bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Checkov should run validation on JSON policy files #4688

Closed jkatic85 closed 1 year ago

jkatic85 commented 1 year ago

Describe the issue

At work, we keep our IAM policies defined in policy.json file that lives next to a terragrunt.hcl file that applies it on our infrastructure. And, even though Checkov is useful to go through HCL files, it completely ignores the JSON file. Currently, the check only works if the policy is defined within the HCL file.

It would be nice to have a way to parse JSON policy files and trigger if the file is too permissive, malformed, etc.

Existing AWS IAM policy checks that trigger when defining a policy inside the HCL file could be re-used to run through a JSON file. Some are mentioned below.

Examples

Keeping the policy inside an HCL file would trigger Checkov, i.e.:

    FAILED for resource: aws_iam_policy_document.example
    File: /terragrunt.hcl:1-12
    Guide: https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-data-exfiltration

        1  | data "aws_iam_policy_document" "example" {
        2  |  statement {
        3  |    sid = "1"
        4  |    effect = "Allow"
        5  |    actions = [
        6  |      "*"
        7  |    ]
        8  |    resources = [
        9  |      "*",
        10 |    ]
        11 |  }
        12 | }

This triggers the following checks to fail (redacted for readability):

But, if I have the same permissive policy in policy.json and I call it from terragrunt.hcl it all passes:

policy.json contents:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TriggerCheckov",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

terragrunt.hcl contents:

terraform {
  source = "../modules/aws-iam-policy/"
}

# Include all settings from the root terraform.tfvars file
include {
  path = find_in_parent_folders()
}

inputs = {
  name        = "example-lambda-secrets-manager-policy"
  description = "Test Example"
  policy      = "${file("policy.json")}"
}

Manually running Checkov:

~ checkov -d .
[ kubernetes framework ]: 100%|████████████████████|[1/1], Current File Scanned=policy.json
[ terraform framework ]: 100%|████████████████████|[1/1], Current File Scanned=terragrunt.hcl
[ secrets framework ]: 100%|████████████████████|[2/2], Current File Scanned=./terragrunt.hcl

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.3.96

The outcome should be the same as the one mentioned above - Failed checks because the policy is too permissive.

Version (please complete the following information):

Additional context

This is a feature request (unless there is a way to run checks against JSON files which I am not aware of, in which case, please let me know how) to make Checkov a more complete tool.

Thank you!
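The check the reporter is asking for, as an added example that is not Checkov's own code: a minimal scanner that reads standalone IAM policy JSON files (the policy.json layout shown above, which the terragrunt inputs block references) and fails any Allow statement whose Action is a bare "*", with the malformed-JSON case handled as well. The sample policy is the one from this report, embedded inline.

```python
import json
from pathlib import Path

# Constructed sample: the policy.json from the report above, embedded so this runs offline.
SAMPLE_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TriggerCheckov", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
}""")


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overly_permissive(policy: dict) -> list[dict]:
    """Return one finding per Allow statement that grants a bare '*' action."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access, so they are not flagged
        sid = stmt.get("Sid") or f"Statement[{idx}]"
        wild_action = "*" in _as_list(stmt.get("Action"))
        wild_resource = "*" in _as_list(stmt.get("Resource"))
        if wild_action:
            reason = "Allow '*' on '*' (full admin)" if wild_resource else "Allow '*' action"
            findings.append({"sid": sid, "reason": reason})
    return findings


def scan_policy_file(path: Path) -> list[str]:
    """Scan one file; an empty list means PASSED, otherwise each entry is a failure."""
    try:
        policy = json.loads(path.read_text())
    except json.JSONDecodeError as exc:
        return [f"malformed JSON: {exc}"]  # the 'malformed' case the issue mentions
    if not isinstance(policy, dict) or "Statement" not in policy:
        return ["not an IAM policy document (no Statement key)"]
    return [f"{f['sid']}: {f['reason']}" for f in find_overly_permissive(policy)]


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every policy.json under root, matching the terragrunt layout described."""
    return {str(p): scan_policy_file(p) for p in root.rglob("policy.json")}


if __name__ == "__main__":
    for f in find_overly_permissive(SAMPLE_POLICY):
        print(f"FAILED {f['sid']}: {f['reason']}")
```

Run it against a module tree with `scan_tree(Path("."))` to get a per-file verdict; a directory that only holds HCL will simply return an empty dict.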

gruebel commented 1 year ago

Hi @jkatic85 thanks for reaching out.

I think we had that request in the past, but I can't find the GH issue. I will keep it open, till we either support it or I find the older issue. Nevertheless we don't plan to support terragrunt any time soon, therefore it won't help you much, when we implement it for terraform. You can still scan the generated plan file to get results for the policy.

jkatic85 commented 1 year ago

Hey @gruebel 👋🏻

Thanks for responding so quickly! As for terragrunt/terraform they are interchangeable, and everything that works for terraform already works in terragrunt from my investigation (i.e. all our manifests were scanned and we got feedback from Checkov for things that can be improved). Also, plans would look the same whether it's terraform plan or terragrunt plan.

As for scanning the generated plan, if I understand correctly, you are saying this is already supported? Can you point me to the documentation that explains how to implement this?

nimrodkor commented 1 year ago

@gruebel Would supporting the file() tf operator solve this issue? @jkatic85 checkov can scan terraform plan files just like it scans HCL, you can run checkov with --framework terraform_plan to see for yourself

gruebel commented 1 year ago

I think I was not precise enough. We don't support the special terragrunt syntax. So, when we implement support for the file() function, we would only scan those files if they are directly used with a Terraform resource, like aws_iam_role_policy, but here it is referenced via the inputs block, which we don't evaluate.

jkatic85 commented 1 year ago

Thanks for your inputs @nimrodkor and @gruebel, I've managed to write a custom action that scans the terraform/terragrunt plan output and Checkov works great with that.

stale[bot] commented 1 year ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] commented 1 year ago

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!