultPolicyVersion}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-SetDefaultPolicyVersion => user_with_iam_SetDefaultPolicyVersion}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-SetDefaultPolicyVersion => user_with_iam_SetDefaultPolicyVersion}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-SetDefaultPolicyVersion => user_with_iam_SetDefaultPolicyVersion}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole => user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole => user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole => user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole => user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole => user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateLoginProfile => user_with_iam_UpdateLoginProfile}/metadata.json (100%)
 rename
assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateLoginProfile => user_with_iam_UpdateLoginProfile}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateLoginProfile => user_with_iam_UpdateLoginProfile}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateLoginProfile => user_with_iam_UpdateLoginProfile}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/iam-UpdateLoginProfile => user_with_iam_UpdateLoginProfile}/test/positive_expected_result.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/lambda-UpdateFunctionCode => user_with_lambda_UpdateFunctionCode}/metadata.json (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/lambda-UpdateFunctionCode => user_with_lambda_UpdateFunctionCode}/query.rego (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/lambda-UpdateFunctionCode => user_with_lambda_UpdateFunctionCode}/test/negative1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/lambda-UpdateFunctionCode => user_with_lambda_UpdateFunctionCode}/test/positive1.tf (100%)
 rename assets/queries/terraform/aws/{iam_privilege_escalation/user/lambda-UpdateFunctionCode => user_with_lambda_UpdateFunctionCode}/test/positive_expected_result.json (100%)
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/metadata.json b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/query.rego b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/query.rego
rename to assets/queries/terraform/aws/group_with_iam_AddUserToGroup/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/query.rego
rename to assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/metadata.json b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/query.rego b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/query.rego
rename to assets/queries/terraform/aws/group_with_iam_CreateAccessKey/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateAccessKey/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/query.rego
rename to assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/query.rego
rename to assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-CreatePolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/query.rego b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/query.rego
rename to assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/query.rego b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/query.rego
rename to assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego
rename to assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/query.rego
rename to assets/queries/terraform/aws/group_with_iam_PutRolePolicy/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_iam_PutUserPolicy/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-PutUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/query.rego
rename to assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-SetDefaultPolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego
rename to assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/query.rego
rename to assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/iam-UpdateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/metadata.json
rename to assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/query.rego
rename to assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/group/lambda-UpdateFunctionCode/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/glue-UpdateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/metadata.json b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/metadata.json
rename to assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/query.rego b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/query.rego
rename to assets/queries/terraform/aws/role_with_iam_AddUserToGroup/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AddUserToGroup/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/query.rego
rename to assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/metadata.json
rename to assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/query.rego
rename to assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/metadata.json
rename to assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/query.rego
rename to assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-AttachUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/metadata.json b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/metadata.json
rename to assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/query.rego b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/query.rego
rename to assets/queries/terraform/aws/role_with_iam_CreateAccessKey/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateAccessKey/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/query.rego rename to assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreateLoginProfile/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/metadata.json rename to assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/query.rego rename to assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-CreatePolicyVersion/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/metadata.json rename to assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/query.rego b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/query.rego rename to assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/metadata.json rename to assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/query.rego b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/query.rego rename to assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/query.rego 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/metadata.json rename to assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/query.rego rename to assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json rename to assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego rename to assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/metadata.json rename to assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/query.rego rename to assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/query.rego 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutGroupPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/metadata.json rename to assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/query.rego rename to assets/queries/terraform/aws/role_with_iam_PutRolePolicy/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutRolePolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/metadata.json rename to assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/query.rego rename to assets/queries/terraform/aws/role_with_iam_PutUserPolicy/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-PutUserPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/metadata.json rename to assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/query.rego rename to assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-SetDefaultPolicyVersion/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json rename to assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego rename to assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/metadata.json rename to assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/query.rego rename to assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/negative1.tf rename to assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive1.tf rename to assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/iam-UpdateLoginProfile/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/metadata.json rename to assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/query.rego rename to assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/negative1.tf rename to assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive1.tf rename to assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/role/lambda-UpdateFunctionCode/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/metadata.json rename to assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/query.rego rename to assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/negative1.tf rename to assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive1.tf rename to assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/glue-UpdateDevEndpoint/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/metadata.json b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/metadata.json rename to assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/query.rego b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/query.rego rename to assets/queries/terraform/aws/user_with_iam_AddUserToGroup/query.rego 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AddUserToGroup/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/metadata.json rename to assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/query.rego rename to assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachGroupPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/metadata.json rename to assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/query.rego rename to assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachRolePolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/metadata.json rename to assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/query.rego rename to assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-AttachUserPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/metadata.json b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/metadata.json rename to assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/query.rego b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/query.rego rename to assets/queries/terraform/aws/user_with_iam_CreateAccessKey/query.rego 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateAccessKey/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/metadata.json rename to assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/query.rego rename to assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreateLoginProfile/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/metadata.json rename to assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/query.rego rename to assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-CreatePolicyVersion/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/metadata.json rename to assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/query.rego b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/query.rego rename to assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-cloudformation-CreateStack/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/metadata.json rename to assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/query.rego b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/query.rego rename to assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/query.rego 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-ec2-RunInstances/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/metadata.json rename to assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/query.rego rename to assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-glue-CreateDevEndpoint/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/metadata.json rename to assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/query.rego rename to assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PassRole-lambda-CreateFunction-lambda-InvokeFunction/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/metadata.json rename to assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/query.rego rename to assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/query.rego 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutGroupPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/metadata.json rename to assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/query.rego rename to assets/queries/terraform/aws/user_with_iam_PutRolePolicy/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutRolePolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/metadata.json rename to assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/query.rego rename to assets/queries/terraform/aws/user_with_iam_PutUserPolicy/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-PutUserPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/metadata.json rename to assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/query.rego rename to assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/query.rego diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-SetDefaultPolicyVersion/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/metadata.json rename to assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/query.rego rename to assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/negative1.tf rename to assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive1.tf rename to assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateAssumeRolePolicy-sts-AssumeRole/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json similarity index 100% rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/metadata.json rename to assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json 
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/query.rego
rename to assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/user/iam-UpdateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/metadata.json
rename to assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/query.rego
rename to assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/query.rego
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/iam_privilege_escalation/user/lambda-UpdateFunctionCode/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
From 18aa0f6298780f3aa666c4d6af55465762883db3 Mon Sep 17 00:00:00 2001
From: gafnit Date: Mon, 27 Jun 2022 13:49:46 +0300 Subject: [PATCH 03/11] add functions get_group, get_role, get_user, unrecommended_permission_policy_scenarios, unrecommended_permission_policy to common library --- assets/libraries/common.rego | 123 ++++++++++++++++++ .../query.rego | 56 +------- .../group_with_iam_AddUserToGroup/query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 56 +------- .../group_with_iam_CreateAccessKey/query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 58 +-------- .../query.rego | 58 +-------- .../query.rego | 58 +-------- .../query.rego | 60 +-------- .../group_with_iam_PutGroupPolicy/query.rego | 56 +------- .../group_with_iam_PutRolePolicy/query.rego | 56 +------- .../group_with_iam_PutUserPolicy/query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 58 +-------- .../query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 56 +------- .../role_with_iam_AddUserToGroup/query.rego | 56 +------- .../query.rego | 56 +------- .../role_with_iam_AttachRolePolicy/query.rego | 56 +------- .../role_with_iam_AttachUserPolicy/query.rego | 56 +------- .../role_with_iam_CreateAccessKey/query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 58 +-------- .../query.rego | 58 +-------- .../query.rego | 58 +-------- .../query.rego | 60 +-------- .../role_with_iam_PutGroupPolicy/query.rego | 56 +------- .../role_with_iam_PutRolePolicy/query.rego | 56 +------- .../role_with_iam_PutUserPolicy/query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 58 +-------- .../query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 56 +------- .../user_with_iam_AddUserToGroup/query.rego | 56 +------- .../query.rego | 56 +------- .../user_with_iam_AttachRolePolicy/query.rego | 56 +------- .../user_with_iam_AttachUserPolicy/query.rego | 56 +------- 
.../user_with_iam_CreateAccessKey/query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 58 +-------- .../query.rego | 58 +-------- .../query.rego | 58 +-------- .../query.rego | 60 +-------- .../user_with_iam_PutGroupPolicy/query.rego | 56 +------- .../user_with_iam_PutRolePolicy/query.rego | 56 +------- .../user_with_iam_PutUserPolicy/query.rego | 56 +------- .../query.rego | 56 +------- .../query.rego | 58 +-------- .../query.rego | 56 +------- .../query.rego | 56 +------- 58 files changed, 255 insertions(+), 3096 deletions(-)
diff --git a/assets/libraries/common.rego b/assets/libraries/common.rego
index 6840e6057d7..0e455786939 100644
--- a/assets/libraries/common.rego
+++ b/assets/libraries/common.rego
@@ -776,3 +776,126 @@ get_bom_output(bom_output, policy) = output {
 is_aws_ebs_optimized_by_default(instanceType) {
 inArray(data.common_lib.aws_ebs_optimized_by_default, instanceType)
 }
+
+get_group_from_policy_attachment(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+get_role_from_policy_attachment(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+get_user_from_policy_attachment(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := json_unmarshal(resourcePolicy.policy)
+
+ st := get_statement(policy)
+ statement := st[_]
+
+ is_allow_effect(statement)
+
+ equalsOrInArray(statement.Resource, "*")
+ equalsOrInArray(statement.Action, lower(permission))
+}
+
+group_unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is the target group
+ group := get_group_from_policy_attachment(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommended
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := 
input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
+role_unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role_from_policy_attachment(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommended
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
+user_unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user 
:= get_user_from_policy_attachment(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommended
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/query.rego
index 13648ae6d71..4faef078268 100644
--- a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "glue:UpdateDevEndpoint")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:UpdateDevEndpoint")
+
 result := {
 "documentId": input.document[i].id,
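Review bot: `unrecommended_permission_policy` matches only the exact action (`equalsOrInArray(statement.Action, lower(permission))`), so a statement that allows `"Action": "*"` or `"iam:*"` on `"Resource": "*"` — a grant that covers every permission these queries look for — produces no finding; the match should also accept the full and the service-level wildcard, and a positive test containing a wildcard action would pin that. `equalsOrInArray` is not visible in this hunk; if it compares strings case-sensitively, lowering only `permission` means an Action written as `iam:AddUserToGroup` never matches, so it is worth confirming that `json_unmarshal` or the comparison normalises case. The three `*_unrecommended_permission_policy_scenarios` bodies differ only in the resource type and attribute name and will drift apart as they are maintained separately; a single helper taking those as arguments would keep them aligned. A header comment on each exported function stating the expected shape of `attachment` (`group`/`groups`, `role`/`roles`, `user`/`users`, and `policy_arn` as a Terraform resource reference rather than a literal ARN) would help query authors, since a literal ARN makes the `split(..., ".")[1]` lookup silently undefined.
```rego
unrecommended_permission_policy(resourcePolicy, permission) {
	# … unchanged: unmarshal policy, iterate statements, is_allow_effect, Resource "*" …
	action_grants_permission(statement.Action, lower(permission))
}

# true when the Action element names the permission explicitly, or grants it
# through the full wildcard ("*") or the service-level wildcard ("iam:*")
action_grants_permission(actions, permission) {
	equalsOrInArray(actions, permission)
} else {
	equalsOrInArray(actions, "*")
} else {
	service := split(permission, ":")[0]
	equalsOrInArray(actions, concat(":", [service, "*"]))
}
```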
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
- 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/query.rego
index a61e1acbac9..730f4bb6cf5 100644
--- a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:AddUserToGroup")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AddUserToGroup")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
- 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/query.rego
index 4f9b15d733b..d81c989a51f 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachGroupPolicy")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachGroupPolicy")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
- 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/query.rego
index 3e075bf0673..a77787d2fb7 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachRolePolicy")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachRolePolicy")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
- 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/query.rego
index 450282774ab..cdad3d2b513 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachUserPolicy")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachUserPolicy")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
- 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/query.rego
index dac82f14120..c5fe77f373d 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateAccessKey")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateAccessKey")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
- 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/query.rego
index abc0ff9e857..ae8c1f85b2b 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateLoginProfile")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateLoginProfile")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
- 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/query.rego
index cb0eb352b67..947e0b1c942 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:CreatePolicyVersion")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreatePolicyVersion")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
- 
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/query.rego
index 970173dd814..175382ae0c2 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/query.rego
@@ -7,9 +7,9 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "cloudformation:CreateStack")
- unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "cloudformation:CreateStack")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+
 result := {
 "documentId": input.document[i].id,
@@ -20,55 +20,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/query.rego
index 3e7d982e8a5..d3d6145af8a 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/query.rego
@@ -7,9 +7,9 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "ec2:RunInstances")
- unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "ec2:RunInstances")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+
 result := {
 "documentId": input.document[i].id,
@@ -20,55 +20,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/query.rego
index d0fbd61d251..74dfa9399f1 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/query.rego
@@ -7,9 +7,9 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "glue:CreateDevEndpoint")
- unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:CreateDevEndpoint")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+
 result := {
 "documentId": input.document[i].id,
@@ -20,55 +20,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego
index 45fa3eec5fb..7cdc136dea3 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego
@@ -7,10 +7,10 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "lambda:CreateFunction")
- unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
- unrecommended_permission_policy_scenarios(targetGroup, "lambda:InvokeFunction")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:CreateFunction")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:InvokeFunction")
+
 result := {
 "documentId": input.document[i].id,
@@ -21,55 +21,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/query.rego
index ce74fb83784..bc23843319d 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:PutGroupPolicy")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutGroupPolicy")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/query.rego
index 8c3daaa849c..e764aeb2623 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:PutRolePolicy")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutRolePolicy")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/query.rego
index 9d810f9c2ec..b88473c1dad 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:PutUserPolicy")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutUserPolicy")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/query.rego
index 18ffbb169c4..74d132dbe3f 100644
--- a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:SetDefaultPolicyVersion")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:SetDefaultPolicyVersion")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
index d0f20e77e94..041093a883f 100644
--- a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
@@ -7,9 +7,9 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateAssumeRolePolicy")
- unrecommended_permission_policy_scenarios(targetGroup, "sts:AssumeRole")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateAssumeRolePolicy")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "sts:AssumeRole")
+
 result := {
 "documentId": input.document[i].id,
@@ -20,55 +20,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/query.rego
index 8576accab64..3f01364ab60 100644
--- a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateLoginProfile")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateLoginProfile")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/query.rego
index c1c67257389..488e86986ff 100644
--- a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/query.rego
+++ b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM group
 input.document[i].resource.aws_iam_group[targetGroup]
- unrecommended_permission_policy_scenarios(targetGroup, "lambda:UpdateFunctionCode")
-
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:UpdateFunctionCode")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_group(attachment) = group {
- group := split(attachment.groups[_], ".")[1]
-} else = group {
- group := split(attachment.group, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetGroup, permission) {
- # get the IAM group policy
- groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
-
- # get the group referenced in IAM group policy and confirm it is the target group
- group := split(groupPolicy.group, ".")[1]
- group == targetGroup
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(groupPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the group referenced in IAM policy attachment and confirm it is the target group
- group := get_group(attachment)
- group == targetGroup
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/query.rego
index 504f9356e74..780c090f759 100644
--- a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM role
 input.document[i].resource.aws_iam_role[targetRole]
- unrecommended_permission_policy_scenarios(targetRole, "glue:UpdateDevEndpoint")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:UpdateDevEndpoint")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_role(attachment) = role {
- role := split(attachment.roles[_], ".")[1]
-} else = role {
- role := split(attachment.role, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetRole, permission) {
- # get the IAM role policy
- rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
-
- # get the role referenced in IAM role policy and confirm it is the target role
- role := split(rolePolicy.role, ".")[1]
- role == targetRole
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(rolePolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the role referenced in IAM policy attachment and confirm it is the target role
- role := get_role(attachment)
- role == targetRole
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/query.rego
index 852a7895527..e79e1f329e4 100644
--- a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM role
 input.document[i].resource.aws_iam_role[targetRole]
- unrecommended_permission_policy_scenarios(targetRole, "iam:AddUserToGroup")
-
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AddUserToGroup")
+
 result := {
 "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/query.rego index bb68ae00eac..203d5e607ad 100644 
--- a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:AttachGroupPolicy") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachGroupPolicy") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/query.rego index b660a3ea805..1ec6851c4b5 100644 
--- a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:AttachRolePolicy") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachRolePolicy") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/query.rego index baae8beb84c..e300ec18669 100644 
--- a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:AttachUserPolicy") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachUserPolicy") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/query.rego index 40c3de82548..fbfd2c603a3 100644 
--- a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:CreateAccessKey") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateAccessKey") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/query.rego index 8c2a5e3b8b3..b603422da5c 100644 
--- a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:CreateLoginProfile") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateLoginProfile") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/query.rego index 8928bedcedb..9c9d9fa5a85 100644 
--- a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:CreatePolicyVersion") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreatePolicyVersion") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/query.rego index abf65bc9726..10919fc6778 100644 --- a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/query.rego @@ -7,9 +7,9 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "cloudformation:CreateStack") - unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "cloudformation:CreateStack") + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole") + result := { "documentId": input.document[i].id, 
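Review bot: The two checks on the new side are evaluated independently, so the role is flagged when `cloudformation:CreateStack` and `iam:PassRole` are granted by different policies or attachments, which is the right model for a role's effective permissions but is not stated anywhere in the rule. A comment above the first call such as `# escalation needs both actions on the same role; they may come from different policies/attachments` would make the union semantics explicit. Since the removed in-file helper required `Resource: "*"`, it is also worth noting, assuming the shared helper keeps that rule, that an `iam:PassRole` statement scoped to specific role ARNs is not reported even though passing a more privileged role is what makes the pair dangerous. The CxPolicy rule ends outside the hunk.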
@@ -20,55 +20,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/query.rego index 9fc369ee090..40e32744824 100644 
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/query.rego @@ -7,9 +7,9 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "ec2:RunInstances") - unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "ec2:RunInstances") + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole") + result := { "documentId": input.document[i].id, 
@@ -20,55 +20,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/query.rego index 9abd1675e87..100abe44e95 100644 --- a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/query.rego @@ -7,9 +7,9 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "glue:CreateDevEndpoint") - unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:CreateDevEndpoint") + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole") + result := { "documentId": input.document[i].id, 
@@ -20,55 +20,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego index f4c17c6720d..44854e559af 100644 --- a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego @@ -7,10 +7,10 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "lambda:CreateFunction") - unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole") - unrecommended_permission_policy_scenarios(targetRole, "lambda:InvokeFunction") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:CreateFunction") + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole") + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:InvokeFunction") + result := { "documentId": input.document[i].id, 
@@ -21,55 +21,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/query.rego index c67ef175d37..c60af01d4bb 100644 
--- a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:PutGroupPolicy") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutGroupPolicy") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_role(attachment) = role { - role := split(attachment.roles[_], ".")[1] -} else = role { - role := split(attachment.role, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetRole, permission) { - # get the IAM role policy - rolePolicy := input.document[_].resource.aws_iam_role_policy[_] - - # get the role referenced in IAM role policy and confirm it is the target role - role := split(rolePolicy.role, ".")[1] - role == targetRole - - # verify that the policy is unrecommended - unrecommended_permission_policy(rolePolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the role referenced in IAM policy attachment and confirm it is the target role - role := get_role(attachment) - role == targetRole - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/query.rego index 0474a778538..93a3c729217 100644 
--- a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/query.rego +++ b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:PutRolePolicy") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutRolePolicy") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_role(attachment) = role {
- role := split(attachment.roles[_], ".")[1]
-} else = role {
- role := split(attachment.role, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetRole, permission) {
- # get the IAM role policy
- rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
-
- # get the role referenced in IAM role policy and confirm it is the target role
- role := split(rolePolicy.role, ".")[1]
- role == targetRole
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(rolePolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the role referenced in IAM policy attachment and confirm it is the target role
- role := get_role(attachment)
- role == targetRole
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/query.rego
index 7f6b3932aef..d17aef8e27e 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:PutUserPolicy") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutUserPolicy") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_role(attachment) = role {
- role := split(attachment.roles[_], ".")[1]
-} else = role {
- role := split(attachment.role, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetRole, permission) {
- # get the IAM role policy
- rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
-
- # get the role referenced in IAM role policy and confirm it is the target role
- role := split(rolePolicy.role, ".")[1]
- role == targetRole
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(rolePolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the role referenced in IAM policy attachment and confirm it is the target role
- role := get_role(attachment)
- role == targetRole
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/query.rego
index 790947810be..66c51a15685 100644
--- a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:SetDefaultPolicyVersion") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:SetDefaultPolicyVersion") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_role(attachment) = role {
- role := split(attachment.roles[_], ".")[1]
-} else = role {
- role := split(attachment.role, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetRole, permission) {
- # get the IAM role policy
- rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
-
- # get the role referenced in IAM role policy and confirm it is the target role
- role := split(rolePolicy.role, ".")[1]
- role == targetRole
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(rolePolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the role referenced in IAM policy attachment and confirm it is the target role
- role := get_role(attachment)
- role == targetRole
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
index 71d19e4e4f4..76fd17abafa 100644
--- a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
+++ b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
@@ -7,9 +7,9 @@ CxPolicy[result] {
 # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateAssumeRolePolicy") - unrecommended_permission_policy_scenarios(targetRole, "sts:AssumeRole") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateAssumeRolePolicy") + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "sts:AssumeRole") + result := { "documentId": input.document[i].id,
@@ -20,55 +20,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_role(attachment) = role {
- role := split(attachment.roles[_], ".")[1]
-} else = role {
- role := split(attachment.role, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetRole, permission) {
- # get the IAM role policy
- rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
-
- # get the role referenced in IAM role policy and confirm it is the target role
- role := split(rolePolicy.role, ".")[1]
- role == targetRole
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(rolePolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the role referenced in IAM policy attachment and confirm it is the target role
- role := get_role(attachment)
- role == targetRole
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/query.rego
index ca28064b587..b843ba211fb 100644
--- a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateLoginProfile") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateLoginProfile") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_role(attachment) = role {
- role := split(attachment.roles[_], ".")[1]
-} else = role {
- role := split(attachment.role, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetRole, permission) {
- # get the IAM role policy
- rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
-
- # get the role referenced in IAM role policy and confirm it is the target role
- role := split(rolePolicy.role, ".")[1]
- role == targetRole
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(rolePolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the role referenced in IAM policy attachment and confirm it is the target role
- role := get_role(attachment)
- role == targetRole
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/query.rego
index ad882be3165..3e6dd6ec8db 100644
--- a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/query.rego
+++ b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM role input.document[i].resource.aws_iam_role[targetRole] - unrecommended_permission_policy_scenarios(targetRole, "lambda:UpdateFunctionCode") - + common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:UpdateFunctionCode") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_role(attachment) = role {
- role := split(attachment.roles[_], ".")[1]
-} else = role {
- role := split(attachment.role, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetRole, permission) {
- # get the IAM role policy
- rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
-
- # get the role referenced in IAM role policy and confirm it is the target role
- role := split(rolePolicy.role, ".")[1]
- role == targetRole
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(rolePolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the role referenced in IAM policy attachment and confirm it is the target role
- role := get_role(attachment)
- role == targetRole
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/query.rego
index 2a3b98cc356..deacc549698 100644
--- a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "glue:UpdateDevEndpoint") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:UpdateDevEndpoint") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_user(attachment) = user {
- user := split(attachment.users[_], ".")[1]
-} else = user {
- user := split(attachment.user, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetUser, permission) {
- # get the IAM user policy
- userPolicy := input.document[_].resource.aws_iam_user_policy[_]
-
- # get the user referenced in IAM user policy and confirm it is the target user
- user := split(userPolicy.user, ".")[1]
- user == targetUser
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(userPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the user referenced in IAM policy attachment and confirm it is the target user
- user := get_user(attachment)
- user == targetUser
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/query.rego
index 34590997dc8..f16936e2b42 100644
--- a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:AddUserToGroup") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AddUserToGroup") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_user(attachment) = user {
- user := split(attachment.users[_], ".")[1]
-} else = user {
- user := split(attachment.user, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetUser, permission) {
- # get the IAM user policy
- userPolicy := input.document[_].resource.aws_iam_user_policy[_]
-
- # get the user referenced in IAM user policy and confirm it is the target user
- user := split(userPolicy.user, ".")[1]
- user == targetUser
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(userPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the user referenced in IAM policy attachment and confirm it is the target user
- user := get_user(attachment)
- user == targetUser
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/query.rego
index be13c496248..27249e6ea11 100644
--- a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:AttachGroupPolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachGroupPolicy") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_user(attachment) = user {
- user := split(attachment.users[_], ".")[1]
-} else = user {
- user := split(attachment.user, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetUser, permission) {
- # get the IAM user policy
- userPolicy := input.document[_].resource.aws_iam_user_policy[_]
-
- # get the user referenced in IAM user policy and confirm it is the target user
- user := split(userPolicy.user, ".")[1]
- user == targetUser
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(userPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the user referenced in IAM policy attachment and confirm it is the target user
- user := get_user(attachment)
- user == targetUser
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/query.rego
index cccf562fde4..61264defd02 100644
--- a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:AttachRolePolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachRolePolicy") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_user(attachment) = user {
- user := split(attachment.users[_], ".")[1]
-} else = user {
- user := split(attachment.user, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetUser, permission) {
- # get the IAM user policy
- userPolicy := input.document[_].resource.aws_iam_user_policy[_]
-
- # get the user referenced in IAM user policy and confirm it is the target user
- user := split(userPolicy.user, ".")[1]
- user == targetUser
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(userPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the user referenced in IAM policy attachment and confirm it is the target user
- user := get_user(attachment)
- user == targetUser
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/query.rego
index 82b1a4ed6e4..b086f0d60a6 100644
--- a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:AttachUserPolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachUserPolicy") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_user(attachment) = user {
- user := split(attachment.users[_], ".")[1]
-} else = user {
- user := split(attachment.user, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetUser, permission) {
- # get the IAM user policy
- userPolicy := input.document[_].resource.aws_iam_user_policy[_]
-
- # get the user referenced in IAM user policy and confirm it is the target user
- user := split(userPolicy.user, ".")[1]
- user == targetUser
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(userPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the user referenced in IAM policy attachment and confirm it is the target user
- user := get_user(attachment)
- user == targetUser
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/query.rego
index 5f191fa6ccc..233e58f9cf0 100644
--- a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/query.rego
+++ b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:CreateAccessKey") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateAccessKey") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_user(attachment) = user {
- user := split(attachment.users[_], ".")[1]
-} else = user {
- user := split(attachment.user, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetUser, permission) {
- # get the IAM user policy
- userPolicy := input.document[_].resource.aws_iam_user_policy[_]
-
- # get the user referenced in IAM user policy and confirm it is the target user
- user := split(userPolicy.user, ".")[1]
- user == targetUser
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(userPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the user referenced in IAM policy attachment and confirm it is the target user
- user := get_user(attachment)
- user == targetUser
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/query.rego
index 2960d6a5b12..e8821c465f7 100644
--- a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:CreateLoginProfile") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateLoginProfile") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
 }
 }
-
-
-unrecommended_permission_policy(resourcePolicy, permission) {
- policy := common_lib.json_unmarshal(resourcePolicy.policy)
-
- st := common_lib.get_statement(policy)
- statement := st[_]
-
- common_lib.is_allow_effect(statement)
-
- common_lib.equalsOrInArray(statement.Resource, "*")
- common_lib.equalsOrInArray(statement.Action, lower(permission))
-}
-
-get_user(attachment) = user {
- user := split(attachment.users[_], ".")[1]
-} else = user {
- user := split(attachment.user, ".")[1]
-}
-
-
-unrecommended_permission_policy_scenarios(targetUser, permission) {
- # get the IAM user policy
- userPolicy := input.document[_].resource.aws_iam_user_policy[_]
-
- # get the user referenced in IAM user policy and confirm it is the target user
- user := split(userPolicy.user, ".")[1]
- user == targetUser
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(userPolicy, permission)
-} else {
-
- # find attachment
- attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
- attachment := input.document[_].resource[attachments[_]][_]
-
- # get the user referenced in IAM policy attachment and confirm it is the target user
- user := get_user(attachment)
- user == targetUser
-
- # confirm that policy associated is unrecommend
- policy := split(attachment.policy_arn, ".")[1]
-
- policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
- resourcePolicy := input.document[_].resource[policies[_]][policy]
-
- # verify that the policy is unrecommended
- unrecommended_permission_policy(resourcePolicy, permission)
-
-}
-
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/query.rego
index 3bf1feabd25..1b709f3e5e5 100644
--- a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/query.rego
@@ -7,8 +7,8 @@ CxPolicy[result] {
 # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:CreatePolicyVersion") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreatePolicyVersion") + result := { "documentId": input.document[i].id,
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/query.rego index 8b084987e41..50b312048a2 100644 --- a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/query.rego @@ -7,9 +7,9 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "cloudformation:CreateStack") - unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "cloudformation:CreateStack") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") + result := { "documentId": input.document[i].id, 
@@ -20,55 +20,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/query.rego index a3c41ec40e0..a5fbd8f27b7 100644 
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/query.rego @@ -7,9 +7,9 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "ec2:RunInstances") - unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "ec2:RunInstances") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") + result := { "documentId": input.document[i].id, 
@@ -20,55 +20,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/query.rego index 70c9c71746b..9415d49651d 100644 --- a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/query.rego @@ -7,9 +7,9 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "glue:CreateDevEndpoint") - unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:CreateDevEndpoint") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") + result := { "documentId": input.document[i].id, 
@@ -20,55 +20,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego index 0bc396a054e..f1d9da90ebf 100644 --- a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego @@ -7,10 +7,10 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "lambda:CreateFunction") - unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") - unrecommended_permission_policy_scenarios(targetUser, "lambda:InvokeFunction") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:CreateFunction") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:InvokeFunction") + result := { "documentId": input.document[i].id, 
@@ -21,55 +21,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/query.rego index c4f75479dd3..2d03038f70f 100644 
--- a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:PutGroupPolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutGroupPolicy") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/query.rego index 0d37a03980e..6eccc5da942 100644 
--- a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:PutRolePolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutRolePolicy") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/query.rego index af25dc8dd15..b4e9b64ea2a 100644 
--- a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:PutUserPolicy") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutUserPolicy") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/query.rego index df7c2e2fa53..dd9202f5509 100644 
--- a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:SetDefaultPolicyVersion") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:SetDefaultPolicyVersion") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file 
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego index 9da3cfc48d7..ecf919dd16a 100644 --- a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego @@ -7,9 +7,9 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateAssumeRolePolicy") - unrecommended_permission_policy_scenarios(targetUser, "sts:AssumeRole") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateAssumeRolePolicy") + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "sts:AssumeRole") + result := { "documentId": input.document[i].id, 
@@ -20,55 +20,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/query.rego index 32e315feb9e..7b0da0e7913 100644 
--- a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/query.rego +++ b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateLoginProfile") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateLoginProfile") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file diff --git a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/query.rego index a73cf0e175a..f92b04d1d03 100644 
--- a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/query.rego +++ b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/query.rego @@ -7,8 +7,8 @@ CxPolicy[result] { # get a AWS IAM user input.document[i].resource.aws_iam_user[targetUser] - unrecommended_permission_policy_scenarios(targetUser, "lambda:UpdateFunctionCode") - + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:UpdateFunctionCode") + result := { "documentId": input.document[i].id, 
@@ -19,55 +19,3 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), } } - - -unrecommended_permission_policy(resourcePolicy, permission) { - policy := common_lib.json_unmarshal(resourcePolicy.policy) - - st := common_lib.get_statement(policy) - statement := st[_] - - common_lib.is_allow_effect(statement) - - common_lib.equalsOrInArray(statement.Resource, "*") - common_lib.equalsOrInArray(statement.Action, lower(permission)) -} - -get_user(attachment) = user { - user := split(attachment.users[_], ".")[1] -} else = user { - user := split(attachment.user, ".")[1] -} - - -unrecommended_permission_policy_scenarios(targetUser, permission) { - # get the IAM user policy - userPolicy := input.document[_].resource.aws_iam_user_policy[_] - - # get the user referenced in IAM user policy and confirm it is the target user - user := split(userPolicy.user, ".")[1] - user == targetUser - - # verify that the policy is unrecommended - unrecommended_permission_policy(userPolicy, permission) -} else { - - # find attachment - attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"} - attachment := input.document[_].resource[attachments[_]][_] - - # get the user referenced in IAM policy attachment and confirm it is the target user - user := get_user(attachment) - user == targetUser - - # confirm that policy associated is unrecommend - policy := split(attachment.policy_arn, ".")[1] - - policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"} - resourcePolicy := input.document[_].resource[policies[_]][policy] - - # verify that the policy is unrecommended - unrecommended_permission_policy(resourcePolicy, permission) - -} - \ No newline at end of file From 7be4bb7033baf8e9b5c9541ea162d4b3a21cc34b Mon Sep 17 00:00:00 2001 
From: gafnit Date: Mon, 27 Jun 2022 14:01:36 +0300 Subject: [PATCH 04/11] Titling queryName --- .../aws/group_with_glue_UpdateDevEndpoint/metadata.json | 2 +- .../terraform/aws/group_with_iam_AddUserToGroup/metadata.json | 2 +- .../aws/group_with_iam_AttachGroupPolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_AttachRolePolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_AttachUserPolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_CreateAccessKey/metadata.json | 2 +- .../aws/group_with_iam_CreateLoginProfile/metadata.json | 2 +- .../aws/group_with_iam_CreatePolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/group_with_iam_PutGroupPolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_PutRolePolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_PutUserPolicy/metadata.json | 2 +- .../aws/group_with_iam_SetDefaultPolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/group_with_iam_UpdateLoginProfile/metadata.json | 2 +- .../aws/group_with_lambda_UpdateFunctionCode/metadata.json | 2 +- .../aws/role_with_glue_UpdateDevEndpoint/metadata.json | 2 +- .../terraform/aws/role_with_iam_AddUserToGroup/metadata.json | 2 +- .../terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json | 2 +- .../terraform/aws/role_with_iam_AttachRolePolicy/metadata.json | 2 +- .../terraform/aws/role_with_iam_AttachUserPolicy/metadata.json | 2 +- .../terraform/aws/role_with_iam_CreateAccessKey/metadata.json | 2 +- .../aws/role_with_iam_CreateLoginProfile/metadata.json | 2 +- .../aws/role_with_iam_CreatePolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json | 2 +- .../role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/role_with_iam_PutGroupPolicy/metadata.json | 2 +- 
.../terraform/aws/role_with_iam_PutRolePolicy/metadata.json | 2 +- .../terraform/aws/role_with_iam_PutUserPolicy/metadata.json | 2 +- .../aws/role_with_iam_SetDefaultPolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/role_with_iam_UpdateLoginProfile/metadata.json | 2 +- .../aws/role_with_lambda_UpdateFunctionCode/metadata.json | 2 +- .../aws/user_with_glue_UpdateDevEndpoint/metadata.json | 2 +- .../terraform/aws/user_with_iam_AddUserToGroup/metadata.json | 2 +- .../terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_AttachRolePolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_AttachUserPolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_CreateAccessKey/metadata.json | 2 +- .../aws/user_with_iam_CreateLoginProfile/metadata.json | 2 +- .../aws/user_with_iam_CreatePolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json | 2 +- .../user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/user_with_iam_PutGroupPolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_PutRolePolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_PutUserPolicy/metadata.json | 2 +- .../aws/user_with_iam_SetDefaultPolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/user_with_iam_UpdateLoginProfile/metadata.json | 2 +- .../aws/user_with_lambda_UpdateFunctionCode/metadata.json | 2 +- 57 files changed, 57 insertions(+), 57 deletions(-) diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json index b62c68f43a6..2b090574363 100644 --- a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json +++ b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json 
@@ -1,6 +1,6 @@
 {
 "id": "8f3c16b3-354d-45db-8ad5-5066778a9485",
- "queryName": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint'",
+ "queryName": "Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json
index 30f79045476..6ce2d25177a 100644
--- a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "970ed7a2-0aca-4425-acf1-0453c9ecbca1",
- "queryName": "Group with privilege escalation by actions 'iam:AddUserToGroup'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json
index 10a0c0ed88e..d328d0e91e2 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "70b42736-efee-4bce-80d5-50358ed94990",
- "queryName": "Group with privilege escalation by actions 'iam:AttachGroupPolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json
index a34def349d5..319bdbf4070 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "3dd96caa-0b5f-4a85-b929-acfac4646cc2",
- "queryName": "Group with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json
index 728651fe63b..4c9f0bc91ef 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "db78d14b-10e5-4e6e-84b1-dace6327b1ec",
- "queryName": "Group with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json
index c1af2af4230..1e74b5c6fe4 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "846646e3-2af1-428c-ac5d-271eccfa6faf",
- "queryName": "Group with privilege escalation by actions 'iam:CreateAccessKey'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json
index 0efac05f688..1511717decf 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "04c686f1-e0cd-4812-88e1-4e038410074c",
- "queryName": "Group with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json
index 22c6477c8d5..c284cd5d3e1 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "ec49cbfd-fae4-45f3-81b1-860526d66e3f",
- "queryName": "Group with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json
index 2272f43c90a..4a0a178e460 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "9b0ffadc-a61f-4c2a-b1e6-68fab60f6267",
- "queryName": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "queryName": "Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json
index faf77a07640..d5178c3338e 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "15e6ad8c-f420-49a6-bafb-074f5eb1ec74",
- "queryName": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "queryName": "Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
index fead0dd5cbb..00264167b61 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "7d544dad-8a6c-431c-84c1-5f07fe9afc0e",
- "queryName": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "queryName": "Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
index 43e82cebc48..7089543e286 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "034d0aee-620f-4bf7-b7fb-efdf661fdb9e",
- "queryName": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "queryName": "Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json
index 1f0f32012de..3e92644e97d 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "e77c89f6-9c85-49ea-b95b-5f960fe5be92",
- "queryName": "Group with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json
index 6685bb2a125..83d213e7c39 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "c0c1e744-0f37-445e-924a-1846f0839f69",
- "queryName": "Group with privilege escalation by actions 'iam:PutRolePolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json
index e2d4b777a9f..4478087e871 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "60263b4a-6801-4587-911d-919c37ed733b",
- "queryName": "Group with privilege escalation by actions 'iam:PutUserPolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json
index aa81d39f277..fb40389fd45 100644
--- a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "7782d4b3-e23e-432b-9742-d9528432e771",
- "queryName": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
index b33fcdccda3..8bfcee221c8 100644
--- a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "78f1ec6f-5659-41ea-bd48-d0a142dce4f2",
- "queryName": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json
index f0fdde8d214..d8040879be5 100644
--- a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "ad296c0d-8131-4d6b-b030-1b0e73a99ad3",
- "queryName": "Group with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json
index 6bb4707da38..a6e26073ec0 100644
--- a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "571254d8-aa6a-432e-9725-535d3ef04d69",
- "queryName": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "queryName": "Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json
index 8459b203feb..5facab2f2b3 100644
--- a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "eda48c88-2b7d-4e34-b6ca-04c0194aee17",
- "queryName": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint'",
+ "queryName": "Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json
index 57a74916142..ee4eec21983 100644
--- a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "b8a31292-509d-4b61-bc40-13b167db7e9c",
- "queryName": "Role with privilege escalation by actions 'iam:AddUserToGroup'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json
index 6a58d254385..abccccad7b3 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "f906113d-cdc0-415a-ba60-609cc6daaf4d",
- "queryName": "Role with privilege escalation by actions 'iam:AttachGroupPolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json
index b71ca46b354..95114bb74dd 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "f465fff1-0a0f-457d-aa4d-1bddb6f204ff",
- "queryName": "Role with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json
index 95460861dfb..8a8b6f5eb74 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "7c96920c-6fd0-449d-9a52-0aa431b6beaf",
- "queryName": "Role with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json
index 71351245d08..077ce006f45 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "5b4d4aee-ac94-4810-9611-833636e5916d",
- "queryName": "Role with privilege escalation by actions 'iam:CreateAccessKey'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json
index 55b21cce6ca..cf8bce11c2c 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "9a205ba3-0dd1-42eb-8d54-2ffec836b51a",
- "queryName": "Role with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json
index 29587d4a5ce..a1161a0ce8d 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "ee49557d-750c-4cc1-aa95-94ab36cbefde",
- "queryName": "Role with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json
index b81309ec665..5b674990d15 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "be2aa235-bd93-4b68-978a-1cc65d49082f",
- "queryName": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "queryName": "Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json
index 6d38b7d0046..3d597e1c494 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "30b88745-eebe-4ecb-a3a9-5cf886e96204",
- "queryName": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "queryName": "Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
index 3aa078f45ce..c3e8579dfb5 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "0a592060-8166-49f5-8e65-99ac6dce9871",
- "queryName": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "queryName": "Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
index 74d5cb09707..b276d42bb3b 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "fa62ac4f-f5b9-45b9-97c1-625c8b6253ca",
- "queryName": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "queryName": "Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json
index b1b80bd0285..0be5820ea50 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "d6047119-a0b2-4b59-a4f2-127a36fb685b",
- "queryName": "Role with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json
index 9c3a5a8e861..0d6def036d7 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7",
- "queryName": "Role with privilege escalation by actions 'iam:PutRolePolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json
index 074201d875f..3bebba2434a 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "8f75840d-9ee7-42f3-b203-b40e3979eb12",
- "queryName": "Role with privilege escalation by actions 'iam:PutUserPolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json
index 52d06d5d6c6..5f9e43a11f6 100644
--- a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "118281d0-6471-422e-a7c5-051bc667926e",
- "queryName": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
index 7ab3ada3888..c1682cf2251 100644
--- a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "f1173d8c-3264-4148-9fdb-61181e031b51",
- "queryName": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json
index 74f3e0ad416..f4f68ca7e17 100644
--- a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "35ccf766-0e4d-41ed-9ec4-2dab155082b4",
- "queryName": "Role with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json
index 0ab9989018b..bb23ce13a17 100644
--- a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "c583f0f9-7dfd-476b-a056-f47c62b47b46",
- "queryName": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "queryName": "Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
diff --git a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json
index 586fad3da6e..84adc71c4d3 100644
--- a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json
@@ -1,6 +1,6 @@ { "id": "9b877bd8-94b4-4c10-a060-8e0436cc09fa", - "queryName": "User with privilege escalation by actions 'glue:UpdateDevEndpoint'", + "queryName": "User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json index 0eb1be15a57..0dcd514cfd7 100644 --- a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json @@ -1,6 +1,6 @@ { "id": "bf9d42c7-c2f9-4dfe-942c-c8cc8249a081", - "queryName": "User with privilege escalation by actions 'iam:AddUserToGroup'", + "queryName": "User With Privilege Escalation By Actions 'iam:AddUserToGroup'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json index 85a59954a13..887e3cbe04d 100644 --- a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json @@ -1,6 +1,6 @@ { "id": "6d23d87e-1c5b-4308-b224-92624300f29b", - "queryName": "User with privilege escalation by actions 'iam:AttachGroupPolicy'", + "queryName": "User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'", 
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json index 0eb7f6c3497..5fbc9e6ec34 100644 --- a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json @@ -1,6 +1,6 @@ { "id": "e227091e-2228-4b40-b046-fc13650d8e88", - "queryName": "User with privilege escalation by actions 'iam:AttachRolePolicy'", + "queryName": "User With Privilege Escalation By Actions 'iam:AttachRolePolicy'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json index fb897d46bf2..e88711cf5d7 100644 --- a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json @@ -1,6 +1,6 @@ { "id": "70cb518c-d990-46f6-bc05-44a5041493d6", - "queryName": "User with privilege escalation by actions 'iam:AttachUserPolicy'", + "queryName": "User With Privilege Escalation By Actions 'iam:AttachUserPolicy'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json index 2729c9012af..2478d729ff4 100644 --- a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json 
@@ -1,6 +1,6 @@ { "id": "113208f2-a886-4526-9ecc-f3218600e12c", - "queryName": "User with privilege escalation by actions 'iam:CreateAccessKey'", + "queryName": "User With Privilege Escalation By Actions 'iam:CreateAccessKey'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json index 093c23431ef..5de200432f3 100644 --- a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json @@ -1,6 +1,6 @@ { "id": "0fd7d920-4711-46bd-aff2-d307d82cd8b7", - "queryName": "User with privilege escalation by actions 'iam:CreateLoginProfile'", + "queryName": "User With Privilege Escalation By Actions 'iam:CreateLoginProfile'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json index 8e68ac461a4..eade1507488 100644 --- a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json @@ -1,6 +1,6 @@ { "id": "1743f5f1-0bb0-4934-acef-c80baa5dadfa", - "queryName": "User with privilege escalation by actions 'iam:CreatePolicyVersion'", + "queryName": "User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'", 
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json index d5b7491f89d..6a999695835 100644 --- a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json @@ -1,6 +1,6 @@ { "id": "19ffbe31-9d72-4379-9768-431195eae328", - "queryName": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'", + "queryName": "User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json index 633a7dda4d7..e0b364a6b59 100644 --- a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json @@ -1,6 +1,6 @@ { "id": "89561b03-cb35-44a9-a7e9-8356e71606f4", - "queryName": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'", + "queryName": "User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json index 1c56ce748c6..aaeaea7c653 100644 
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json @@ -1,6 +1,6 @@ { "id": "94fbe150-27e3-4eba-9ca6-af32865e4503", - "queryName": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'", + "queryName": "User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json index 2cff3f56c1b..c0403f1478b 100644 --- a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json @@ -1,6 +1,6 @@ { "id": "8055dec2-efb8-4fe6-8837-d9bed6ff202a", - "queryName": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'", + "queryName": "User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json index 3b60bbf29a7..35e502422f3 100644 --- a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json 
+++ b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json @@ -1,6 +1,6 @@ { "id": "8bfbf7ab-d5e8-4100-8618-798956e101e0", - "queryName": "User with privilege escalation by actions 'iam:PutGroupPolicy'", + "queryName": "User With Privilege Escalation By Actions 'iam:PutGroupPolicy'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json index 5990826d397..bd30ebef9b7 100644 --- a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json @@ -1,6 +1,6 @@ { "id": "eeb4d37a-3c59-4789-a00c-1509bc3af1e5", - "queryName": "User with privilege escalation by actions 'iam:PutRolePolicy'", + "queryName": "User With Privilege Escalation By Actions 'iam:PutRolePolicy'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json index 8121cf132c3..2379b887749 100644 --- a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json @@ -1,6 +1,6 @@ { "id": "0c10d7da-85c4-4d62-b2a8-d6c104f1bd77", - "queryName": "User with privilege escalation by actions 'iam:PutUserPolicy'", + "queryName": "User With Privilege Escalation By Actions 'iam:PutUserPolicy'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'", 
diff --git a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json index 77f9fad78ef..56ea2e2e516 100644 --- a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json @@ -1,6 +1,6 @@ { "id": "43a41523-386a-4cb1-becb-42af6b414433", - "queryName": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion'", + "queryName": "User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json index f9974aad023..0c978cbd481 100644 --- a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json @@ -1,6 +1,6 @@ { "id": "33627268-1445-4385-988a-318fd9d1a512", - "queryName": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'", + "queryName": "User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json index a17b1582ea7..60ff5aeab32 100644 
--- a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json +++ b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json @@ -1,6 +1,6 @@ { "id": "6deb34e2-5d9c-499a-801b-ea6d9eda894f", - "queryName": "User with privilege escalation by actions 'iam:UpdateLoginProfile'", + "queryName": "User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'", diff --git a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json index 9de1a145d03..3c4e56fdcfb 100644 --- a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json +++ b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json @@ -1,6 +1,6 @@ { "id": "b69247e5-7e73-464e-ba74-ec9b715c6e12", - "queryName": "User with privilege escalation by actions 'lambda:UpdateFunctionCode'", + "queryName": "User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'", "severity": "MEDIUM", "category": "Access Control", "descriptionText": "User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'", From 961f9f813f4faa5ccb489705ba3b9bdc5febe8d1 Mon Sep 17 00:00:00 2001 
From: gafnit Date: Mon, 27 Jun 2022 14:45:41 +0300 Subject: [PATCH 05/11] fix descriptionUrl --- .../aws/group_with_glue_UpdateDevEndpoint/metadata.json | 2 +- .../terraform/aws/group_with_iam_AddUserToGroup/metadata.json | 2 +- .../aws/group_with_iam_AttachGroupPolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_AttachRolePolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_AttachUserPolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_CreateAccessKey/metadata.json | 2 +- .../aws/group_with_iam_CreateLoginProfile/metadata.json | 2 +- .../aws/group_with_iam_CreatePolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json | 2 +- .../metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/group_with_iam_PutGroupPolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_PutRolePolicy/metadata.json | 2 +- .../terraform/aws/group_with_iam_PutUserPolicy/metadata.json | 2 +- .../aws/group_with_iam_SetDefaultPolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/group_with_iam_UpdateLoginProfile/metadata.json | 2 +- .../aws/group_with_lambda_UpdateFunctionCode/metadata.json | 2 +- .../aws/role_with_glue_UpdateDevEndpoint/metadata.json | 2 +- .../terraform/aws/role_with_iam_AddUserToGroup/metadata.json | 2 +- .../terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json | 2 +- .../terraform/aws/role_with_iam_AttachRolePolicy/metadata.json | 2 +- .../terraform/aws/role_with_iam_AttachUserPolicy/metadata.json | 2 +- .../terraform/aws/role_with_iam_CreateAccessKey/metadata.json | 2 +- .../aws/role_with_iam_CreateLoginProfile/metadata.json | 2 +- .../aws/role_with_iam_CreatePolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json | 2 +- .../role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/role_with_iam_PutGroupPolicy/metadata.json | 2 +- 
.../terraform/aws/role_with_iam_PutRolePolicy/metadata.json | 2 +- .../terraform/aws/role_with_iam_PutUserPolicy/metadata.json | 2 +- .../aws/role_with_iam_SetDefaultPolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/role_with_iam_UpdateLoginProfile/metadata.json | 2 +- .../aws/role_with_lambda_UpdateFunctionCode/metadata.json | 2 +- .../aws/user_with_glue_UpdateDevEndpoint/metadata.json | 2 +- .../terraform/aws/user_with_iam_AddUserToGroup/metadata.json | 2 +- .../terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_AttachRolePolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_AttachUserPolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_CreateAccessKey/metadata.json | 2 +- .../aws/user_with_iam_CreateLoginProfile/metadata.json | 2 +- .../aws/user_with_iam_CreatePolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json | 2 +- .../user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json | 2 +- .../metadata.json | 2 +- .../terraform/aws/user_with_iam_PutGroupPolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_PutRolePolicy/metadata.json | 2 +- .../terraform/aws/user_with_iam_PutUserPolicy/metadata.json | 2 +- .../aws/user_with_iam_SetDefaultPolicyVersion/metadata.json | 2 +- .../metadata.json | 2 +- .../aws/user_with_iam_UpdateLoginProfile/metadata.json | 2 +- .../aws/user_with_lambda_UpdateFunctionCode/metadata.json | 2 +- 57 files changed, 57 insertions(+), 57 deletions(-) diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json index 2b090574363..ade04f97d0e 100644 --- a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json +++ b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json 
@@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "10f17e18", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json index 6ce2d25177a..c56af85c7f0 100644 --- a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json @@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "576ba016", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json index d328d0e91e2..6e6007394b6 100644 --- a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json 
@@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "e42aec0c", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json index 319bdbf4070..e8769412061 100644 --- a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json @@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "5e39f36b", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json index 4c9f0bc91ef..6d5399b5079 100644 --- a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json 
@@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "25a0ad8b", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json index 1e74b5c6fe4..cd99240209f 100644 --- a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json @@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "5182dbde", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json index 1511717decf..ed3bbac709a 100644 --- a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json 
@@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "13604723", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json index c284cd5d3e1..29bb28926c6 100644 --- a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json @@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "04f8f6ca", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json index 4a0a178e460..1defdb47af8 100644 --- a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json 
@@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "b02d4e3c", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json index d5178c3338e..7a35afd722b 100644 --- a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json @@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "e6e9e8eb", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json index 00264167b61..b8834911109 100644 --- a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json 
@@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "59598729", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json index 7089543e286..0e5727840f2 100644 --- a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json @@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "2a7afde0", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json index 3e92644e97d..dad96cae5a2 100644 --- a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json 
@@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "6ee8a28a", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json index 83d213e7c39..156fc14f1e5 100644 --- a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json @@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "3a6914a5", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json index 4478087e871..263afa0a862 100644 --- a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json 
@@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "fdfe7031", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json index fb40389fd45..a1072310e45 100644 --- a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json @@ -4,7 +4,7 @@ "severity": "MEDIUM", "category": "Access Control", "descriptionText": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'", - "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", "platform": "Terraform", "descriptionID": "2be560bc", "cloudProvider": "aws" diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json index 8bfcee221c8..33d65a588a4 100644 --- a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json +++ b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json 
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "7fec1740",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json
index d8040879be5..2048be8a174 100644
--- a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "06985b1b",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json
index a6e26073ec0..5a4e7524f8d 100644
--- a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "1a80fe5c",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json
index 5facab2f2b3..33e03d6957d 100644
--- a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "bff18777",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json
index ee4eec21983..68dc7815c17 100644
--- a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "058bc100",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json
index abccccad7b3..4ba6dcd252c 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "54b22492",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json
index 95114bb74dd..09c41ae461a 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "aaf96d6e",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json
index 8a8b6f5eb74..0fa944bbd1b 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "4efcf3e9",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json
index 077ce006f45..6c3f6d501fc 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "0d94441c",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json
index cf8bce11c2c..5bd719e15d0 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "0e9af0ce",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json
index a1161a0ce8d..415aaa96b37 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "fe987a1d",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json
index 5b674990d15..aff661b89a0 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "779be66e",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json
index 3d597e1c494..6ff329f809c 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b3d6f7cf",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
index c3e8579dfb5..d08a41f75c8 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "0bc279fe",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
index b276d42bb3b..0be6457d4d0 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "628b0909",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json
index 0be5820ea50..2e5a3a8d925 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "ce1bbaeb",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json
index 0d6def036d7..991c9c36420 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2d361444",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json
index 3bebba2434a..1f111e0e333 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "48764f87",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json
index 5f9e43a11f6..2978dff4a88 100644
--- a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "a0ddfb38",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
index c1682cf2251..45d6fd68342 100644
--- a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2d747022",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json
index f4f68ca7e17..13581fe74a5 100644
--- a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "8bf480db",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json
index bb23ce13a17..69fcb4f440f 100644
--- a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "d6861f3e",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json
index 84adc71c4d3..7519b862c2a 100644
--- a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "1a48ac37",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json
index 0dcd514cfd7..ccf8f795605 100644
--- a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b201d168",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json
index 887e3cbe04d..f050d962862 100644
--- a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "9f22319f",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json
index 5fbc9e6ec34..9fe101f3949 100644
--- a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "a33a40e2",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json
index e88711cf5d7..46c907cb74f 100644
--- a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "98aa676c",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json
index 2478d729ff4..0edbb6ef58c 100644
--- a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "29b987f3",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json
index 5de200432f3..aa87bc66580 100644
--- a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "43ba4982",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json
index eade1507488..83adee55ab6 100644
--- a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "e894d408",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json
index 6a999695835..9c5b8be5bab 100644
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "c878232c",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json
index e0b364a6b59..fe8399f2653 100644
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "05f5544f",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
index aaeaea7c653..2038bcea7c6 100644
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "8d9e01f1",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
index c0403f1478b..e8fce1ea6c5 100644
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "da252d8a",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json
index 35e502422f3..9d5d0651f8c 100644
--- a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "024a2d0d",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json
index bd30ebef9b7..3e2ec4d2839 100644
--- a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "367257fe",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json
index 2379b887749..1a2b8cbb4be 100644
--- a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b99501af",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json
index 56ea2e2e516..93cb0e93efa 100644
--- a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "85e8d749",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
index 0c978cbd481..804188a4903 100644
--- a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "7ab86e7e",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json
index 60ff5aeab32..baef74603cc 100644
--- a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "559f74f0",
 "cloudProvider": "aws"
diff --git a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json
index 3c4e56fdcfb..4e41b853a47 100644
--- a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json
@@ -4,7 +4,7 @@
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "f5d372a0",
 "cloudProvider": "aws"
From 498db8859dcf3649dd8122d1b6d0da4a8ea7ccbd Mon Sep 17 00:00:00 2001
From: gafnit Date: Mon, 27 Jun 2022 16:10:56 +0300 Subject: [PATCH 06/11] fix positive tests --- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 13 +++---------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 13 +++---------- .../test/positive1.tf | 12 +++++------- .../test/positive1.tf | 12 +++++------- .../test/positive1.tf | 12 +++++------- .../test/positive1.tf | 13 ++++++------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 12 +++++------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 15 +++------------ .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 13 +++---------- .../test/positive1.tf | 13 +++---------- .../test/positive1.tf | 15 +++------------ .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 13 +++---------- .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 12 +++++------- .../test/positive1.tf | 12 +++++------- .../test/positive1.tf | 12 +++++------- .../test/positive1.tf | 13 ++++++------- .../test/positive1.tf | 14 +++----------- .../role_with_iam_PutRolePolicy/test/positive1.tf | 14 +++----------- .../role_with_iam_PutUserPolicy/test/positive1.tf | 15 +++------------ .../test/positive1.tf | 14 +++----------- .../test/positive1.tf | 12 +++++------- .../test/positive1.tf | 13 +++---------- .../test/positive1.tf | 13 +++---------- .../test/positive1.tf | 3 ++- 39 files changed, 138 insertions(+), 375 deletions(-) 
diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive1.tf
index 6c56310f4ee..afc00fbf03c 100644
--- a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -19,11 +19,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 ]
 })
 }
-
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive1.tf
index b71e0166b16..6f8e37d38f9 100644
--- a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -19,11 +19,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 ]
 })
 }
-
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive1.tf
index fddabd66a73..1165d914a6a 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -21,11 +21,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 }
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
-
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive1.tf
index c7d8fe2316a..85e037dc0c4 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -20,11 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 })
 }
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive1.tf
index 11b1a6047bc..8fab90734f2 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -19,11 +19,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 ]
 })
 }
-
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive1.tf
index 6bf052a9631..4a07b39ef11 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -21,10 +21,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 }
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive1.tf
index 6976b4215cc..7f2ea9300b6 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -20,11 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 })
 }
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive1.tf
index f652e0936e8..7752dd96fb0 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -20,10 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 })
 }
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf
index 7bf8fb48688..b5ba1fa0a56 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -23,9 +23,7 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 resource "aws_iam_policy_attachment" "test-attach" {
 name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
+ groups = [aws_iam_group.cosmic.name]
 policy_arn = aws_iam_policy.policy.arn
 }
@@ -33,7 +31,7 @@ resource "aws_iam_policy_attachment" "test-attach" {
 resource "aws_iam_policy" "policy" {
 name = "test-policy"
 description = "A test policy"
-
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive1.tf
index 1db184aa245..ad6cc30fdc9 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -23,9 +23,7 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 resource "aws_iam_policy_attachment" "test-attach" {
 name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
+ groups = [aws_iam_group.cosmic.name]
 policy_arn = aws_iam_policy.policy.arn
 }
@@ -33,7 +31,7 @@ resource "aws_iam_policy_attachment" "test-attach" {
 resource "aws_iam_policy" "policy" {
 name = "test-policy"
 description = "A test policy"
-
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf
index 4b53cde802b..137004a85fd 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -23,9 +23,7 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 resource "aws_iam_policy_attachment" "test-attach" {
 name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
+ groups = [aws_iam_group.cosmic.name]
 policy_arn = aws_iam_policy.policy.arn
 }
@@ -33,7 +31,7 @@ resource "aws_iam_policy_attachment" "test-attach" {
 resource "aws_iam_policy" "policy" {
 name = "test-policy"
 description = "A test policy"
-
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
index 3be4c197c9e..e94dde5adad 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -12,6 +12,7 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 {
 Action = [
 "lambda:CreateFunction",
+ "lambda:InvokeFunction"
 ]
 Effect = "Allow"
 Resource = "*"
@@ -23,9 +24,7 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 resource "aws_iam_policy_attachment" "test-attach" {
 name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
+ groups = [aws_iam_group.cosmic.name]
 policy_arn = aws_iam_policy.policy.arn
 }
@@ -33,7 +32,7 @@ resource "aws_iam_policy_attachment" "test-attach" {
 resource "aws_iam_policy" "policy" {
 name = "test-policy"
 description = "A test policy"
-
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive1.tf
index fd0ea4df28b..519b60c37aa 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -20,11 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 })
 }
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive1.tf
index 89411b4a9cd..f1afa71ac68 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -21,11 +21,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 }
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
-
diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive1.tf
index edd49854001..9c8127ef341 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -21,11 +21,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 }
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
-
diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive1.tf
index 193341e24ee..8ecedfb5e21 100644
--- a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -20,11 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 })
 }
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf
index 99663d5260e..630fdb6522a 100644
--- a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -23,9 +23,7 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 resource "aws_iam_policy_attachment" "test-attach" {
 name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
+ groups = [aws_iam_group.cosmic.name]
 policy_arn = aws_iam_policy.policy.arn
 }
@@ -33,7 +31,7 @@ resource "aws_iam_policy_attachment" "test-attach" {
 resource "aws_iam_policy" "policy" {
 name = "test-policy"
 description = "A test policy"
-
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive1.tf
index a21d05bf9c9..7d10cbd0dcc 100644
--- a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -20,11 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 })
 }
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive1.tf
index 8e9a4e1cd86..408b2c82b85 100644
--- a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive1.tf
+++ b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_group" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_group_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ group = aws_iam_group.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -19,12 +19,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 ]
 })
 }
-
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive1.tf
index 6c56310f4ee..18df0aeb618 100644
--- a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive1.tf
+++ b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_role" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_role_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ role = aws_iam_role.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -19,11 +19,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 ]
 })
 }
-
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive1.tf
index b71e0166b16..d858fc83c92 100644
--- a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive1.tf
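Review bot: The rewritten role fixture in the role_with_glue_UpdateDevEndpoint hunk declares `resource "aws_iam_role" "cosmic" { name = "cosmic" }` with no `assume_role_policy`, which the AWS provider requires for `aws_iam_role`, so the positive sample is not valid Terraform even though the scanner's HCL parser will still accept it. The same shape is repeated in every role_with_iam_* fixture through the PassRole_ec2_RunInstances hunk and presumably in the role files past the end of this chunk. Because positive samples double as the user-facing example of the flagged pattern, I would add a minimal trust policy, e.g. `assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow", Principal = { Service = "ec2.amazonaws.com" }, Action = "sts:AssumeRole" }] })`, so the sample applies and the query is exercised on a realistic resource. The inline policy body these resources reference continues outside the hunk.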
+++ b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_role" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_role_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ role = aws_iam_role.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -20,10 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 })
 }
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive1.tf
index fddabd66a73..17065aa9bf9 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive1.tf
+++ b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_role" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_role_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ role = aws_iam_role.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -21,11 +21,4 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 }
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive1.tf
index c7d8fe2316a..2cacd60b923 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive1.tf
+++ b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_role" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_role_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ role = aws_iam_role.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -19,12 +19,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 ]
 })
 }
-
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive1.tf
index 11b1a6047bc..80aa241f409 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive1.tf
+++ b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_role" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_role_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ role = aws_iam_role.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -19,11 +19,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 ]
 })
 }
-
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive1.tf
index 6bf052a9631..5e6e58822bf 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive1.tf
+++ b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_role" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_role_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ role = aws_iam_role.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -20,11 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" {
 })
 }
-
-resource "aws_iam_policy_attachment" "test-attach" {
- name = "test-attachment"
- users = [aws_iam_user.cosmic.name]
- roles = [aws_iam_role.role.name]
- groups = [aws_iam_group.group.name]
-}
-
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive1.tf
index 6976b4215cc..f59a8ac1761 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive1.tf
+++ b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive1.tf
@@ -1,10 +1,10 @@
-resource "aws_iam_user" "cosmic" {
+resource "aws_iam_role" "cosmic" {
 name = "cosmic"
 }
-resource "aws_iam_user_policy" "test_inline_policy" {
+resource "aws_iam_role_policy" "test_inline_policy" {
 name = "test_inline_policy"
- user = aws_iam_user.cosmic.name
+ role = aws_iam_role.cosmic.name
 policy = jsonencode({
 Version = "2012-10-17"
@@ -21,10 +21,3 @@ resource "aws_iam_user_policy" "test_inline_policy" { } -resource "aws_iam_policy_attachment" "test-attach" { - name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] -} - diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive1.tf index f652e0936e8..2143c1caa27 100644 --- a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive1.tf @@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -19,11 +19,3 @@ resource "aws_iam_user_policy" "test_inline_policy" { ] }) } - - -resource "aws_iam_policy_attachment" "test-attach" { - name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] -} diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf index 7bf8fb48688..93323198e5e 100644 --- a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf 
@@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -23,9 +23,7 @@ resource "aws_iam_user_policy" "test_inline_policy" { resource "aws_iam_policy_attachment" "test-attach" { name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] + roles = [aws_iam_role.cosmic.name] policy_arn = aws_iam_policy.policy.arn } @@ -33,7 +31,7 @@ resource "aws_iam_policy_attachment" "test-attach" { resource "aws_iam_policy" "policy" { name = "test-policy" description = "A test policy" - + policy = jsonencode({ Version = "2012-10-17" Statement = [ diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive1.tf index 1db184aa245..980fceb6b1f 100644 --- a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive1.tf @@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" 
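Review bot: The rewritten `aws_iam_policy_attachment "test-attach"` in the cloudformation_CreateStack fixture uses the exclusive attachment resource: on apply it detaches `policy_arn` from every user, role and group not listed, which is a known footgun in fixtures that get copied into real configurations. Unless the query deliberately matches on the `aws_iam_policy_attachment` resource type (query.rego is not in this diff), the non-exclusive form is `resource "aws_iam_role_policy_attachment" "test-attach"` with `role = aws_iam_role.cosmic.name` and `policy_arn = aws_iam_policy.policy.arn`. The statement list of `aws_iam_policy.policy`, which presumably carries the `iam:PassRole` grant that makes this a positive, continues past the end of the hunk, so whether its `Resource` is `"*"` or a scoped role ARN cannot be checked here.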
@@ -23,9 +23,7 @@ resource "aws_iam_user_policy" "test_inline_policy" { resource "aws_iam_policy_attachment" "test-attach" { name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] + roles = [aws_iam_role.cosmic.name] policy_arn = aws_iam_policy.policy.arn } @@ -33,7 +31,7 @@ resource "aws_iam_policy_attachment" "test-attach" { resource "aws_iam_policy" "policy" { name = "test-policy" description = "A test policy" - + policy = jsonencode({ Version = "2012-10-17" Statement = [ diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf index 4b53cde802b..71ca1742eef 100644 --- a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf @@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -23,9 +23,7 @@ resource "aws_iam_user_policy" "test_inline_policy" { resource "aws_iam_policy_attachment" "test-attach" { name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] + roles = [aws_iam_role.cosmic.name] policy_arn = aws_iam_policy.policy.arn } @@ -33,7 +31,7 @@ resource "aws_iam_policy_attachment" "test-attach" { resource "aws_iam_policy" "policy" { name = "test-policy" description = "A test policy" - + policy = jsonencode({ Version = "2012-10-17" Statement = [ 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf index 3be4c197c9e..620960fd62e 100644 --- a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf @@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -12,6 +12,7 @@ resource "aws_iam_user_policy" "test_inline_policy" { { Action = [ "lambda:CreateFunction", + "lambda:InvokeFunction" ] Effect = "Allow" Resource = "*" @@ -23,9 +24,7 @@ resource "aws_iam_user_policy" "test_inline_policy" { resource "aws_iam_policy_attachment" "test-attach" { name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] + roles = [aws_iam_role.cosmic.name] policy_arn = aws_iam_policy.policy.arn } @@ -33,7 +32,7 @@ resource "aws_iam_policy_attachment" "test-attach" { resource "aws_iam_policy" "policy" { name = "test-policy" description = "A test policy" - + policy = jsonencode({ Version = "2012-10-17" Statement = [ diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive1.tf index fd0ea4df28b..88a2d3ecd16 100644 --- a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive1.tf 
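Review bot: Adding `"lambda:InvokeFunction"` to the inline policy makes this a three-action positive, but nothing in this diff pins the conjunction from the other side: a negative fixture granting only two of the three (for example `lambda:CreateFunction` plus `iam:PassRole` without `lambda:InvokeFunction`, the action this hunk adds) is what would catch a query that fires on a partial grant, and negative1.tf for this query is not in the commit. The two-of-three case is not harmless either way (CreateFunction plus PassRole can still be turned into execution through an event source mapping), so the negative should state in a comment that it is pinning this query's action set rather than asserting the grant is safe. The `aws_iam_role_policy "test_inline_policy"` block edited by the second hunk starts and ends outside that hunk.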
@@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -20,11 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" { }) } - -resource "aws_iam_policy_attachment" "test-attach" { - name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] -} - diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive1.tf index 89411b4a9cd..e8ba070ff83 100644 --- a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive1.tf @@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -21,11 +21,3 @@ resource "aws_iam_user_policy" "test_inline_policy" { } -resource "aws_iam_policy_attachment" "test-attach" { - name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] -} - - diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive1.tf index edd49854001..aca7b0be485 100644 --- a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive1.tf 
@@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -20,12 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" { }) } - -resource "aws_iam_policy_attachment" "test-attach" { - name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] -} - - diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive1.tf index 193341e24ee..713b6b7996e 100644 --- a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive1.tf @@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -20,11 +20,3 @@ resource "aws_iam_user_policy" "test_inline_policy" { }) } - -resource "aws_iam_policy_attachment" "test-attach" { - name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] -} - diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf index 99663d5260e..251aa49957e 100644 
--- a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf @@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -23,9 +23,7 @@ resource "aws_iam_user_policy" "test_inline_policy" { resource "aws_iam_policy_attachment" "test-attach" { name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] + roles = [aws_iam_role.cosmic.name] policy_arn = aws_iam_policy.policy.arn } @@ -33,7 +31,7 @@ resource "aws_iam_policy_attachment" "test-attach" { resource "aws_iam_policy" "policy" { name = "test-policy" description = "A test policy" - + policy = jsonencode({ Version = "2012-10-17" Statement = [ diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive1.tf index a21d05bf9c9..4b486019144 100644 --- a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive1.tf @@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" 
@@ -21,10 +21,3 @@ resource "aws_iam_user_policy" "test_inline_policy" { } -resource "aws_iam_policy_attachment" "test-attach" { - name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] -} - diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive1.tf index 8e9a4e1cd86..eadf2c5e400 100644 --- a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive1.tf +++ b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive1.tf @@ -1,10 +1,10 @@ -resource "aws_iam_user" "cosmic" { +resource "aws_iam_role" "cosmic" { name = "cosmic" } -resource "aws_iam_user_policy" "test_inline_policy" { +resource "aws_iam_role_policy" "test_inline_policy" { name = "test_inline_policy" - user = aws_iam_user.cosmic.name + role = aws_iam_role.cosmic.name policy = jsonencode({ Version = "2012-10-17" @@ -21,10 +21,3 @@ resource "aws_iam_user_policy" "test_inline_policy" { } -resource "aws_iam_policy_attachment" "test-attach" { - name = "test-attachment" - users = [aws_iam_user.cosmic.name] - roles = [aws_iam_role.role.name] - groups = [aws_iam_group.group.name] -} - diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf index 3be4c197c9e..0f6b83b4571 100644 --- a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf +++ b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf @@ -12,6 +12,7 @@ resource "aws_iam_user_policy" "test_inline_policy" { { Action = [ "lambda:CreateFunction", + "lambda:InvokeFunction" ] Effect = "Allow" Resource = "*" 
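Review bot: The user_with_iam_PassRole_lambda positive now lists its actions by exact name (`lambda:CreateFunction`, `lambda:InvokeFunction` here, and presumably `iam:PassRole` in the attached policy outside the hunk), so the test only pins literal matching, while real escalation grants are more often written as `lambda:*`, `iam:*` or `"*"`. Whether query.rego expands wildcard actions is not visible in this diff; a second positive statement such as `Action = ["lambda:*", "iam:PassRole"]` with `Resource = "*"` would pin that, and if the query does not expand wildcards that is the larger gap to close before these queries ship. The `aws_iam_user_policy "test_inline_policy"` block this hunk edits starts and ends outside the hunk.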
@@ -33,7 +34,7 @@ resource "aws_iam_policy_attachment" "test-attach" { resource "aws_iam_policy" "policy" { name = "test-policy" description = "A test policy" - + policy = jsonencode({ Version = "2012-10-17" Statement = [ From b3e49fd950fd08a378ef5dcc1996ec1284089ac3 Mon Sep 17 00:00:00 2001 
From: gafnit Date: Mon, 27 Jun 2022 19:03:12 +0300 Subject: [PATCH 07/11] fix positive tests expected result --- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- 
.../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- .../test/positive_expected_result.json | 2 +- 57 files changed, 57 insertions(+), 57 deletions(-) diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive_expected_result.json index 6d5d2b1b863..767d9dbbb2a 100644 --- a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive_expected_result.json @@ -1,6 +1,6 @@ [ { - "queryName": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint'", + "queryName": "Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'", "severity": "MEDIUM", "line": 1, "fileName": "positive1.tf" diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive_expected_result.json index 60394264553..dca2ecc1114 100644 --- a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive_expected_result.json +++ b/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive_expected_result.json 
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:AddUserToGroup'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive_expected_result.json
index a314d21b5a0..3c3fd030c44 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:AttachGroupPolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive_expected_result.json
index f66511eccdb..1e87698084e 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive_expected_result.json
index 8718a4ec4de..528dfaa32ea 100644
--- a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive_expected_result.json
index 783abe59770..96eba745bcc 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:CreateAccessKey'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive_expected_result.json
index 8ac9ee6c07c..423c580bd76 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive_expected_result.json
index 4106cf0419b..b08389ad245 100644
--- a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
index 29b05ef90c5..e012e5db9e4 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "queryName": "Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
index 05fd1f4a1ac..e269c9d79e7 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "queryName": "Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
index 7efa7e55da3..03396830fe3 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "queryName": "Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
index dd418a345f9..3a5cbe039fe 100644
--- a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "queryName": "Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive_expected_result.json
index dcc41bea208..e9e97ad162b 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive_expected_result.json
index d9244ebfbc4..a989eecfd2a 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:PutRolePolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive_expected_result.json
index f409ed65c74..490028dfcbc 100644
--- a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:PutUserPolicy'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
index 4b5dcbc2028..891da8391d0 100644
--- a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
index 3e4a13cf3c1..d94146558e8 100644
--- a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive_expected_result.json
index 9637c2ff201..550cd399885 100644
--- a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
index 891c1f92eaf..87b739574ab 100644
--- a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "queryName": "Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
index 58588f764e6..b9701be2aa2 100644
--- a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint'",
+ "queryName": "Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive_expected_result.json
index bc3922e764a..87e158ac96f 100644
--- a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:AddUserToGroup'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive_expected_result.json
index 28f4da8c535..a5ef5c51455 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:AttachGroupPolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive_expected_result.json
index cae0fce001d..778b7cad94f 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive_expected_result.json
index a8e4bb6e46b..235e2957902 100644
--- a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive_expected_result.json
index 1e3e2e7dd4f..26052310d14 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:CreateAccessKey'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive_expected_result.json
index e762db6c47d..b95a680f239 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive_expected_result.json
index 6ef6cc14602..ed344d9f4b6 100644
--- a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
index f724c1a76ff..525fe5c1c92 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "queryName": "Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
index f8218cc677e..832085a4c0e 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "queryName": "Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
index dc2d79c09cc..ab36af18cc2 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "queryName": "Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
index b2319ba5efb..15cbd75d72d 100644
--- a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "queryName": "Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive_expected_result.json
index 114036547f6..fd4e74f0462 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive_expected_result.json
index 5cf41b2ae24..6d0b68ceaa4 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:PutRolePolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive_expected_result.json
index f3aaf96efac..f69e886cad1 100644
--- a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:PutUserPolicy'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
index 29388fd6135..4c3ee4591ee 100644
--- a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
index 03fbd49e0a5..eff25985df7 100644
--- a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive_expected_result.json
index 0517d751604..d8772c4e53d 100644
--- a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
index c693a51b460..c0d1c5dc6c7 100644
--- a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "queryName": "Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
index de910f04e63..a5187a85df5 100644
--- a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'glue:UpdateDevEndpoint'",
+ "queryName": "User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive_expected_result.json
index ecbbec92c26..fadf1f82e70 100644
--- a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:AddUserToGroup'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive_expected_result.json
index 6b5179d5985..cc364849975 100644
--- a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:AttachGroupPolicy'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive_expected_result.json
index 61048c46271..f13a564510c 100644
--- a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:AttachRolePolicy'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive_expected_result.json
index 1572618a513..cfa007e434e 100644
--- a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:AttachUserPolicy'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive_expected_result.json
index ab2be55b221..91f4cdc0430 100644
--- a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:CreateAccessKey'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive_expected_result.json
index b58d9e20f70..143dfff1de7 100644
--- a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:CreateLoginProfile'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive_expected_result.json
index d8e6e2be621..b352f43641b 100644
--- a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:CreatePolicyVersion'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
index 79a553eb8da..879bd188148 100644
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole'",
+ "queryName": "User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
index 75d24faf48f..0c13f4076a7 100644
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole'",
+ "queryName": "User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
index cd605f27b82..1a3d09d345f 100644
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole'",
+ "queryName": "User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
index 9ad15fbd1b3..4cee4fa0fd8 100644
--- a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction'",
+ "queryName": "User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive_expected_result.json
index 1f7232e4531..a91dbda2cc9 100644
--- a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:PutGroupPolicy'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive_expected_result.json
index f5778473431..8b92368e2b1 100644
--- a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:PutRolePolicy'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive_expected_result.json
index 450ee8bf701..77d75f77411 100644
--- a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:PutUserPolicy'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
index 8cd3c8640d6..2f7cf644813 100644
--- a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
index 1c2fb05c0b3..89f59bd7941 100644
--- a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive_expected_result.json
index bb816011aac..f7792753ab7 100644
--- a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'iam:UpdateLoginProfile'",
+ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
diff --git a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
index 92547d6f67e..86b7d699b34 100644
--- a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
@@ -1,6 +1,6 @@
 [
 {
- "queryName": "User with privilege escalation by actions 'lambda:UpdateFunctionCode'",
+ "queryName": "User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "line": 1,
 "fileName": "positive1.tf"
From e269e7f609dd5af06ca8c71eeaa24cd6e7d2b7e7 Mon Sep 17 00:00:00 2001
From: gafnit Date: Sun, 3 Jul 2022 13:28:54 +0300 Subject: [PATCH 08/11] change iam privilege escalation folders names --- .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 
.../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 
.../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 
.../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 0 .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 285 files changed, 0 insertions(+), 0 deletions(-) rename 
assets/queries/terraform/aws/{group_with_glue_UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_glue_UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_glue_UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_glue_UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_glue_UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_AddUserToGroup => group_with_privilege_escalation_by_actions_iam:AddUserToGroup}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_AddUserToGroup => group_with_privilege_escalation_by_actions_iam:AddUserToGroup}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_AddUserToGroup => group_with_privilege_escalation_by_actions_iam:AddUserToGroup}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_AddUserToGroup => group_with_privilege_escalation_by_actions_iam:AddUserToGroup}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_AddUserToGroup => group_with_privilege_escalation_by_actions_iam:AddUserToGroup}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/query.rego (100%) rename 
assets/queries/terraform/aws/{group_with_iam_AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachRolePolicy => group_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachRolePolicy => group_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachRolePolicy => group_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachRolePolicy => group_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachRolePolicy => group_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachUserPolicy => group_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachUserPolicy => group_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachUserPolicy => group_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_AttachUserPolicy => group_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{group_with_iam_AttachUserPolicy => group_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateAccessKey => group_with_privilege_escalation_by_actions_iam:CreateAccessKey}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateAccessKey => group_with_privilege_escalation_by_actions_iam:CreateAccessKey}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateAccessKey => group_with_privilege_escalation_by_actions_iam:CreateAccessKey}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateAccessKey => group_with_privilege_escalation_by_actions_iam:CreateAccessKey}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateAccessKey => group_with_privilege_escalation_by_actions_iam:CreateAccessKey}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateLoginProfile => group_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateLoginProfile => group_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateLoginProfile => group_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateLoginProfile => group_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_CreateLoginProfile => group_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/metadata.json (100%) rename 
assets/queries/terraform/aws/{group_with_iam_CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_cloudformation_CreateStack => group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_cloudformation_CreateStack => group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_cloudformation_CreateStack => group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_cloudformation_CreateStack => group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_cloudformation_CreateStack => group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_ec2_RunInstances => group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_ec2_RunInstances => 
group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_ec2_RunInstances => group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_ec2_RunInstances => group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_ec2_RunInstances => group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_glue_CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_glue_CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_glue_CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_glue_CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_glue_CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => 
group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PutGroupPolicy => group_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PutGroupPolicy => group_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_PutGroupPolicy => group_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PutGroupPolicy => group_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PutGroupPolicy => group_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PutRolePolicy => group_with_privilege_escalation_by_actions_iam:PutRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PutRolePolicy => group_with_privilege_escalation_by_actions_iam:PutRolePolicy}/query.rego (100%) rename 
assets/queries/terraform/aws/{group_with_iam_PutRolePolicy => group_with_privilege_escalation_by_actions_iam:PutRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PutRolePolicy => group_with_privilege_escalation_by_actions_iam:PutRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PutRolePolicy => group_with_privilege_escalation_by_actions_iam:PutRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PutUserPolicy => group_with_privilege_escalation_by_actions_iam:PutUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_PutUserPolicy => group_with_privilege_escalation_by_actions_iam:PutUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_PutUserPolicy => group_with_privilege_escalation_by_actions_iam:PutUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PutUserPolicy => group_with_privilege_escalation_by_actions_iam:PutUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_PutUserPolicy => group_with_privilege_escalation_by_actions_iam:PutUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{group_with_iam_SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateLoginProfile => group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateLoginProfile => group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateLoginProfile => group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateLoginProfile => group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_iam_UpdateLoginProfile => 
group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_lambda_UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_lambda_UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/query.rego (100%) rename assets/queries/terraform/aws/{group_with_lambda_UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_lambda_UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_lambda_UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_glue_UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_glue_UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_glue_UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_glue_UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_glue_UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_AddUserToGroup => role_with_privilege_escalation_by_actions_iam:AddUserToGroup}/metadata.json (100%) rename 
assets/queries/terraform/aws/{role_with_iam_AddUserToGroup => role_with_privilege_escalation_by_actions_iam:AddUserToGroup}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_AddUserToGroup => role_with_privilege_escalation_by_actions_iam:AddUserToGroup}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_AddUserToGroup => role_with_privilege_escalation_by_actions_iam:AddUserToGroup}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_AddUserToGroup => role_with_privilege_escalation_by_actions_iam:AddUserToGroup}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachRolePolicy => role_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachRolePolicy => role_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachRolePolicy => role_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachRolePolicy => 
role_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachRolePolicy => role_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachUserPolicy => role_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachUserPolicy => role_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachUserPolicy => role_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachUserPolicy => role_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_AttachUserPolicy => role_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateAccessKey => role_with_privilege_escalation_by_actions_iam:CreateAccessKey}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateAccessKey => role_with_privilege_escalation_by_actions_iam:CreateAccessKey}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateAccessKey => role_with_privilege_escalation_by_actions_iam:CreateAccessKey}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateAccessKey => role_with_privilege_escalation_by_actions_iam:CreateAccessKey}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateAccessKey => role_with_privilege_escalation_by_actions_iam:CreateAccessKey}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateLoginProfile => 
role_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateLoginProfile => role_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateLoginProfile => role_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateLoginProfile => role_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_CreateLoginProfile => role_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_cloudformation_CreateStack => role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_cloudformation_CreateStack => role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/query.rego (100%) rename 
assets/queries/terraform/aws/{role_with_iam_PassRole_cloudformation_CreateStack => role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_cloudformation_CreateStack => role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_cloudformation_CreateStack => role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_ec2_RunInstances => role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_ec2_RunInstances => role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_ec2_RunInstances => role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_ec2_RunInstances => role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_ec2_RunInstances => role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_glue_CreateDevEndpoint => role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_glue_CreateDevEndpoint => role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_glue_CreateDevEndpoint => 
role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_glue_CreateDevEndpoint => role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_glue_CreateDevEndpoint => role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PutGroupPolicy => role_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PutGroupPolicy => role_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/query.rego (100%) 
rename assets/queries/terraform/aws/{role_with_iam_PutGroupPolicy => role_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PutGroupPolicy => role_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PutGroupPolicy => role_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PutRolePolicy => role_with_privilege_escalation_by_actions_iam:PutRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PutRolePolicy => role_with_privilege_escalation_by_actions_iam:PutRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_PutRolePolicy => role_with_privilege_escalation_by_actions_iam:PutRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PutRolePolicy => role_with_privilege_escalation_by_actions_iam:PutRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PutRolePolicy => role_with_privilege_escalation_by_actions_iam:PutRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PutUserPolicy => role_with_privilege_escalation_by_actions_iam:PutUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_PutUserPolicy => role_with_privilege_escalation_by_actions_iam:PutUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_PutUserPolicy => role_with_privilege_escalation_by_actions_iam:PutUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PutUserPolicy => role_with_privilege_escalation_by_actions_iam:PutUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_PutUserPolicy => 
role_with_privilege_escalation_by_actions_iam:PutUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => 
role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_iam_UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_lambda_UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_lambda_UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/query.rego (100%) rename assets/queries/terraform/aws/{role_with_lambda_UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_lambda_UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_lambda_UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_glue_UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/metadata.json (100%) rename 
assets/queries/terraform/aws/{user_with_glue_UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_glue_UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_glue_UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_glue_UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_AddUserToGroup => user_with_privilege_escalation_by_actions_iam:AddUserToGroup}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_AddUserToGroup => user_with_privilege_escalation_by_actions_iam:AddUserToGroup}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_AddUserToGroup => user_with_privilege_escalation_by_actions_iam:AddUserToGroup}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_AddUserToGroup => user_with_privilege_escalation_by_actions_iam:AddUserToGroup}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_AddUserToGroup => user_with_privilege_escalation_by_actions_iam:AddUserToGroup}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachGroupPolicy => user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachGroupPolicy => user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachGroupPolicy => user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachGroupPolicy => 
user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachGroupPolicy => user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachRolePolicy => user_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachRolePolicy => user_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachRolePolicy => user_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachRolePolicy => user_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachRolePolicy => user_with_privilege_escalation_by_actions_iam:AttachRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachUserPolicy => user_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachUserPolicy => user_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachUserPolicy => user_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachUserPolicy => user_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_AttachUserPolicy => user_with_privilege_escalation_by_actions_iam:AttachUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateAccessKey => 
user_with_privilege_escalation_by_actions_iam:CreateAccessKey}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateAccessKey => user_with_privilege_escalation_by_actions_iam:CreateAccessKey}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateAccessKey => user_with_privilege_escalation_by_actions_iam:CreateAccessKey}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateAccessKey => user_with_privilege_escalation_by_actions_iam:CreateAccessKey}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateAccessKey => user_with_privilege_escalation_by_actions_iam:CreateAccessKey}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateLoginProfile => user_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateLoginProfile => user_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateLoginProfile => user_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateLoginProfile => user_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_CreateLoginProfile => user_with_privilege_escalation_by_actions_iam:CreateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_CreatePolicyVersion => user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_CreatePolicyVersion => user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_CreatePolicyVersion => 
user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_CreatePolicyVersion => user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_CreatePolicyVersion => user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_cloudformation_CreateStack => user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_cloudformation_CreateStack => user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_cloudformation_CreateStack => user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_cloudformation_CreateStack => user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_cloudformation_CreateStack => user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_ec2_RunInstances => user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_ec2_RunInstances => user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_ec2_RunInstances => user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{user_with_iam_PassRole_ec2_RunInstances => user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_ec2_RunInstances => user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_glue_CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_glue_CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_glue_CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_glue_CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_glue_CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => 
user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction => user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PutGroupPolicy => user_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PutGroupPolicy => user_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_PutGroupPolicy => user_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PutGroupPolicy => user_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PutGroupPolicy => user_with_privilege_escalation_by_actions_iam:PutGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PutRolePolicy => user_with_privilege_escalation_by_actions_iam:PutRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PutRolePolicy => user_with_privilege_escalation_by_actions_iam:PutRolePolicy}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_PutRolePolicy => user_with_privilege_escalation_by_actions_iam:PutRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PutRolePolicy => 
user_with_privilege_escalation_by_actions_iam:PutRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PutRolePolicy => user_with_privilege_escalation_by_actions_iam:PutRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PutUserPolicy => user_with_privilege_escalation_by_actions_iam:PutUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_PutUserPolicy => user_with_privilege_escalation_by_actions_iam:PutUserPolicy}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_PutUserPolicy => user_with_privilege_escalation_by_actions_iam:PutUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PutUserPolicy => user_with_privilege_escalation_by_actions_iam:PutUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_PutUserPolicy => user_with_privilege_escalation_by_actions_iam:PutUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole 
=> user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole => user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_iam_UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_lambda_UpdateFunctionCode => user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/metadata.json (100%) rename 
assets/queries/terraform/aws/{user_with_lambda_UpdateFunctionCode => user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/query.rego (100%) rename assets/queries/terraform/aws/{user_with_lambda_UpdateFunctionCode => user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_lambda_UpdateFunctionCode => user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_lambda_UpdateFunctionCode => user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode}/test/positive_expected_result.json (100%) diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json similarity index 100% rename from assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/metadata.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego similarity index 100% rename from assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/query.rego rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/negative1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf diff --git a/assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/group_with_glue_UpdateDevEndpoint/test/positive_expected_result.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AddUserToGroup/metadata.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AddUserToGroup/query.rego rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego 
diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/negative1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf diff --git a/assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AddUserToGroup/test/positive_expected_result.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/metadata.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json 
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/query.rego rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/negative1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachGroupPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/metadata.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/query.rego rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/negative1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachRolePolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/metadata.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/query.rego rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/negative1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive1.tf rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_AttachUserPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_CreateAccessKey/metadata.json rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego similarity index 100% rename from assets/queries/terraform/aws/group_with_iam_CreateAccessKey/query.rego rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego 
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreateAccessKey/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_CreatePolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutRolePolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutRolePolicy/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutUserPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutUserPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_PutUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_iam_UpdateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_glue_UpdateDevEndpoint/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AddUserToGroup/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AddUserToGroup/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AddUserToGroup/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachGroupPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego 
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachRolePolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json 
diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_AttachUserPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateAccessKey/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateAccessKey/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateAccessKey/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreateLoginProfile/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego 
diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_CreatePolicyVersion/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json 
diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutGroupPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutRolePolicy/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutRolePolicy/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf 
diff --git a/assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutRolePolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutUserPolicy/metadata.json rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutUserPolicy/query.rego rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/negative1.tf rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_PutUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_iam_UpdateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
diff --git a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_glue_UpdateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AddUserToGroup/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AddUserToGroup/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AddUserToGroup/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_AttachUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateAccessKey/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateAccessKey/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateAccessKey/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_CreatePolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_cloudformation_CreateStack/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_ec2_RunInstances/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_glue_CreateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PassRole_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutRolePolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutRolePolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutUserPolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutUserPolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_PutUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateAssumeRolePolicy_sts_AssumeRole/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_iam_UpdateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
similarity index 100%
rename from assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
diff --git a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_lambda_UpdateFunctionCode/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json
From 06e132e13da2860ce05fab0fc583972b636f924c Mon Sep 17 00:00:00 2001
From: gafnit Date: Sun, 3 Jul 2022 13:47:26 +0300 Subject: [PATCH 09/11] add resourceType and resourceName --- .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ .../query.rego | 2 ++ 57 files changed, 114 insertions(+)
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
index 4faef078268..23221e20a8b 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
index 730f4bb6cf5..a942e058dfb 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
index d81c989a51f..e40479a3b5a 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
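Review bot: Both added lines reference a variable `group` that is bound above the hunk, in the part of the `CxPolicy[result]` body that starts outside it; if any of the 57 rules in this batch binds the matched `aws_iam_group` under another name, Rego will reject that rule at compile time for an unsafe variable, so the batch is best validated by running every query's positive/negative test rather than by reading the identical hunks. The same two-line edit is repeated verbatim in the AddUserToGroup hunk on this line and in the AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy, CreateAccessKey, CreateLoginProfile, CreatePolicyVersion, the three iam:PassRole combinations, the lambda:CreateFunction/InvokeFunction, PutGroupPolicy and PutRolePolicy hunks that follow, so this note covers those as well. The literal `"aws_iam_group"` now appears twice per result, once as `resourceType` and once inside the `searchKey` sprintf; binding it once, `resource_type := "aws_iam_group"`, and using it in both places keeps the two from drifting when a query is copied for another resource kind. Since every result in these queries is built from the same template, a helper in `tf_lib` taking the resource, its label and the action text would turn the next field addition into a one-file change instead of another 57-file sweep.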
@@ -12,6 +12,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
index a77787d2fb7..42ba360723e 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
index cdad3d2b513..0351722e257 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
index c5fe77f373d..357ce739c4c 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
index ae8c1f85b2b..6f0b54aafb7 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
index 947e0b1c942..9910380f49a 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
index 175382ae0c2..7887d5e06a5 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
index d3d6145af8a..015009a34ba 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] { result := { "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
index 74dfa9399f1..10701131da4 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
index 7cdc136dea3..80a038b0283 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
index bc23843319d..b2a7d1f0185 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
index e764aeb2623..79bd133933e 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
index b88473c1dad..a1d53983039 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
index 74d132dbe3f..1e50bf80af8 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
index 041093a883f..38e76077e2f 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
index 3f01364ab60..676edcb6fde 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
index 488e86986ff..e65bb73f765 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
 "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetGroup]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
index 780c090f759..ba44f60a758 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
index e79e1f329e4..1b17d696ac2 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
index 203d5e607ad..5b15f87a164 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
index 1ec6851c4b5..46d9534f52e 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
index e300ec18669..a73c9f3e830 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
index fbfd2c603a3..e0f31a562b6 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
index b603422da5c..e1b1a33b98c 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
index 9c9d9fa5a85..8aa81593b61 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
index 10919fc6778..70eb44a6242 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
index 40e32744824..46f6aa776fa 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
index 100abe44e95..4e32732bd67 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/query.rego
index 44854e559af..45046d8a386 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
index c60af01d4bb..927a9779e00 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
index 93a3c729217..b4336d8ec89 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
index d17aef8e27e..d768af73e87 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
index 66c51a15685..26d741e9ae6 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
index 76fd17abafa..6660839b411 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
index b843ba211fb..7eea840e963 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
index 3e6dd6ec8db..62f98f2aa88 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
 "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetRole]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
index deacc549698..030e3878cff 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
index f16936e2b42..972033ef5ea 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
index 27249e6ea11..ce0699ac96a 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
index 61264defd02..061b83a42f7 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
index b086f0d60a6..961880f55b5 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
index 233e58f9cf0..a1d567edda0 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
index e8821c465f7..3e950cb25e2 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
index 1b709f3e5e5..f0e284b6028 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
index 50b312048a2..c148b6f6927 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
index a5fbd8f27b7..c90821137c3 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
index 9415d49651d..3e622fd75e1 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
index f1d9da90ebf..916e05c2b54 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
@@ -14,6 +14,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
index 2d03038f70f..105f9e8a7ba 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
index 6eccc5da942..a42320f1eb1 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
index b4e9b64ea2a..df4e114899a 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
index dd9202f5509..a2c565b0dfa 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
index ecf919dd16a..096980cc4d3 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
@@ -13,6 +13,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
index 7b0da0e7913..9bbb3fb3c2a 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetUser]),
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
index f92b04d1d03..f68ac9dc110 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
@@ -12,6 +12,8 @@ CxPolicy[result] {
 result := {
 "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
 "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetUser]),
From bbf6469fdc71f088e365b13bf5eb15c6625b9009 Mon Sep 17 00:00:00 2001
From: gafnit Date: Thu, 28 Jul 2022 13:01:13 +0300 Subject: [PATCH 10/11] fix rego import and role/user/group reference --- .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- 
.../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 
.../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 
.../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json 
| 0 .../metadata.json | 0 .../query.rego | 3 ++- .../test/negative1.tf | 0 .../test/positive1.tf | 0 .../test/positive_expected_result.json | 0 285 files changed, 114 insertions(+), 57 deletions(-) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AddUserToGroup => group_with_privilege_escalation_by_actions_iam_AddUserToGroup}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AddUserToGroup => group_with_privilege_escalation_by_actions_iam_AddUserToGroup}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AddUserToGroup => group_with_privilege_escalation_by_actions_iam_AddUserToGroup}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AddUserToGroup => group_with_privilege_escalation_by_actions_iam_AddUserToGroup}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AddUserToGroup => group_with_privilege_escalation_by_actions_iam_AddUserToGroup}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachRolePolicy => group_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachRolePolicy => group_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachRolePolicy => group_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachRolePolicy => group_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachRolePolicy => group_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachUserPolicy => group_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachUserPolicy => group_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachUserPolicy => group_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachUserPolicy => group_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:AttachUserPolicy => group_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateAccessKey => group_with_privilege_escalation_by_actions_iam_CreateAccessKey}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateAccessKey => group_with_privilege_escalation_by_actions_iam_CreateAccessKey}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateAccessKey => group_with_privilege_escalation_by_actions_iam_CreateAccessKey}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateAccessKey => group_with_privilege_escalation_by_actions_iam_CreateAccessKey}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateAccessKey => group_with_privilege_escalation_by_actions_iam_CreateAccessKey}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateLoginProfile => group_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateLoginProfile => group_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateLoginProfile => group_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateLoginProfile => group_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreateLoginProfile => group_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/query.rego (90%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/query.rego (90%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => 
group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/query.rego (90%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/metadata.json 
(100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/query.rego (91%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutGroupPolicy => group_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutGroupPolicy => group_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutGroupPolicy => group_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutGroupPolicy => group_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutGroupPolicy => 
group_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutRolePolicy => group_with_privilege_escalation_by_actions_iam_PutRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutRolePolicy => group_with_privilege_escalation_by_actions_iam_PutRolePolicy}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutRolePolicy => group_with_privilege_escalation_by_actions_iam_PutRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutRolePolicy => group_with_privilege_escalation_by_actions_iam_PutRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutRolePolicy => group_with_privilege_escalation_by_actions_iam_PutRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutUserPolicy => group_with_privilege_escalation_by_actions_iam_PutUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutUserPolicy => group_with_privilege_escalation_by_actions_iam_PutUserPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutUserPolicy => group_with_privilege_escalation_by_actions_iam_PutUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutUserPolicy => group_with_privilege_escalation_by_actions_iam_PutUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:PutUserPolicy => group_with_privilege_escalation_by_actions_iam_PutUserPolicy}/test/positive_expected_result.json (100%) 
rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/query.rego (90%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => 
group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/metadata.json (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/query.rego (89%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AddUserToGroup => role_with_privilege_escalation_by_actions_iam_AddUserToGroup}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AddUserToGroup => role_with_privilege_escalation_by_actions_iam_AddUserToGroup}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AddUserToGroup => role_with_privilege_escalation_by_actions_iam_AddUserToGroup}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AddUserToGroup => role_with_privilege_escalation_by_actions_iam_AddUserToGroup}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AddUserToGroup => role_with_privilege_escalation_by_actions_iam_AddUserToGroup}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachRolePolicy => role_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachRolePolicy => role_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachRolePolicy => role_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachRolePolicy => role_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachRolePolicy => role_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachUserPolicy => role_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachUserPolicy => role_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachUserPolicy => role_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachUserPolicy => role_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:AttachUserPolicy => role_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateAccessKey => role_with_privilege_escalation_by_actions_iam_CreateAccessKey}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateAccessKey => role_with_privilege_escalation_by_actions_iam_CreateAccessKey}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateAccessKey => role_with_privilege_escalation_by_actions_iam_CreateAccessKey}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateAccessKey => role_with_privilege_escalation_by_actions_iam_CreateAccessKey}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateAccessKey => role_with_privilege_escalation_by_actions_iam_CreateAccessKey}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateLoginProfile => role_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateLoginProfile => role_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateLoginProfile => role_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateLoginProfile => role_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreateLoginProfile => role_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/query.rego (90%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => 
role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/query.rego (90%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/query.rego (90%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/test/positive_expected_result.json (100%) rename 
assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction => role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction => role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction}/query.rego (91%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction => role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction => role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction => role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutGroupPolicy => role_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutGroupPolicy => role_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutGroupPolicy => role_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/test/negative1.tf (100%) rename 
assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutGroupPolicy => role_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutGroupPolicy => role_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutRolePolicy => role_with_privilege_escalation_by_actions_iam_PutRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutRolePolicy => role_with_privilege_escalation_by_actions_iam_PutRolePolicy}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutRolePolicy => role_with_privilege_escalation_by_actions_iam_PutRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutRolePolicy => role_with_privilege_escalation_by_actions_iam_PutRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutRolePolicy => role_with_privilege_escalation_by_actions_iam_PutRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutUserPolicy => role_with_privilege_escalation_by_actions_iam_PutUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutUserPolicy => role_with_privilege_escalation_by_actions_iam_PutUserPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutUserPolicy => role_with_privilege_escalation_by_actions_iam_PutUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutUserPolicy => 
role_with_privilege_escalation_by_actions_iam_PutUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:PutUserPolicy => role_with_privilege_escalation_by_actions_iam_PutUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/query.rego (90%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => 
role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/query.rego (89%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/metadata.json (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/query.rego (89%) rename 
assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/query.rego (89%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint => user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AddUserToGroup => user_with_privilege_escalation_by_actions_iam_AddUserToGroup}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AddUserToGroup => user_with_privilege_escalation_by_actions_iam_AddUserToGroup}/query.rego (89%) rename 
assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AddUserToGroup => user_with_privilege_escalation_by_actions_iam_AddUserToGroup}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AddUserToGroup => user_with_privilege_escalation_by_actions_iam_AddUserToGroup}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AddUserToGroup => user_with_privilege_escalation_by_actions_iam_AddUserToGroup}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy => user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachRolePolicy => user_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachRolePolicy => user_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/query.rego (89%) rename 
assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachRolePolicy => user_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachRolePolicy => user_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachRolePolicy => user_with_privilege_escalation_by_actions_iam_AttachRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachUserPolicy => user_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachUserPolicy => user_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachUserPolicy => user_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachUserPolicy => user_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:AttachUserPolicy => user_with_privilege_escalation_by_actions_iam_AttachUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateAccessKey => user_with_privilege_escalation_by_actions_iam_CreateAccessKey}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateAccessKey => user_with_privilege_escalation_by_actions_iam_CreateAccessKey}/query.rego (89%) rename 
assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateAccessKey => user_with_privilege_escalation_by_actions_iam_CreateAccessKey}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateAccessKey => user_with_privilege_escalation_by_actions_iam_CreateAccessKey}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateAccessKey => user_with_privilege_escalation_by_actions_iam_CreateAccessKey}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateLoginProfile => user_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateLoginProfile => user_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/query.rego (89%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateLoginProfile => user_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateLoginProfile => user_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreateLoginProfile => user_with_privilege_escalation_by_actions_iam_CreateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/query.rego (89%) rename 
assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion => user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/query.rego (90%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack => user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => 
user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/query.rego (90%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances => user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/query.rego (90%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/test/positive1.tf (100%) rename 
assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint => user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/query.rego (91%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction => user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutGroupPolicy => user_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutGroupPolicy => 
user_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/query.rego (89%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutGroupPolicy => user_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutGroupPolicy => user_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutGroupPolicy => user_with_privilege_escalation_by_actions_iam_PutGroupPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutRolePolicy => user_with_privilege_escalation_by_actions_iam_PutRolePolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutRolePolicy => user_with_privilege_escalation_by_actions_iam_PutRolePolicy}/query.rego (89%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutRolePolicy => user_with_privilege_escalation_by_actions_iam_PutRolePolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutRolePolicy => user_with_privilege_escalation_by_actions_iam_PutRolePolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutRolePolicy => user_with_privilege_escalation_by_actions_iam_PutRolePolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutUserPolicy => user_with_privilege_escalation_by_actions_iam_PutUserPolicy}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutUserPolicy => user_with_privilege_escalation_by_actions_iam_PutUserPolicy}/query.rego (89%) rename 
assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutUserPolicy => user_with_privilege_escalation_by_actions_iam_PutUserPolicy}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutUserPolicy => user_with_privilege_escalation_by_actions_iam_PutUserPolicy}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:PutUserPolicy => user_with_privilege_escalation_by_actions_iam_PutUserPolicy}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/query.rego (89%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion => user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => 
user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/query.rego (90%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole => user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/query.rego (89%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile => user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile}/test/positive_expected_result.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => 
user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/metadata.json (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/query.rego (89%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/test/negative1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/test/positive1.tf (100%) rename assets/queries/terraform/aws/{user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode => user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode}/test/positive_expected_result.json (100%)
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
index 23221e20a8b..7248a22fa9f 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:UpdateDevEndpoint")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
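Review bot: The new `group := input.document[i].resource.aws_iam_group[targetGroup]` binding and the new `import data.generic.terraform as tf_lib` are not referenced by anything else in this hunk, and it is the file's only hunk, so as committed they do not change which groups the rule flags. Unless a later patch in the series consumes them (for example to build the result's search key from `group`), this is dead code, and `opa check --strict` treats an unused import and an unused `:=` local as errors. If the intent is only the rename, keep the original bare expression `input.document[i].resource.aws_iam_group[targetGroup]` and drop the import; if the intent is to use them, the lines that do so belong in this commit. The same unused binding and import appear in the query.rego hunks for iam:AddUserToGroup, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:AttachUserPolicy, iam:CreateAccessKey, iam:CreateLoginProfile and iam:CreatePolicyVersion below. The CxPolicy rule body continues past the end of the hunk.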
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
index a942e058dfb..7833a7a162d 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AddUserToGroup")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
index e40479a3b5a..782cb7b2e03 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachGroupPolicy")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
index 42ba360723e..c0d588c3c4c 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachRolePolicy")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
index 0351722e257..a31676e6544 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachUserPolicy")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
index 357ce739c4c..0678aed1724 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateAccessKey")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
index 6f0b54aafb7..97eabcf6c74 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateLoginProfile")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
index 9910380f49a..bc57a9aa926 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreatePolicyVersion")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
similarity index 90%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
index 7887d5e06a5..04a082a0ff9 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "cloudformation:CreateStack")
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
similarity index 90%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
index 015009a34ba..bd8a7447e68 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "ec2:RunInstances")
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
similarity index 90%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
index 10701131da4..3dcd89bf2b7 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:CreateDevEndpoint")
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego
similarity index 91%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego
index 80a038b0283..ca749a0ea74 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:CreateFunction")
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
index b2a7d1f0185..549ac5911c5 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutGroupPolicy")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
index 79bd133933e..1c11809930a 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutRolePolicy")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
index a1d53983039..ffc2f2c2c7b 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutUserPolicy")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
index 1e50bf80af8..25de71b0662 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:SetDefaultPolicyVersion")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
similarity index 90%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
index 38e76077e2f..8f4966c509d 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateAssumeRolePolicy")
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "sts:AssumeRole")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
index 676edcb6fde..461ff8ab842 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateLoginProfile")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
index e65bb73f765..4eeaa99e44b 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM group
- input.document[i].resource.aws_iam_group[targetGroup]
+ group := input.document[i].resource.aws_iam_group[targetGroup]
 common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:UpdateFunctionCode")
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json
rename to assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
index ba44f60a758..56b15fb0bef 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
 common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:UpdateDevEndpoint")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
index 1b17d696ac2..58198360fa3 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
 common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AddUserToGroup")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
index 5b15f87a164..9a8922ee8df 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
 common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachGroupPolicy")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
index 46d9534f52e..ddd7a711e60 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
 common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachRolePolicy")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
index a73c9f3e830..7a6e0880990 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
 common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachUserPolicy")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
index e0f31a562b6..4f4cf19e059 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
 common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateAccessKey")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
index e1b1a33b98c..c6d1eb47219 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
 common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateLoginProfile")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
index 8aa81593b61..949f5a21b38 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
 common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreatePolicyVersion")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
similarity index 90%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
index 70eb44a6242..90927485015 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "cloudformation:CreateStack")
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
similarity index 90%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
index 46f6aa776fa..1f0f3614136 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "ec2:RunInstances")
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
similarity index 90%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
index 4e32732bd67..44fa920085f 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:CreateDevEndpoint")
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego
similarity index 91%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego
index 45046d8a386..fe28ba65771 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:CreateFunction")
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_lambda:InvokeFunction/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
index 927a9779e00..43539212a59 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutGroupPolicy")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
index b4336d8ec89..b207758df4f 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutRolePolicy")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
index d768af73e87..52d89989e3b 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutUserPolicy")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
index 26d741e9ae6..25c4a763722 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:SetDefaultPolicyVersion")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
similarity index 90%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
index 6660839b411..376b3e5e075 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateAssumeRolePolicy")
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "sts:AssumeRole")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
index 7eea840e963..786d452f9d4 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
  # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
  common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateLoginProfile")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
index 62f98f2aa88..2b75d2333be 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM role
- input.document[i].resource.aws_iam_role[targetRole]
+ role := input.document[i].resource.aws_iam_role[targetRole]
 common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:UpdateFunctionCode")
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json
rename to assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
index 030e3878cff..33da9a0674b 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:UpdateDevEndpoint")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue:UpdateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
index 972033ef5ea..15aade0830f 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AddUserToGroup")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AddUserToGroup/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
index ce0699ac96a..a7fa7e23abc 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachGroupPolicy")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachGroupPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
index 061b83a42f7..ba7c18202cf 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachRolePolicy")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
index 961880f55b5..f63f832ef6f 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachUserPolicy")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:AttachUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
index a1d567edda0..fcfb6772781 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateAccessKey")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateAccessKey/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
index 3e950cb25e2..633881acb6a 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateLoginProfile")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
index f0e284b6028..a0c6310fdeb 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreatePolicyVersion")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:CreatePolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
similarity index 90%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
index c148b6f6927..9582ea49258 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "cloudformation:CreateStack")
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_cloudformation:CreateStack/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego similarity index 90% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego index c90821137c3..0a45ae04348 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego @@ -1,11 +1,12 @@ package Cx import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { # get a AWS IAM user - input.document[i].resource.aws_iam_user[targetUser] + user := input.document[i].resource.aws_iam_user[targetUser] common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "ec2:RunInstances") common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/negative1.tf rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_ec2:RunInstances/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego similarity index 90% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego index 3e622fd75e1..fd6ffad525e 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego @@ -1,11 +1,12 @@ package Cx import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { # get a AWS IAM user - input.document[i].resource.aws_iam_user[targetUser] + user := input.document[i].resource.aws_iam_user[targetUser] common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:CreateDevEndpoint") common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/negative1.tf rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_glue:CreateDevEndpoint/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego similarity index 91% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego index 916e05c2b54..687b039f221 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego @@ -1,11 +1,12 @@ package Cx import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { # get a AWS IAM user - input.document[i].resource.aws_iam_user[targetUser] + user := input.document[i].resource.aws_iam_user[targetUser] common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:CreateFunction") common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole") 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PassRole_and_lambda:CreateFunction_and_lambda:InvokeFunction/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
index 105f9e8a7ba..66bc53825e3 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
@@ -1,11 +1,12 @@ package Cx import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { # get a AWS IAM user - input.document[i].resource.aws_iam_user[targetUser] + user := input.document[i].resource.aws_iam_user[targetUser] common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutGroupPolicy") diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/negative1.tf rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive1.tf rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutGroupPolicy/test/positive_expected_result.json rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/metadata.json rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego similarity index 89% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego index a42320f1eb1..09b1a59e9fc 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego @@ -1,11 +1,12 @@ package Cx import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { # get a AWS IAM user - input.document[i].resource.aws_iam_user[targetUser] + user := input.document[i].resource.aws_iam_user[targetUser] common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutRolePolicy") 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutRolePolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego similarity index 89% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego index df4e114899a..9843200d46a 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego @@ -1,11 +1,12 @@ package Cx import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { # get a AWS IAM user - input.document[i].resource.aws_iam_user[targetUser] + user := input.document[i].resource.aws_iam_user[targetUser] common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutUserPolicy") diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/negative1.tf rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:PutUserPolicy/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego similarity index 89% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego index a2c565b0dfa..f0ea1c64d3e 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego @@ -1,11 +1,12 @@ package Cx import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { # get a AWS IAM user - input.document[i].resource.aws_iam_user[targetUser] + user := input.document[i].resource.aws_iam_user[targetUser] common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:SetDefaultPolicyVersion") diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/negative1.tf rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:SetDefaultPolicyVersion/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego similarity index 90% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego index 096980cc4d3..b3d7be95032 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego @@ -1,11 +1,12 @@ package Cx import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { # get a AWS IAM user - input.document[i].resource.aws_iam_user[targetUser] + user := input.document[i].resource.aws_iam_user[targetUser] common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateAssumeRolePolicy") common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "sts:AssumeRole") diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/negative1.tf rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateAssumeRolePolicy_and_sts:AssumeRole/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego similarity index 89% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego index 9bbb3fb3c2a..adaf15dc120 100644 --- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/query.rego +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego @@ -1,11 +1,12 @@ package Cx import data.generic.common as common_lib +import data.generic.terraform as tf_lib CxPolicy[result] { # get a AWS IAM user - input.document[i].resource.aws_iam_user[targetUser] + user := input.document[i].resource.aws_iam_user[targetUser] common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateLoginProfile") diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf similarity index 100% rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/negative1.tf rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam:UpdateLoginProfile/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/metadata.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
similarity index 89%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
index f68ac9dc110..0e276c3b793 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/query.rego
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
@@ -1,11 +1,12 @@
 package Cx
 import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
 CxPolicy[result] {
 # get a AWS IAM user
- input.document[i].resource.aws_iam_user[targetUser]
+ user := input.document[i].resource.aws_iam_user[targetUser]
 common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:UpdateFunctionCode")
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/negative1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive1.tf
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda:UpdateFunctionCode/test/positive_expected_result.json
rename to assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
From 6bd3222e2f8cb6b99692d61d185d9c67259af2a6 Mon Sep 17 00:00:00 2001
From: gafnit
Date: Wed, 17 Aug 2022 18:56:38 +0300
Subject: [PATCH 11/11] Add links in description
---
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
.../metadata.json | 2 +-
57 files changed, 57 insertions(+), 57 deletions(-)
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
index ade04f97d0e..2d6cc1ec5b1 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "10f17e18",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
index c56af85c7f0..7d9f988341a 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "576ba016",
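Review bot: In the new `descriptionText` the sentence-ending period sits directly after the URL (`.../aws-privilege-escalation-methods-mitigation/.`), which auto-linkers in some UIs fold into the link, and the same string is pasted verbatim into all 57 descriptions. Either drop the trailing period — `... and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/` — or keep the reference out of the free-text field, since `descriptionUrl` is the structured place for a link (here it already carries the Terraform registry reference). The same applies to every metadata.json hunk in this commit.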
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
index 6e6007394b6..b08ee0642f3 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "e42aec0c",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
index e8769412061..a8b182da843 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "5e39f36b",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
index 6d5399b5079..08ee41d46b6 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "25a0ad8b",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
index cd99240209f..b20a91fef32 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "5182dbde",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
index ed3bbac709a..63a62419fde 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "13604723",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
index 29bb28926c6..f2da59ecb59 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "04f8f6ca",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
index 1defdb47af8..f77d0c8fedc 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b02d4e3c",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
index 7a35afd722b..5984e33c9b8 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "e6e9e8eb",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
index b8834911109..cd3d066d7eb 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "59598729",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
index 0e5727840f2..d6fe3ecaaa4 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2a7afde0",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
index dad96cae5a2..d0354ecc9f6 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "6ee8a28a",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
index 156fc14f1e5..6f1fcbbe40d 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "3a6914a5",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
index 263afa0a862..d6e76815c71 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "fdfe7031",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
index a1072310e45..1e9d44bfc7f 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2be560bc",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
index 33d65a588a4..309b76a97d3 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "7fec1740",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
index 2048be8a174..23616a2faa7 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "06985b1b",
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
index 5a4e7524f8d..1c1aa0148cc 100644
--- a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "descriptionText": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
 "platform": "Terraform",
 "descriptionID": "1a80fe5c",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
index 33e03d6957d..c7d38a2fc23 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "bff18777",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
index 68dc7815c17..d7a44efd71b 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "058bc100",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
index 4ba6dcd252c..9fa743550b3 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "54b22492",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
index 09c41ae461a..bf7518ffdb8 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "aaf96d6e",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
index 0fa944bbd1b..335bf7a690c 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "4efcf3e9",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
index 6c3f6d501fc..7d6e098c1ae 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "0d94441c",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
index 5bd719e15d0..e9800a053d0 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "0e9af0ce",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
index 415aaa96b37..93f37d8d144 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "fe987a1d",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
index aff661b89a0..742a4b28370 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "779be66e",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
index 6ff329f809c..3c089a73438 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b3d6f7cf",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
index d08a41f75c8..c64c4274e40 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "0bc279fe",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
index 0be6457d4d0..8d4ace67046 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "628b0909",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
index 2e5a3a8d925..241b0f1c0bf 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "ce1bbaeb",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
index 991c9c36420..68c8554b602 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2d361444",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
index 1f111e0e333..08a8fcc557f 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "48764f87",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
index 2978dff4a88..d8af02498a2 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "a0ddfb38",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
index 45d6fd68342..d6635954e02 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "2d747022",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
index 13581fe74a5..aa71439baa9 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "8bf480db",
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
index 69fcb4f440f..bee58e3cd80 100644
--- a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "descriptionText": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
 "platform": "Terraform",
 "descriptionID": "d6861f3e",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
index 7519b862c2a..c8ed06faa0c 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "1a48ac37",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
index ccf8f795605..d884ca9756e 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:AddUserToGroup'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b201d168",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
index f050d962862..02e1f959e46 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "9f22319f",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
index 9fe101f3949..3b1b0a923a1 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "a33a40e2",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
index 46c907cb74f..345e1809133 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "98aa676c",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
index 0edbb6ef58c..9689aab8c99 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:CreateAccessKey'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "29b987f3",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
index aa87bc66580..81e03d1806e 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "43ba4982",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
index 83adee55ab6..673afac2bb6 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "e894d408",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
index 9c5b8be5bab..1f05798663e 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "c878232c",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
index fe8399f2653..0c6f533728c 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "05f5544f",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
index 2038bcea7c6..a7f3c3f8d1c 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "8d9e01f1",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
index e8fce1ea6c5..136683b819e 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "da252d8a",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
index 9d5d0651f8c..d5543976726 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "024a2d0d",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
index 3e2ec4d2839..b7452c7fe20 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:PutRolePolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "367257fe",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
index 1a2b8cbb4be..1bad1d3ac1c 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:PutUserPolicy'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "b99501af",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
index 93cb0e93efa..7bcb5321fd6 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "85e8d749",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
index 804188a4903..b9b48531b80 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "7ab86e7e",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
index baef74603cc..99a7cd32378 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "559f74f0",
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
index 4e41b853a47..e78c79470e0 100644
--- a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -3,7 +3,7 @@
 "queryName": "User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
 "severity": "MEDIUM",
 "category": "Access Control",
- "descriptionText": "User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'",
+ "descriptionText": "User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
 "platform": "Terraform",
 "descriptionID": "f5d372a0",