From 3d092065294535d51291a57aac000c923b2510e3 Mon Sep 17 00:00:00 2001
From: rajmohanty17
Date: Thu, 23 Jun 2022 18:18:14 +0530
Subject: [PATCH 1/4] lambda_function_restrict_public_access.sql query not evaluating correctly
Closes #421
---
 ...lambda_function_restrict_public_access.sql | 49 +++++++++++--------
 1 file changed, 29 insertions(+), 20 deletions(-)
diff --git a/query/lambda/lambda_function_restrict_public_access.sql b/query/lambda/lambda_function_restrict_public_access.sql
index bf23e991..20d15948 100644
--- a/query/lambda/lambda_function_restrict_public_access.sql
+++ b/query/lambda/lambda_function_restrict_public_access.sql
@@ -1,25 +1,34 @@
+with wildcard_action_policies as (
+ select
+ arn,
+ count(*) as statements_num
+ from
+ aws_lambda_function,
+ jsonb_array_elements(policy_std -> 'Statement') as s
+ where
+ s ->> 'Effect' = 'Allow'
+ and (
+ ( s -> 'Principal' -> 'AWS') = '["*"]'
+ or s ->> 'Principal' = '*'
+ )
+ group by
+ arn
+)
 select
- -- Required Columns
- arn as resource,
+ -- Required columns
+ f.arn as resource,
 case
- when policy_std -> 'Statement' ->> 'Effect' = 'Allow'
- and (
- policy_std -> 'Statement' ->> 'Principal' = '*'
- or ( policy_std -> 'Principal' -> 'AWS' ) :: text = '*'
- ) then 'alarm'
- else 'ok'
+ when p.arn is null then 'ok'
+ else 'alarm'
 end status,
 case
- when policy_std is null then title || ' has no policy.'
- when policy_std -> 'Statement' ->> 'Effect' = 'Allow'
- and (
- policy_std -> 'Statement' ->> 'Principal' = '*'
- or ( policy_std -> 'Principal' -> 'AWS' ) :: text = '*'
- ) then title || ' allows public access.'
- else title || ' does not allow public access.'
- end reason,
- -- Additional Dimensions
- region,
- account_id
+ when p.arn is null then title || ' does not allow public access.'
+ else title || ' contains ' || coalesce(p.statements_num,0) ||
+ ' statements that allows public access.'
+ end as reason,
+ -- Additional columns
+ f.region,
+ f.account_id
 from
- aws_lambda_function;
+ aws_lambda_function as f
+ left join wildcard_action_policies as p on p.arn = f.arn;
\ No newline at end of file
From 86613cee366387d67bf012b8f64248fd4c6bf71d Mon Sep 17 00:00:00 2001
From: rajmohanty17
Date: Thu, 23 Jun 2022 18:23:34 +0530
Subject: [PATCH 2/4] Typo updates
---
 query/lambda/lambda_function_restrict_public_access.sql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/query/lambda/lambda_function_restrict_public_access.sql b/query/lambda/lambda_function_restrict_public_access.sql
index 20d15948..f775229e 100644
--- a/query/lambda/lambda_function_restrict_public_access.sql
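Review bot: The principal test in the new CTE, `( s -> 'Principal' -> 'AWS') = '["*"]'`, only matches when the wildcard is the sole element of the AWS principal array, so a statement whose `Principal.AWS` lists `*` next to account ARNs is not counted and the function is reported `ok`; a containment test, `( s -> 'Principal' -> 'AWS') @> '["*"]'`, covers both shapes and is valid on the jsonb type that `jsonb_array_elements` already assumes (whether policy_std normalises such lists to a lone `*` is not visible here, so confirm before relying on equality). The CTE also never inspects `s -> 'Condition'`, so an `Allow` to `*` that is narrowed by a condition such as `aws:SourceAccount` is flagged as public; if that conservative reading is intended, a one-line comment above `where` stating it would save the next reader from re-deriving the decision. In the reason branch, `coalesce(p.statements_num,0)` can never see a null, because that branch only runs when `p.arn is not null` and `count(*)` does not yield null, so plain `p.statements_num` reads clearer. Minor: `title` is the one column in the outer select not qualified with `f.`, unlike `f.arn`, `f.region` and `f.account_id`.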
+++ b/query/lambda/lambda_function_restrict_public_access.sql
@@ -15,7 +15,7 @@ with wildcard_action_policies as (
 arn
 )
 select
- -- Required columns
+ -- Required Columns
 f.arn as resource,
 case
 when p.arn is null then 'ok'
@@ -26,7 +26,7 @@ select
 else title || ' contains ' || coalesce(p.statements_num,0) ||
 ' statements that allows public access.'
 end as reason,
- -- Additional columns
+ -- Additional Columns
 f.region,
 f.account_id
 from
From 84057d249baf72537092aaa6efce1790f6f9b8f9 Mon Sep 17 00:00:00 2001
From: rajmohanty17
Date: Thu, 23 Jun 2022 18:26:22 +0530
Subject: [PATCH 3/4] Tidy up comments
---
 query/lambda/lambda_function_restrict_public_access.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/query/lambda/lambda_function_restrict_public_access.sql b/query/lambda/lambda_function_restrict_public_access.sql
index f775229e..3ea33eef 100644
--- a/query/lambda/lambda_function_restrict_public_access.sql
+++ b/query/lambda/lambda_function_restrict_public_access.sql
@@ -26,7 +26,7 @@ select
 else title || ' contains ' || coalesce(p.statements_num,0) ||
 ' statements that allows public access.'
 end as reason,
- -- Additional Columns
+ -- Additional Dimensions
 f.region,
 f.account_id
 from
From 3c59a79d8934f58bca4e4bcf6bc729bcbd734756 Mon Sep 17 00:00:00 2001
From: rajmohanty17
Date: Thu, 23 Jun 2022 18:37:14 +0530
Subject: [PATCH 4/4] Format query
---
 query/lambda/lambda_function_restrict_public_access.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/query/lambda/lambda_function_restrict_public_access.sql b/query/lambda/lambda_function_restrict_public_access.sql
index 3ea33eef..11d7fa33 100644
--- a/query/lambda/lambda_function_restrict_public_access.sql
+++ b/query/lambda/lambda_function_restrict_public_access.sql
@@ -20,7 +20,7 @@ select
 case
 when p.arn is null then 'ok'
 else 'alarm'
- end status,
+ end as status,
 case
 when p.arn is null then title || ' does not allow public access.'
 else title || ' contains ' || coalesce(p.statements_num,0) ||