
Restrict RAM IAM permissions in pivot role #1195

Open
mourya-33 opened this issue Apr 19, 2024 · 2 comments

Comments

@mourya-33
Contributor

mourya-33 commented Apr 19, 2024

Describe the bug

Pivot Role (auto created and custom) has the following unrestricted permissions on KMS and RAM shares. This role needs to be added as an exception until the following are remediated.

  • Sid: RamInvitations
    Effect: Allow
    Action:
    - "ram:AcceptResourceShareInvitation"
    - "ram:RejectResourceShareInvitation"
    - "ram:EnableSharingWithAwsOrganization"
    Resource: '*'

How to Reproduce

Run a checkov scan for the auto-created pivot role or the custom pivot role (deploy/pivot_role/pivotRole.yaml). The scan will FAIL with the following messages.

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: AWS::IAM::ManagedPolicy.PivotRolePolicy0
File: /deploy/pivot_role/pivotRole.yaml:{line numbers}
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

	Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints"
FAILED for resource: AWS::IAM::ManagedPolicy.PivotRolePolicy0
File: /deploy/pivot_role/pivotRole.yaml:{line numbers}
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

Expected behavior

Once remediated, the checkov scan should not contain the above mentioned failures.

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.3

Additional context

No response

@mourya-33 mourya-33 changed the title Restrict KMS and RAM IAM permissions in pivot role Restrict RAM IAM permissions in pivot role Apr 19, 2024
@dlpzx
Contributor

dlpzx commented Apr 24, 2024

Hi @mourya-33 thanks for opening an issue. I have quickly looked into the docs and actions such as ram:AcceptResourceShareInvitation can only be limited to ram:ShareOwnerAccountId and ram:ResourceShareName.

So, we cannot restrict permissions based on tags, but we can use the Resource share name, because all data.all RAM shares will be using Lake Formation and will have a name such as LakeFormation-VX-UNIQUEIDENTIFIER. Is that what you are looking for? Or do you just need to include the policy as an exception in checkov?
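An added example, not taken from the data.all repository, of what a statement restricted with the condition keys named above could look like in the same CloudFormation style as the issue's snippet. It assumes the share-name pattern LakeFormation-V* from the comment above and uses a placeholder for the share owner account; whether ram:EnableSharingWithAwsOrganization accepts the same conditions is not covered here, so it is kept in a separate statement.

```yaml
# Added example (not project code): RAM invitation actions scoped by the
# condition keys the comment above names, instead of an unconditional '*'.
- Sid: RamInvitationsRestricted
  Effect: Allow
  Action:
    - "ram:AcceptResourceShareInvitation"
    - "ram:RejectResourceShareInvitation"
  Resource: '*'
  Condition:
    # Only invitations whose share name follows the data.all naming
    # convention (assumed pattern: LakeFormation-V<version>-<identifier>).
    StringLike:
      "ram:ResourceShareName": "LakeFormation-V*"
    # Only invitations sent by the expected owner account
    # (placeholder; substitute the real account id or a parameter).
    StringEquals:
      "ram:ShareOwnerAccountId": "<SHARE_OWNER_ACCOUNT_ID>"
- Sid: RamOrgSharing
  Effect: Allow
  Action:
    - "ram:EnableSharingWithAwsOrganization"
  Resource: '*'
```

The invitation-handling statement no longer grants unconstrained write access, so CKV_AWS_111 can be re-run to confirm it no longer flags that part of the policy; the remaining unconditional statement is the one a checkov exception would still need to cover.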

@anmolsgandhi
Contributor

@mourya-33 Any updates on this?
