aws-cloudformation / cloudformation-guard

Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
Apache License 2.0
1.28k stars 181 forks

Check Bucket PolicyDocument with a conditional #226

Closed saiprasanthrajavarapu closed 1 year ago

saiprasanthrajavarapu commented 2 years ago

Hello Team,

I am looking for guidance around a rule for making sure the bucket policy has secure transport false.

template:

s3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref s3Bucket
      PolicyDocument: !If
        - UseBucketPolicyCondtion
        - !Ref AWSS3BucketPolicyPolicyDocument
        - Statement:
            - Sid: AllowSSLRequestsOnly
              Action:
                - 's3:*'
              Effect: Deny
              Resource:
                - !Sub "arn:aws:s3:::${s3Bucket}/*"
                - !Sub "arn:aws:s3:::${s3Bucket}"
              Principal: '*'
              Condition:
                Bool:
                  aws:SecureTransport: 'false'

existing rule:

rule aws_s3_bucket_policy when %aws_s3_bucket_policy !empty {
    %aws_s3_bucket_policy{
        Properties{
           when PolicyDocument.Statement exists {
                some PolicyDocument.Statement[*].Condition.Bool.'aws:SecureTransport' == "false"
            }
        }
    }
}

Cfn-guard skips the rule for the above template because of the If condition. Is there any way it can validate the statement that is hardcoded even if there is an If condition?
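For comparison, here is the same check expressed outside the Guard DSL, added as an example and not code from this issue or from the cloudformation-guard project. It walks every branch of the `Fn::If`, reports the branch that comes from a parameter (`Ref`) as unresolvable rather than silently passing it, and verifies the hardcoded branch. It also requires `Effect: Deny` alongside `aws:SecureTransport: false`, which the rule in the question does not. The dict below is constructed from the template in the question, in the long-form JSON shape CloudFormation uses, so the script runs without a YAML library.

```python
"""Check that every concrete branch of an S3 BucketPolicy's PolicyDocument
denies requests made without TLS (aws:SecureTransport == false).

Stand-alone checker written for this issue; not a cfn-guard rule and not
code from the cloudformation-guard project."""

from typing import Any, Dict, List, Tuple

# Constructed from the issue's template, with short-form YAML tags
# (!If, !Ref, !Sub) written in their long-form JSON equivalents.
TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "s3BucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "s3Bucket"},
                "PolicyDocument": {
                    "Fn::If": [
                        "UseBucketPolicyCondtion",
                        {"Ref": "AWSS3BucketPolicyPolicyDocument"},
                        {
                            "Statement": [
                                {
                                    "Sid": "AllowSSLRequestsOnly",
                                    "Action": ["s3:*"],
                                    "Effect": "Deny",
                                    "Resource": [
                                        {"Fn::Sub": "arn:aws:s3:::${s3Bucket}/*"},
                                        {"Fn::Sub": "arn:aws:s3:::${s3Bucket}"},
                                    ],
                                    "Principal": "*",
                                    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
                                }
                            ]
                        },
                    ]
                },
            },
        }
    }
}


def statement_denies_insecure_transport(stmt: Dict[str, Any]) -> bool:
    """True if the statement is a Deny conditioned on aws:SecureTransport false."""
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    # Authors write the flag as the string 'false' or the boolean false; accept both.
    return stmt.get("Effect") == "Deny" and str(flag).lower() == "false"


def document_is_compliant(doc: Dict[str, Any]) -> bool:
    """True if at least one statement in the document denies non-TLS access."""
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also legal
        statements = [statements]
    return any(isinstance(s, dict) and statement_denies_insecure_transport(s)
               for s in statements)


def expand_branches(value: Any, path: str = "PolicyDocument") -> List[Tuple[str, Any]]:
    """Return (path, value) for every concrete branch of an Fn::If tree.
    Nested Fn::If values are handled by recursion."""
    if isinstance(value, dict) and set(value) == {"Fn::If"}:
        _condition, if_true, if_false = value["Fn::If"]
        return (expand_branches(if_true, path + "[if-true]")
                + expand_branches(if_false, path + "[if-false]"))
    return [(path, value)]


def check_bucket_policy(resource: Dict[str, Any]) -> Dict[str, str]:
    """Map each branch path to 'compliant', 'noncompliant' or 'unresolved'.
    'unresolved' marks a branch whose document is supplied at deploy time
    (e.g. via Ref to a parameter) and so cannot be verified statically."""
    results: Dict[str, str] = {}
    doc = resource.get("Properties", {}).get("PolicyDocument")
    for path, branch in expand_branches(doc):
        if isinstance(branch, dict) and "Statement" in branch:
            results[path] = "compliant" if document_is_compliant(branch) else "noncompliant"
        else:
            results[path] = "unresolved"
    return results


def check_template(template: Dict[str, Any]) -> Dict[str, Dict[str, str]]:
    """Run the check over every AWS::S3::BucketPolicy resource in the template."""
    out: Dict[str, Dict[str, str]] = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::BucketPolicy":
            out[name] = check_bucket_policy(res)
    return out


if __name__ == "__main__":
    for name, branches in check_template(TEMPLATE).items():
        for path, status in branches.items():
            print(f"{name}: {path} -> {status}")
```

On the issue's template this reports the `if-false` branch as compliant and the `if-true` branch (the `Ref` to `AWSS3BucketPolicyPolicyDocument`) as unresolved; treating "unresolved" as a finding rather than a pass is the point, since the parameter-supplied document is exactly the part a static check cannot vouch for.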

akumar-99 commented 2 years ago

@saiprasanthrajavarapu I hope this helps.

let s3_bucketpolicies = Resources.*[
    Type == "AWS::S3::BucketPolicy"
]

rule aws_s3_bucket_policy when %s3_bucketpolicies !empty {
    %s3_bucketpolicies {
        Properties {
            when PolicyDocument is_list {
                PolicyDocument.* {
                    when Statement exists {
                        Statement.* {
                            Condition {
                                Bool {
                                    'aws:SecureTransport' == 'false'
                                }
                            }
                        }
                    }
                }
            } OR
            PolicyDocument {
                Statement.* {
                    Condition {
                        Bool {
                            'aws:SecureTransport' == 'false'
                        }
                    }
                }
            }
        }
    }
}

joshfried-aws commented 1 year ago

Hi @saiprasanthrajavarapu, since the above comment seems to have provided you with a sufficient answer.

Thanks,