[BUG] Resource Policy Condition Keys - Handling it as non-case sensitive #353
Comments
Hi Fabio,

Thank you for taking a closer look at the Guard rule example we have provided with the repository. We think that the Guard rule has clauses that will make the keys sensitive. Here's how: From the same AWS documentation you linked, it also states:
The guard rule in question applies to the keys
Now, for the templates where this rule is skipped, meaning the four keys that we are checking are actually not used, whereas we may need to either tweak the rule or add another clause applicable to ignore-case condition operators as well. We will make the necessary changes and raise a PR for this change.

HTH,
Describe the issue
There are a few Guard rule examples in this repo that do not handle Resource Policy condition keys correctly. As a result, the rule enforcement can easily be bypassed by defining condition keys with mixed upper/lower case.
Any examples
https://github.com/aws-cloudformation/cloudformation-guard/blob/main/guard-examples/cross-account/sns-cross-account.guard
The above regex will handle a few key combinations. I will list some of them for SourceAccount as an example:
The problem here is that the condition key name is not case sensitive, as documented here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
With the above rule, if the user specifies the condition key as aws:SOURCEACCOUNT in their resource policy, allowing an account not listed in the allowed_accounts variable, the rule result will be SKIP instead of FAIL.
The Regex could be rewritten from:
to the following, which addresses the case-sensitivity problem:
It could be further enhanced to prevent invalid prefix/suffix in the condition key as follows:
Operating System: Amazon Linux 2
OS Version: Amazon Linux 2
Guard Version: 2.1.3
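To make the bypass concrete, here is an added Python model of how a rule's condition-key matching decides between SKIP, PASS and FAIL (this is not code from cloudformation-guard or from the issue; the statement, account numbers and the three patterns are constructed for the demonstration). It shows the case-sensitive match skipping an `aws:SOURCEACCOUNT` statement, and the anchored, case-insensitive match failing it while ignoring keys with a bogus prefix or suffix.

```python
import re

# Constructed sample: a resource-policy statement whose condition key is
# upper-cased. IAM treats condition key names case-insensitively, so this is
# enforced exactly like aws:SourceAccount, yet a case-sensitive regex misses it.
STATEMENT = {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "sns:Publish",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:SOURCEACCOUNT": "999999999999"}},
}
ALLOWED_ACCOUNTS = {"111111111111"}  # constructed allow-list

# Case-sensitive, unanchored: models the rule as reported in the issue.
NAIVE_KEY = re.compile(r"aws:SourceAccount")
# Case-insensitive but unanchored: still accepts junk around the key name.
LOOSE_KEY = re.compile(r"aws:SourceAccount", re.IGNORECASE)
# Case-insensitive and anchored: the hardened form suggested in the issue.
STRICT_KEY = re.compile(r"^aws:SourceAccount$", re.IGNORECASE)


def evaluate(statement, key_pattern, allowed):
    """Return 'SKIP' when no condition key matches (the rule does not apply),
    'PASS' when every matched value is an allowed account, else 'FAIL'."""
    values = []
    # The condition operator (StringEquals, StringEqualsIgnoreCase, ...) does
    # not change how the key name itself is matched, so every operator is walked.
    for _operator, keys in statement.get("Condition", {}).items():
        for key, value in keys.items():
            if key_pattern.search(key):
                values.extend(value if isinstance(value, list) else [value])
    if not values:
        return "SKIP"
    return "PASS" if all(v in allowed for v in values) else "FAIL"


if __name__ == "__main__":
    print("naive :", evaluate(STATEMENT, NAIVE_KEY, ALLOWED_ACCOUNTS))   # SKIP (bypassed)
    print("strict:", evaluate(STATEMENT, STRICT_KEY, ALLOWED_ACCOUNTS))  # FAIL (caught)
```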