Restrict RAM IAM permissions in pivot role #1195
Comments
Hi @mourya-33, thanks for opening an issue. I have quickly looked into the docs and actions such as So, we cannot restrict permissions based on tags, but we can use the Resource share name, because all data.all RAM shares will be using Lake Formation and will have a name such as

@mourya-33 Any updates on this?
Describe the bug
Pivot Role (auto created and custom) has the following unrestricted permissions on KMS and RAM shares. This role needs to be added as an exception until the following are remediated.
```yaml
# RAM statement from the pivot role policy: three write-level actions with
# no resource ARN and no Condition, which is what the checkov checks below flag.
Effect: Allow
Action:
  - "ram:AcceptResourceShareInvitation"
  - "ram:RejectResourceShareInvitation"
  - "ram:EnableSharingWithAwsOrganization"
Resource: '*'
```
How to Reproduce
Run a checkov scan on the auto-created pivot role or the custom pivot role template, deploy/pivot_role/pivotRole.yaml. The scan will FAIL with the following message.

```text
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: AWS::IAM::ManagedPolicy.PivotRolePolicy0
	File: /deploy/pivot_role/pivotRole.yaml:{line numbers}
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints"
	FAILED for resource: AWS::IAM::ManagedPolicy.PivotRolePolicy0
	File: /deploy/pivot_role/pivotRole.yaml:{line numbers}
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
```
Expected behavior
Once remediated, the checkov scan should not contain the above mentioned failures.
Your project
No response
Screenshots
No response
OS
Mac
Python version
3.10
AWS data.all version
2.3
Additional context
No response
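As an added example (not code from data.all or from checkov), the following script reproduces the shape of finding that CKV_AWS_111 / CKV_AWS_109 report: an Allow statement granting non-read actions on `Resource: '*'` with no `Condition`. It runs the check over the RAM statement quoted in this issue and over a constrained rewrite along the lines the maintainer suggests (scoping the invitation actions by resource share name). The rewrite assumes `ram:ResourceShareName` is an accepted condition key for `ram:AcceptResourceShareInvitation` / `ram:RejectResourceShareInvitation` and that `ram:EnableSharingWithAwsOrganization` is an account-level action that takes no resource ARN; both should be confirmed against the AWS Service Authorization Reference. The share-name pattern is a hypothetical placeholder, since the actual data.all share name is not given on this page. The check itself is a simplified approximation of what checkov looks for, not checkov's implementation.

```python
"""Added example (not data.all or checkov code): a simplified check in the spirit
of checkov's CKV_AWS_111 / CKV_AWS_109, run over the pivot role's RAM statement
and over a constrained rewrite of it. Policies are written as Python dicts, the
JSON form that the CloudFormation YAML in pivotRole.yaml maps onto."""

from typing import Any

# Action verbs treated as read-only; anything else (including wildcards) counts as write.
READ_ONLY_PREFIXES = ("List", "Get", "Describe")

# Hypothetical placeholder: the real data.all resource share name pattern is not
# stated on this page and must be taken from the deployed shares.
SHARE_NAME_PATTERN = "<data.all-share-name-prefix>*"


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """True for e.g. 'ram:ListResourceShareInvitations'; False for 'ram:Accept...' and 'ram:*'."""
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_PREFIXES)


def find_unconstrained_statements(policy: dict) -> list[dict]:
    """Return Allow statements granting a non-read action on Resource '*' with no
    Condition block, i.e. the shape both checkov checks complain about."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # scoped to specific ARNs
        if stmt.get("Condition"):
            continue  # a Condition block counts as a constraint
        write_actions = [a for a in _as_list(stmt.get("Action")) if not is_read_only(a)]
        if write_actions:
            findings.append({"index": index, "sid": stmt.get("Sid"), "actions": write_actions})
    return findings


# Constructed: the statement quoted in the issue, as the pivot role policy grants it.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RAMUnconstrained",
            "Effect": "Allow",
            "Action": [
                "ram:AcceptResourceShareInvitation",
                "ram:RejectResourceShareInvitation",
                "ram:EnableSharingWithAwsOrganization",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed: invitation actions scoped to invitation ARNs and to shares whose
# name matches the pattern (assumes ram:ResourceShareName is an accepted condition
# key for these actions). EnableSharingWithAwsOrganization is assumed to be
# account-level with no resource ARN, so it keeps '*' and still trips the check;
# that is the statement an exception would have to cover.
CONSTRAINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RAMInvitationsByShareName",
            "Effect": "Allow",
            "Action": [
                "ram:AcceptResourceShareInvitation",
                "ram:RejectResourceShareInvitation",
            ],
            "Resource": "arn:aws:ram:*:*:resource-share-invitation/*",
            "Condition": {"StringLike": {"ram:ResourceShareName": SHARE_NAME_PATTERN}},
        },
        {
            "Sid": "EnableOrgSharing",
            "Effect": "Allow",
            "Action": "ram:EnableSharingWithAwsOrganization",
            "Resource": "*",
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("current", CURRENT_POLICY), ("constrained", CONSTRAINED_POLICY)):
        for f in find_unconstrained_statements(policy):
            print(f"{name}: statement {f['index']} ({f['sid']}) unconstrained: {', '.join(f['actions'])}")
```

Running it flags the single statement of the current policy and, for the constrained policy, only `EnableOrgSharing`: scoping the two invitation actions removes them from the finding, while the organization-sharing toggle cannot be scoped by resource and remains the part that needs a documented exception or a separate, tightly reviewed statement.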