bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Checkov utility returns no output on specific cloudformation check #457

Closed mrudrara closed 3 years ago

mrudrara commented 4 years ago

Description of the Issue

Trying to run the checkov utility on my CloudFormation template, and it returns no output. Please find the CloudFormation template below.

To Reproduce

Steps to reproduce the behavior:

  1. Run the CLI command on my YAML file
❯ export LOG_LEVEL="warning"
❯ checkov -f mycheckov.yaml --framework cloudformation

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

by bridgecrew.io | version: 1.0.451

❯ checkov -f mycheckov.yaml
DEBUG:root:Got guidelines form Bridgecrew BE
2020-07-19 19:16:41,976 [MainThread  ] [DEBUG]  Got guidelines form Bridgecrew BE
DEBUG:root:Template Dump for mycheckov.yaml: [parsed-template dump omitted; the source template is reproduced below]
2020-07-19 19:16:41,984 [MainThread  ] [DEBUG]  Template Dump for mycheckov.yaml: [parsed-template dump omitted]
DEBUG:checkov.kubernetes.parser.parser:Cannot read file contents: mycheckov.yaml - is it a yaml?
2020-07-19 19:16:42,031 [MainThread  ] [DEBUG]  Cannot read file contents: mycheckov.yaml - is it a yaml?

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

by bridgecrew.io | version: 1.0.451

Expected behavior

I expect to see some output.

---
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template for IAM SAML Role and associated policies
Parameters:
  RoleName:
    Type: String
    Description: Suffix for IAM Saml role name
Resources:
  CloudFormationRolePolicy1:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAll
            Effect: Allow
            Action: '*'
            Resource: '*'
          - Sid: DenySamlRolesNpaloAlto
            Effect: Deny
            Action:
              - iam:CreateRole
              - iam:UpdateAssumeRolePolicy
              - iam:DetachRolePolicy
              - iam:DeleteRolePolicy
              - iam:PutRolePermissionsBoundary
              - iam:DeleteRole
              - iam:UpdateRole
              - iam:AttachRolePolicy
              - iam:PutRolePolicy
              - ec2:*
            Resource:
              - 'arn:aws:iam::*:role/Group-AWS*'
              - 'arn:aws:iam::*:role/regn-cld-ssm-managed*'
              - 'arn:aws:iam::*:policy/regn-cld-ssm-managed*'
              - 'arn:aws:iam::*:role/StackSet*'
              - 'arn:aws:iam::*:policy/StackSet*'
              - 'arn:aws:iam::*:policy/SAMLAssumeRolePolicy*'
              - 'arn:aws:iam::*:policy/*SAML*'
              - 'arn:aws:iam::*:policy/*saml*'
              - 'arn:aws:iam::*:policy/CloudFormationRolePolicy*'
  CloudFormationRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyVpc
            Effect: Deny
            Action:
              - 'ssm:*'
              - 'ec2:AcceptReservedInstancesExchangeQuote'
              - 'ec2:AcceptTransitGatewayVpcAttachment'
              - 'ec2:AcceptVpc*'
              - 'ec2:AdvertiseByoipCidr'
              - 'ec2:AllocateAddress'
              - 'ec2:ApplySecurityGroupsToClientVpnTargetNetwork'
              - 'ec2:AssociateClientVpnTargetNetwork'
              - 'ec2:AssociateDhcpOptions'
              - 'ec2:AssociateRouteTable'
              - 'ec2:AssociateSubnetCidrBlock'
              - 'ec2:AssociateTransitGatewayRouteTable'
              - 'ec2:AssociateVpcCidrBlock'
              - 'ec2:AttachClassicLinkVpc'
              - 'ec2:AttachInternetGateway'
              - 'ec2:AttachVpnGateway'
              - 'ec2:AuthorizeClientVpnIngress'
              - 'ec2:CreateClientVpn*'
              - 'ec2:CreateCustomerGateway'
              - 'ec2:CreateDefaultSubnet'
              - 'ec2:CreateDefaultVpc'
              - 'ec2:CreateEgressOnlyInternetGateway'
              - 'ec2:CreateFlowLogs'
              - 'ec2:CreateKeyPair'
              - 'ec2:CreateNetworkAcl*'
              - 'ec2:CreateRoute*'
              - 'ec2:CreateTransitGateway*'
              - 'ec2:CreateVpc*'
              - 'ec2:CreateVpn*'
              - 'ec2:CreateReservedInstancesListing'
              - 'ec2:CreateSubnet'
              - 'ec2:CreateTraffic*'
              - 'ec2:DeleteKeyPair'
              - 'ec2:ModifyTraffic*'
              - 'ec2:ModifyVpn*'
              - 'ec2:PurchaseReservedInstancesOffering'
              - 'ec2:PurchaseHostReservation'
              - 'ec2:CreateInternetGateway'
              - 'ec2:DeleteClientVpn*'
              - 'ec2:DeleteCustomerGateway'
              - 'ec2:DeleteDhcpOptions'
              - 'ec2:DeleteEgressOnlyInternetGateway'
              - 'ec2:DeleteFlowLogs'
              - 'ec2:DeleteInternetGateway'
              - 'ec2:DeleteNatGateway'
              - 'ec2:DeleteNetworkAcl*'
              - 'ec2:DeleteRoute*'
              - 'ec2:DeleteSubnet'
              - 'ec2:DeleteTrafficMirror*'
              - 'ec2:DeleteTransitGateway*'
              - 'ec2:DeleteVpc*'
              - 'ec2:DeleteVpn*'
              - 'ec2:DeprovisionByoipCidr'
              - 'ec2:DetachClassicLinkVpc'
              - 'ec2:DetachInternetGateway'
              - 'ec2:DetachVpnGateway'
              - 'ec2:DisableTransitGatewayRouteTablePropagation'
              - 'ec2:DisableVgwRoutePropagation'
              - 'ec2:DisableVpcClassicLink'
              - 'ec2:DisableVpcClassicLinkDnsSupport'
              - 'ec2:DisassociateClientVpnTargetNetwork'
              - 'ec2:DisassociateRouteTable'
              - 'ec2:DisassociateSubnetCidrBlock'
              - 'ec2:DisassociateTransitGatewayRouteTable'
              - 'ec2:DisassociateVpcCidrBlock'
              - 'ec2:EnableTransitGatewayRouteTablePropagation'
              - 'ec2:EnableVgwRoutePropagation'
              - 'ec2:EnableVpcClassicLink'
              - 'ec2:EnableVpcClassicLinkDnsSupport'
              - 'ec2:ExportTransitGatewayRoutes'
              - 'ec2:ImportClientVpnClientCertificateRevocationList'
              - 'ec2:ModifyClientVpnEndpoint'
              - 'ec2:ModifyTransitGatewayVpcAttachment'
              - 'ec2:ModifyVpc*'
              - 'ec2:ModifyVpnConnection'
              - 'ec2:MoveAddressToVpc'
              - 'ec2:ProvisionByoipCidr'
              - 'ec2:RejectTransitGatewayVpcAttachment'
              - 'ec2:RejectVpcEndpointConnections'
              - 'ec2:RejectVpcPeeringConnection'
              - 'ec2:ReplaceNetworkAcl*'
              - 'ec2:ReplaceRoute*'
              - 'ec2:ReplaceTransitGatewayRoute'
              - 'ec2:RevokeClientVpnIngress'
              - 'ec2:TerminateClientVpnConnections'
              - 'ec2:UnassignIpv6Addresses'
              - 'ec2:WithdrawByoipCidr'
              - 'iam:AddClientIDToOpenIDConnectProvider'
              - 'iam:CreateLoginProfile'
              - 'iam:CreateOpenIDConnectProvider'
              - 'iam:CreateSAMLProvider'
              - 'iam:CreateUser'
              - 'iam:DeleteAccountAlias'
              - 'iam:DeleteOpenIDConnectProvider'
              - 'iam:DeleteSAMLProvider'
              - 'iam:DeleteServerCertificate'
              - 'iam:DeleteServiceLinkedRole'
              - 'iam:DeleteServiceSpecificCredential'
              - 'iam:DeleteSigningCertificate'
              - 'iam:DeleteSSHPublicKey'
              - 'iam:DeleteUser'
              - 'iam:DeleteVirtualMFADevice'
              - 'iam:SetSecurityTokenServicePreferences'
              - 'iam:UpdateSAMLProvider'
              - 'iam:UpdateServerCertificate'
              - 'iam:UpdateServiceSpecificCredential'
              - 'iam:UpdateSigningCertificate'
              - 'iam:UpdateSSHPublicKey'
              - 'iam:UploadServerCertificate'
              - 'iam:UploadSigningCertificate'
              - 'iam:UploadSSHPublicKey'
              - 'organizations:*'
              - 'ec2:CreateDhcpOptions'
            Resource: '*'
  CloudFormationServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
       !Join
         - '-'
         - - 'Group-AWS-CFNServiceRole'
           - Ref: RoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Sid: ''
          Effect: Allow
          Principal:
            Service: cloudformation.amazonaws.com
          Action: sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
      - Ref: CloudFormationRolePolicy
      - Ref: CloudFormationRolePolicy1
    DependsOn:
    - CloudFormationRolePolicy
  SAMLAssumeRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: cfnassumerole
            Effect: Allow
            Action: sts:AssumeRole
            Resource:
              Fn::GetAtt:
              - CloudFormationServiceRole
              - Arn
          - Sid: cloudformation
            Effect: Allow
            Action:
              - ec2:*
              - kms:*
              - acm:ImportCertificate
              - cloudformation:CancelUpdateStack
              - cloudformation:ContinueUpdateRollback
              - cloudformation:CreateChangeSet
              - cloudformation:CreateUploadBucket
              - cloudformation:DeleteChangeSet
              - cloudformation:Describe*
              - cloudformation:DetectStackDrift
              - cloudformation:DetectStackResourceDrift
              - cloudformation:EstimateTemplateCost
              - cloudformation:ExecuteChangeSet
              - cloudformation:Get*
              - cloudformation:List*
              - cloudformation:SetStackPolicy
              - cloudformation:SignalResource
              - cloudformation:UpdateTerminationProtection
              - cloudformation:ValidateTemplate
            Resource: "*"
          - Sid: cfnadmin
            Effect: Allow
            Action:
              - cloudformation:DeleteStack
              - cloudformation:UpdateStack
              - cloudformation:CreateStack
            Resource: arn:aws:cloudformation:*:*:stack/dbops*/*
          - Sid: denymanualtasks
            Effect: Deny
            Action:
              - rds:CreateDBCluster
              - rds:CreateDBInstance
              - redshift:CreateCluster
              - ec2:RunInstances
              - kms:DeleteCustomKeyStore
              - kms:ScheduleKeyDeletion
              - kms:DeleteImportedKeyMaterial
              - kms:DeleteAlias
              - kms:DisableKey
              - kms:DisableKeyRotation
              - kms:CreateKey
            Resource: "*"

  SAMLAssumeRolePolicy2:
     Type: AWS::IAM::ManagedPolicy
     Properties:
       PolicyDocument:
         Version: '2012-10-17'
         Statement:
            - Sid: denyops
              Effect: Deny
              Action:
                - 'ec2:StartInstances'
                - 'ec2:StopInstances'
                - 'ec2:TerminateInstances'
              Resource:
                - 'arn:aws:ec2:*:*:instance/*'
              Condition:
                StringNotLike:
                 "ec2:ResourceTag/ManagedBy": "DataOps"
  SAMLAssumeRolePolicy1:
     Type: AWS::IAM::ManagedPolicy
     Properties:
       PolicyDocument:
         Version: '2012-10-17'
         Statement:
            - Sid: denyvpc
              Effect: Deny
              Action:
                - 'ec2:AcceptReservedInstancesExchangeQuote'
                - 'ec2:AcceptTransitGatewayVpcAttachment'
                - 'ec2:AcceptVpc*'
                - 'ec2:AdvertiseByoipCidr'
                - 'ec2:AllocateAddress'
                - 'ec2:ApplySecurityGroupsToClientVpnTargetNetwork'
                - 'ec2:AssociateClientVpnTargetNetwork'
                - 'ec2:AssociateDhcpOptions'
                - 'ec2:AssociateRouteTable'
                - 'ec2:AssociateSubnetCidrBlock'
                - 'ec2:AssociateTransitGatewayRouteTable'
                - 'ec2:AssociateVpcCidrBlock'
                - 'ec2:AttachClassicLinkVpc'
                - 'ec2:AttachInternetGateway'
                - 'ec2:AttachVpnGateway'
                - 'ec2:AuthorizeClientVpnIngress'
                - 'ec2:CreateClientVpn*'
                - 'ec2:CreateCustomerGateway'
                - 'ec2:CreateDefaultSubnet'
                - 'ec2:CreateDefaultVpc'
                - 'ec2:CreateEgressOnlyInternetGateway'
                - 'ec2:CreateFlowLogs'
                - 'ec2:CreateKeyPair'
                - 'ec2:CreateNetworkAcl*'
                - 'ec2:CreateRoute*'
                - 'ec2:CreateTransitGateway*'
                - 'ec2:CreateVpc*'
                - 'ec2:CreateVpn*'
                - 'ec2:CreateReservedInstancesListing'
                - 'ec2:CreateSubnet'
                - 'ec2:CreateTraffic*'
                - 'ec2:DeleteKeyPair'
                - 'ec2:ModifyTraffic*'
                - 'ec2:ModifyVpn*'
                - 'ec2:PurchaseReservedInstancesOffering'
                - 'ec2:PurchaseHostReservation'
                - 'ec2:CreateInternetGateway'
                - 'ec2:DeleteClientVpn*'
                - 'ec2:DeleteCustomerGateway'
                - 'ec2:DeleteDhcpOptions'
                - 'ec2:DeleteEgressOnlyInternetGateway'
                - 'ec2:DeleteFlowLogs'
                - 'ec2:DeleteInternetGateway'
                - 'ec2:DeleteNatGateway'
                - 'ec2:DeleteNetworkAcl*'
                - 'ec2:DeleteRoute*'
                - 'ec2:DeleteSubnet'
                - 'ec2:DeleteTrafficMirror*'
                - 'ec2:DeleteTransitGateway*'
                - 'ec2:DeleteVpc*'
                - 'ec2:DeleteVpn*'
                - 'ec2:DeprovisionByoipCidr'
                - 'ec2:DetachClassicLinkVpc'
                - 'ec2:DetachInternetGateway'
                - 'ec2:DetachVpnGateway'
                - 'ec2:DisableTransitGatewayRouteTablePropagation'
                - 'ec2:DisableVgwRoutePropagation'
                - 'ec2:DisableVpcClassicLink'
                - 'ec2:DisableVpcClassicLinkDnsSupport'
                - 'ec2:DisassociateClientVpnTargetNetwork'
                - 'ec2:DisassociateRouteTable'
                - 'ec2:DisassociateSubnetCidrBlock'
                - 'ec2:DisassociateTransitGatewayRouteTable'
                - 'ec2:DisassociateVpcCidrBlock'
                - 'ec2:EnableTransitGatewayRouteTablePropagation'
                - 'ec2:EnableVgwRoutePropagation'
                - 'ec2:EnableVpcClassicLink'
                - 'ec2:EnableVpcClassicLinkDnsSupport'
                - 'ec2:ExportTransitGatewayRoutes'
                - 'ec2:ImportClientVpnClientCertificateRevocationList'
                - 'ec2:ModifyClientVpnEndpoint'
                - 'ec2:ModifyTransitGatewayVpcAttachment'
                - 'ec2:ModifyVpc*'
                - 'ec2:ModifyVpnConnection'
                - 'ec2:MoveAddressToVpc'
                - 'ec2:ProvisionByoipCidr'
                - 'ec2:RejectTransitGatewayVpcAttachment'
                - 'ec2:RejectVpcEndpointConnections'
                - 'ec2:RejectVpcPeeringConnection'
                - 'ec2:ReplaceNetworkAcl*'
                - 'ec2:ReplaceRoute*'
                - 'ec2:ReplaceTransitGatewayRoute'
                - 'ec2:RevokeClientVpnIngress'
                - 'ec2:TerminateClientVpnConnections'
                - 'ec2:UnassignIpv6Addresses'
                - 'ec2:WithdrawByoipCidr'
                - 'ec2:CreateDhcpOptions'
              Resource: '*'
            - Sid: ssmreadonly
              Effect: Allow
              Action:
                - ssm:CancelCommand
                - ssm:PutInventory
                - ssm:UpdateInstanceInformation
                - ssm:SendAutomationSignal
                - ssm:CreateActivation
                - ssm:PutConfigurePackageResult
                - ssm:List*
                - ssm:PutComplianceItems
                - ssm:StopAutomationExecution
                - ssm:DeregisterManagedInstance
                - ssm:Describe*
                - ssm:RemoveTagsFromResource
                - ssm:AddTagsToResource
                - ssm:Get*
              Resource: "*"
            - Sid: cfns3access
              Effect: Allow
              Action:
                - s3:PutObject
                - s3:ListBucket
                - s3:GetObject
              Resource:
                - arn:aws:s3:::cf-templates*
schosterbarak commented 4 years ago

hi @mrudrara, thank you for reporting this. I guess the detection you are expecting to find is around: `- Sid: AllowAll Effect: Allow Action: '*' Resource: '*'`

right?

mrudrara commented 4 years ago

@schosterbarak Correct! I was hoping to see some form of validation like Pass/Failed

schosterbarak commented 4 years ago

@mrudrara checkov currently does not cover this specifically in cloudformation, but it does in terraform. For a full list of checks across frameworks see: https://www.checkov.io/3.Scans/resource-scans.html

metahertz commented 3 years ago

Seems we're not reading in your file:

2020-07-19 19:16:42,031 [MainThread  ] [DEBUG]  Cannot read file contents: mycheckov.yaml - is it a yaml?

The contents pasted above are indeed valid yaml. Can you try `checkov -d .` in the directory containing mycheckov.yaml to rule out filename stuff, with debug enabled?
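
The two threads above (the missing wildcard-IAM check for CloudFormation, and the template not being read) both come down to what a scanner does once it has the template as a Python dict. The block below is an added example and not Checkov's code: a stdlib-only check that walks the `Resources` of an already-parsed CloudFormation template, finds `AWS::IAM::ManagedPolicy` / `AWS::IAM::Policy` documents and inline `Policies` on roles, users and groups, and flags `Allow` statements that pair a wildcard `Resource` with `Action: '*'` (full admin) or a whole-service action such as `ec2:*`. It skips `Deny` statements (this template has many `Deny` statements on `Resource: '*'`, which are the safe direction) and treats intrinsic-function values such as `Fn::GetAtt` as non-wildcards. The sample template is a constructed, trimmed dict that mirrors the shape of the statements posted in this issue; loading the YAML itself (including the `!Join` short-form tag, which PyYAML's safe loader rejects unless a constructor is registered) is assumed to have already happened.

```python
"""Flag IAM policy statements in a parsed CloudFormation template that
grant Allow on wildcard actions against all resources.

Added example for this issue, not Checkov's own check. Assumes the
template has already been loaded into a dict (json.load for JSON, or
PyYAML with CloudFormation tag constructors registered for YAML)."""
from __future__ import annotations

from typing import Any, Iterator

POLICY_TYPES = {"AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"}
PRINCIPAL_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}


def _as_list(value: Any) -> list:
    """CloudFormation accepts a scalar or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(value: Any) -> bool:
    """Only the literal string '*' counts; intrinsic functions are dicts."""
    return isinstance(value, str) and value.strip() == "*"


def _iter_policy_documents(template: dict) -> Iterator[tuple[str, dict]]:
    """Yield (logical id, PolicyDocument) for managed, standalone and inline policies."""
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties") or {}
        if rtype in POLICY_TYPES and isinstance(props.get("PolicyDocument"), dict):
            yield logical_id, props["PolicyDocument"]
        elif rtype in PRINCIPAL_TYPES:
            for inline in _as_list(props.get("Policies")):
                if isinstance(inline, dict) and isinstance(inline.get("PolicyDocument"), dict):
                    yield f"{logical_id}/{inline.get('PolicyName', '?')}", inline["PolicyDocument"]


def find_wildcard_allows(template: dict) -> list[dict]:
    """Return one finding per Allow statement whose Resource is '*' and whose
    Action is '*' (HIGH) or a whole-service wildcard like 'ec2:*' (MEDIUM)."""
    findings = []
    for logical_id, doc in _iter_policy_documents(template):
        for stmt in _as_list(doc.get("Statement")):
            if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
                continue  # Deny on '*' restricts rather than grants; not a finding
            actions = _as_list(stmt.get("Action"))
            resources = _as_list(stmt.get("Resource"))
            if not any(_is_wildcard(r) for r in resources):
                continue
            if any(_is_wildcard(a) for a in actions):
                severity = "HIGH"    # Action '*' on Resource '*' is full admin
            elif any(isinstance(a, str) and a.endswith(":*") for a in actions):
                severity = "MEDIUM"  # every action of a service, on every resource
            else:
                continue             # e.g. only 'cloudformation:Describe*' style reads
            findings.append({
                "resource": logical_id,
                "sid": stmt.get("Sid", ""),
                "severity": severity,
                "actions": [a for a in actions if isinstance(a, str) and "*" in a],
            })
    return findings


# Constructed sample: a trimmed dict with the same shape as the template in
# this issue, keeping only the statements that exercise the check.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "CloudFormationRolePolicy1": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
                {"Sid": "DenySamlRoles", "Effect": "Deny", "Action": ["iam:CreateRole"],
                 "Resource": ["arn:aws:iam::*:role/Group-AWS*"]},
            ]}},
        },
        "SAMLAssumeRolePolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Sid": "cfnassumerole", "Effect": "Allow", "Action": "sts:AssumeRole",
                 "Resource": {"Fn::GetAtt": ["CloudFormationServiceRole", "Arn"]}},
                {"Sid": "cloudformation", "Effect": "Allow",
                 "Action": ["ec2:*", "kms:*", "cloudformation:Describe*"], "Resource": "*"},
                {"Sid": "cfns3access", "Effect": "Allow", "Action": ["s3:PutObject"],
                 "Resource": ["arn:aws:s3:::cf-templates*"]},
            ]}},
        },
        "SAMLAssumeRolePolicy2": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Sid": "denyops", "Effect": "Deny", "Action": ["ec2:StopInstances"],
                 "Resource": ["arn:aws:ec2:*:*:instance/*"]},
            ]}},
        },
    },
}

if __name__ == "__main__":
    for f in find_wildcard_allows(SAMPLE_TEMPLATE):
        print(f"{f['severity']:6} {f['resource']} Sid={f['sid']!r} actions={f['actions']}")
```

On the sample this reports `AllowAll` in `CloudFormationRolePolicy1` as HIGH and the `cloudformation` statement in `SAMLAssumeRolePolicy` as MEDIUM, and nothing for the `Deny` statements or for the `Fn::GetAtt`-scoped `sts:AssumeRole`. The severity split matters in practice: `Action: '*'` on `Resource: '*'` is an account-admin grant, while `ec2:*` on `'*'` is scoped to a service but still bypasses any resource-level boundary.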

stale[bot] commented 3 years ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] commented 3 years ago

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!