
Update queries to check policy attachment & separation to validate all vs custom iam policies. Fixes #277 Closes #280 #281

Merged: 2 commits merged into release/v0.15 on Sep 27, 2021

Conversation

@rajlearner17 rajlearner17 (Contributor) commented Sep 16, 2021

Checklist

  1. foundational_security_iam_1 was earlier using iam_policy_no_star_star.sql, which was not valid as it was not checking attachment; now it will use the query iam_custom_policy_no_star_star.sql, which is added with an attachment check and restricted to customer-managed policies.

  2. iam_policy_no_star_star has occurrences in other compliance mods, hence retaining it as is. iam_custom_policy_no_star_star.sql is only used in the iam.sp file, hence safe.

  3. foundational_security_iam_21 now uses the new query iam_custom_policy_no_service_wild_card.sql. Earlier it was using the query iam_custom_policy_no_star_star.sql, which was used by foundational_security_iam_1 (mentioned above). As per the foundational_security_iam_21 requirement, the control checks for the service:* pattern.
    (This new query is a single occurrence, safe to proceed)

  4. Introduced the new query iam_all_policy_no_star_star.sql for cis_v140_1_16; earlier it was using the wrong query, i.e. iam_policy_no_star_star.sql (this was again restricted to only customer-managed policies, and there was no attachment check). cis_v140_1_16 should check all policies, inclusive of AWS ones, which are attached.
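Added example, not part of this PR or of the mod's SQL: the three distinctions the checklist draws (attachment check, customer-managed vs all policies, the *:* pattern vs the service:* pattern) written as plain Python over constructed policy records, so the verdict each control should give on a given policy can be seen on sample input. The record shape, the control names' mapping to scope and pattern, and the `arn:aws:iam::aws:policy/` prefix test are assumptions of this example.

```python
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"  # assumed ARN prefix of AWS-managed policies

def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _allow_statements(document):
    return [s for s in _as_list(document.get("Statement")) if s.get("Effect") == "Allow"]

def has_star_star(document):
    """Full administrative grant: Action "*" together with Resource "*" (the *:* pattern)."""
    return any("*" in _as_list(s.get("Action")) and "*" in _as_list(s.get("Resource"))
               for s in _allow_statements(document))

def has_service_wildcard(document):
    """All actions of one service, e.g. "s3:*" (the service:* pattern)."""
    return any(a.endswith(":*") for s in _allow_statements(document)
               for a in _as_list(s.get("Action")))

# control -> (policy scope, pattern), mirroring the mapping described in the PR checklist
CONTROLS = {
    "foundational_security_iam_1": ("customer", has_star_star),
    "foundational_security_iam_21": ("customer", has_service_wildcard),
    "cis_v140_1_16": ("all", has_star_star),
}

def run_control(policies, control):
    """Return {arn: "alarm" | "ok"} for each policy that is attached and in scope."""
    scope, predicate = CONTROLS[control]
    results = {}
    for p in policies:
        if p["attachment_count"] == 0:
            continue  # attachment check: an unattached policy grants nothing
        if scope == "customer" and p["arn"].startswith(AWS_MANAGED_PREFIX):
            continue  # customer-managed scope excludes AWS-managed policies
        results[p["arn"]] = "alarm" if predicate(p["document"]) else "ok"
    return results

# Constructed sample records (not real account data); shape loosely follows aws_iam_policy rows.
SAMPLE_POLICIES = [
    {"arn": "arn:aws:iam::aws:policy/AdministratorAccess", "attachment_count": 1,
     "document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"arn": "arn:aws:iam::123456789012:policy/custom-admin", "attachment_count": 2,
     "document": {"Statement": {"Effect": "Allow", "Action": ["*"], "Resource": "*"}}},
    {"arn": "arn:aws:iam::123456789012:policy/s3-all", "attachment_count": 1,
     "document": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
    {"arn": "arn:aws:iam::123456789012:policy/unattached-admin", "attachment_count": 0,
     "document": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
]
```

Running each control over SAMPLE_POLICIES shows the point of the PR: the AWS-managed AdministratorAccess policy only appears in the cis_v140_1_16 result, the unattached policy appears in none, and the service:* policy only trips foundational_security_iam_21.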

aws_iam_policy as a
left join wildcard_action_policies as b on a.arn = b.arn
where
a.arn not like 'arn:aws:iam::aws:policy%'
Contributor

Suggested change
a.arn not like 'arn:aws:iam::aws:policy%'
a.arn not like 'arn:aws:iam::aws:policy%';
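Review bot: beyond the missing terminating semicolon, the `where a.arn not like 'arn:aws:iam::aws:policy%'` filter in this excerpt is what restricts the result to customer-managed policies, so this query fits the customer-managed controls (foundational_security_iam_1 / foundational_security_iam_21) and must not be reused for cis_v140_1_16, which the description says has to include attached AWS-managed policies; a one-line comment above the `where` clause stating that intent would prevent the mix-up this PR is fixing from recurring.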

Base automatically changed from release/v0.14 to main September 23, 2021 17:09
@rajlearner17 rajlearner17 changed the base branch from main to release/v0.15 September 24, 2021 11:27
@misraved misraved merged commit b59a904 into release/v0.15 Sep 27, 2021
@misraved misraved deleted the issue#277and280-star-policy branch September 27, 2021 11:28