awslabs / aws-cloudformation-iam-policy-validator

MIT No Attribution

Bugfix - Error when template only contains a role trust policy and no other supported resources #44

Closed alankuo-aws closed 2 months ago

alankuo-aws commented 2 months ago

Description of changes: Bugfix for UnboundLocalError: local variable 'resource' referenced before assignment error when checking a template that only contains a role with trust policy and no other supported resource types.

Tested fix against a template containing only a role with trust policy and no other supported resource types. Tested against roles with no expected findings and public access findings and received expected results.

Input:

  MyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS: 
            - "*"
          Action: 
          - sts:AssumeRole

Result:

{
    "BlockingFindings": [
        {
            "findingType": "SECURITY_WARNING",
            "code": "policy-analysis-CheckNoPublicAccess",
            "message": "The resource policy grants public access for the given resource type.",

Input:

  MyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            Service: 
            - ec2.amazonaws.com
          Action: 
          - sts:AssumeRole

Result:

{
    "BlockingFindings": [],
    "NonBlockingFindings": []
}

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
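The two inputs and results above show the behaviour being fixed: a template whose only resource is an IAM role must still be walked cleanly, and a trust policy with Principal AWS "*" must produce a CheckNoPublicAccess finding while a service principal produces none. The script below is an added example written for this page, not code from the aws-cloudformation-iam-policy-validator project; it embeds both templates from the PR as constructed JSON (so no YAML library is needed), scans every AWS::IAM::Role for a public trust statement, and returns findings shaped like the three keys shown in the PR output (findingType, code, message) plus a resourceName key that is an assumption made here. The treatment of a Condition block (any condition is taken to narrow the principal) is a deliberate simplification, not the validator's logic.

```python
import json

# Constructed inline from the YAML shown in the pull request (JSON form).
PUBLIC_ROLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": ["*"]},
             "Action": ["sts:AssumeRole"]}
          ]
        }
      }
    }
  }
}
""")

# Constructed inline from the second YAML input in the pull request.
SERVICE_ROLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "MyRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Effect": "Allow",
             "Principal": {"Service": ["ec2.amazonaws.com"]},
             "Action": ["sts:AssumeRole"]}
          ]
        }
      }
    }
  }
}
""")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_is_public(statement):
    """True when an Allow statement lets any AWS principal assume the role.

    Simplification (assumption made for this example): a statement carrying
    any Condition is treated as narrowed and therefore not public.
    """
    if statement.get("Effect") != "Allow":
        return False
    if statement.get("Condition"):
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def check_trust_policies(template):
    """Return one finding per AWS::IAM::Role whose trust policy is public.

    Every variable used after the loop is initialised before it, so a
    template that contains only roles (or no resources at all) is handled
    without referencing an unassigned name.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        doc = resource.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        for statement in _as_list(doc.get("Statement")):
            if _statement_is_public(statement):
                findings.append({
                    "resourceName": logical_id,  # key name is an assumption
                    "findingType": "SECURITY_WARNING",
                    "code": "policy-analysis-CheckNoPublicAccess",
                    "message": "The resource policy grants public access "
                               "for the given resource type.",
                })
    return findings


if __name__ == "__main__":
    for name, template in (("public", PUBLIC_ROLE_TEMPLATE),
                           ("service", SERVICE_ROLE_TEMPLATE)):
        print(name, json.dumps({"BlockingFindings": check_trust_policies(template)},
                               indent=4))
```

Running the script prints one SECURITY_WARNING for the "*" principal template and an empty BlockingFindings list for the ec2.amazonaws.com template, matching the two results recorded in the PR.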