Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(queries): add new aws iam privilege escalation queries #5423

Merged
merged 14 commits into from
Aug 22, 2022
Merged

feat(queries): add new aws iam privilege escalation queries #5423

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
5a19c0b
feat(queries): add new aws iam privilege escalation queries
gafnit May 31, 2022
beef033
change to KICS query file structure
gafnit Jun 26, 2022
18aa0f6
add functions get_group, get_role, get_user, unrecommended_permission…
gafnit Jun 27, 2022
7be4bb7
Titling queryName
gafnit Jun 27, 2022
961f9f8
fix descriptionUrl
gafnit Jun 27, 2022
498db88
fix positive tests
gafnit Jun 27, 2022
b3e49fd
fix positive tests expected result
gafnit Jun 27, 2022
31262b4
fix conflict common.rego
gafnit Jun 28, 2022
e269e7f
change iam privilege escalation folders names
gafnit Jul 3, 2022
06e132e
add resourceType and resourceName
gafnit Jul 3, 2022
bbf6469
fix rego import and role/user/group reference
gafnit Jul 28, 2022
d06eabe
Merge branch 'Checkmarx:master' into feature/aws_iam_privilege_escala…
gafnit-lightspin Aug 8, 2022
6bd3222
Add links in description
gafnit Aug 17, 2022
013e1d7
Merge branch 'Checkmarx:master' into feature/aws_iam_privilege_escala…
gafnit-lightspin Aug 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions ...queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"id": "8f3c16b3-354d-45db-8ad5-5066778a9485",
"queryName": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint'",
rafaela-soares marked this conversation as resolved.
Show resolved Hide resolved
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'",
rafaela-soares marked this conversation as resolved.
Show resolved Hide resolved
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
"platform": "Terraform",
"descriptionID": "10f17e18",
"cloudProvider": "aws"
}
rafaela-soares marked this conversation as resolved.
Show resolved Hide resolved
73 changes: 73 additions & 0 deletions ...ts/queries/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
package Cx

import data.generic.common as common_lib

CxPolicy[result] {

# get a AWS IAM group
input.document[i].resource.aws_iam_group[targetGroup]

unrecommended_permission_policy_scenarios(targetGroup, "glue:UpdateDevEndpoint")


result := {
"documentId": input.document[i].id,
"searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
"keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
"searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
}
}


unrecommended_permission_policy(resourcePolicy, permission) {
policy := common_lib.json_unmarshal(resourcePolicy.policy)

st := common_lib.get_statement(policy)
statement := st[_]

common_lib.is_allow_effect(statement)

common_lib.equalsOrInArray(statement.Resource, "*")
common_lib.equalsOrInArray(statement.Action, lower(permission))
}

get_group(attachment) = group {
group := split(attachment.groups[_], ".")[1]
} else = group {
group := split(attachment.group, ".")[1]
}


unrecommended_permission_policy_scenarios(targetGroup, permission) {
# get the IAM group policy
groupPolicy := input.document[_].resource.aws_iam_group_policy[_]

# get the group referenced in IAM group policy and confirm it is the target group
group := split(groupPolicy.group, ".")[1]
group == targetGroup

# verify that the policy is unrecommended
unrecommended_permission_policy(groupPolicy, permission)
} else {

# find attachment
attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
attachment := input.document[_].resource[attachments[_]][_]

# get the group referenced in IAM policy attachment and confirm it is the target group
group := get_group(attachment)
group == targetGroup

# confirm that policy associated is unrecommend
policy := split(attachment.policy_arn, ".")[1]

policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
resourcePolicy := input.document[_].resource[policies[_]][policy]

# verify that the policy is unrecommended
unrecommended_permission_policy(resourcePolicy, permission)

}

rafaela-soares marked this conversation as resolved.
Show resolved Hide resolved
21 changes: 21 additions & 0 deletions ...ies/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/negative1.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
resource "aws_iam_user" "cosmic2" {
name = "cosmic2"
}

resource "aws_iam_user_policy" "inline_policy_run_instances2" {
name = "inline_policy_run_instances"
user = aws_iam_user.cosmic2.name

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
29 changes: 29 additions & 0 deletions ...ies/terraform/aws/iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive1.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
resource "aws_iam_user" "cosmic" {
name = "cosmic"
}

resource "aws_iam_user_policy" "test_inline_policy" {
name = "test_inline_policy"
user = aws_iam_user.cosmic.name

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"glue:UpdateDevEndpoint",
]
Effect = "Allow"
Resource = "*"
},
]
})
}


resource "aws_iam_policy_attachment" "test-attach" {
name = "test-attachment"
users = [aws_iam_user.cosmic.name]
roles = [aws_iam_role.role.name]
groups = [aws_iam_group.group.name]
}
8 changes: 8 additions & 0 deletions .../iam_privilege_escalation/group/glue-UpdateDevEndpoint/test/positive_expected_result.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
[
{
"queryName": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint'",
"severity": "MEDIUM",
"line": 1,
"fileName": "positive1.tf"
}
]
11 changes: 11 additions & 0 deletions assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"id": "970ed7a2-0aca-4425-acf1-0453c9ecbca1",
"queryName": "Group with privilege escalation by actions 'iam:AddUserToGroup'",
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
"platform": "Terraform",
"descriptionID": "576ba016",
"cloudProvider": "aws"
}
73 changes: 73 additions & 0 deletions assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
package Cx

import data.generic.common as common_lib

CxPolicy[result] {

# get a AWS IAM group
input.document[i].resource.aws_iam_group[targetGroup]

unrecommended_permission_policy_scenarios(targetGroup, "iam:AddUserToGroup")


result := {
"documentId": input.document[i].id,
"searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]),
"keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]),
"searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
}
}


unrecommended_permission_policy(resourcePolicy, permission) {
policy := common_lib.json_unmarshal(resourcePolicy.policy)

st := common_lib.get_statement(policy)
statement := st[_]

common_lib.is_allow_effect(statement)

common_lib.equalsOrInArray(statement.Resource, "*")
common_lib.equalsOrInArray(statement.Action, lower(permission))
}

get_group(attachment) = group {
group := split(attachment.groups[_], ".")[1]
} else = group {
group := split(attachment.group, ".")[1]
}


unrecommended_permission_policy_scenarios(targetGroup, permission) {
# get the IAM group policy
groupPolicy := input.document[_].resource.aws_iam_group_policy[_]

# get the group referenced in IAM group policy and confirm it is the target group
group := split(groupPolicy.group, ".")[1]
group == targetGroup

# verify that the policy is unrecommended
unrecommended_permission_policy(groupPolicy, permission)
} else {

# find attachment
attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
attachment := input.document[_].resource[attachments[_]][_]

# get the group referenced in IAM policy attachment and confirm it is the target group
group := get_group(attachment)
group == targetGroup

# confirm that policy associated is unrecommend
policy := split(attachment.policy_arn, ".")[1]

policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
resourcePolicy := input.document[_].resource[policies[_]][policy]

# verify that the policy is unrecommended
unrecommended_permission_policy(resourcePolicy, permission)

}

21 changes: 21 additions & 0 deletions ...queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/negative1.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
resource "aws_iam_user" "cosmic2" {
name = "cosmic2"
}

resource "aws_iam_user_policy" "inline_policy_run_instances2" {
name = "inline_policy_run_instances"
user = aws_iam_user.cosmic2.name

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
29 changes: 29 additions & 0 deletions ...queries/terraform/aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive1.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
resource "aws_iam_user" "cosmic" {
name = "cosmic"
}

resource "aws_iam_user_policy" "test_inline_policy" {
name = "test_inline_policy"
user = aws_iam_user.cosmic.name

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"iam:AddUserToGroup",
]
Effect = "Allow"
Resource = "*"
},
]
})
}


resource "aws_iam_policy_attachment" "test-attach" {
name = "test-attachment"
users = [aws_iam_user.cosmic.name]
roles = [aws_iam_role.role.name]
groups = [aws_iam_group.group.name]
}
8 changes: 8 additions & 0 deletions .../aws/iam_privilege_escalation/group/iam-AddUserToGroup/test/positive_expected_result.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
[
{
"queryName": "Group with privilege escalation by actions 'iam:AddUserToGroup'",
"severity": "MEDIUM",
"line": 1,
"fileName": "positive1.tf"
}
]
11 changes: 11 additions & 0 deletions .../queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"id": "70b42736-efee-4bce-80d5-50358ed94990",
"queryName": "Group with privilege escalation by actions 'iam:AttachGroupPolicy'",
"severity": "MEDIUM",
"category": "Access Control",
"descriptionText": "Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group",
"platform": "Terraform",
"descriptionID": "e42aec0c",
"cloudProvider": "aws"
}
73 changes: 73 additions & 0 deletions assets/queries/terraform/aws/iam_privilege_escalation/group/iam-AttachGroupPolicy/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
package Cx

import data.generic.common as common_lib

CxPolicy[result] {

# get a AWS IAM group
input.document[i].resource.aws_iam_group[targetGroup]

unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachGroupPolicy")


result := {
"documentId": input.document[i].id,
"searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]),
"keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]),
"searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
}
}


unrecommended_permission_policy(resourcePolicy, permission) {
policy := common_lib.json_unmarshal(resourcePolicy.policy)

st := common_lib.get_statement(policy)
statement := st[_]

common_lib.is_allow_effect(statement)

common_lib.equalsOrInArray(statement.Resource, "*")
common_lib.equalsOrInArray(statement.Action, lower(permission))
}

get_group(attachment) = group {
group := split(attachment.groups[_], ".")[1]
} else = group {
group := split(attachment.group, ".")[1]
}


unrecommended_permission_policy_scenarios(targetGroup, permission) {
# get the IAM group policy
groupPolicy := input.document[_].resource.aws_iam_group_policy[_]

# get the group referenced in IAM group policy and confirm it is the target group
group := split(groupPolicy.group, ".")[1]
group == targetGroup

# verify that the policy is unrecommended
unrecommended_permission_policy(groupPolicy, permission)
} else {

# find attachment
attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
attachment := input.document[_].resource[attachments[_]][_]

# get the group referenced in IAM policy attachment and confirm it is the target group
group := get_group(attachment)
group == targetGroup

# confirm that policy associated is unrecommend
policy := split(attachment.policy_arn, ".")[1]

policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
resourcePolicy := input.document[_].resource[policies[_]][policy]

# verify that the policy is unrecommended
unrecommended_permission_policy(resourcePolicy, permission)

}

Loading