bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Support OrganizationId as a principal for Lambda Resource Policy #6500

Open srikanthm-1 opened 3 months ago

srikanthm-1 commented 3 months ago

Describe the issue

Relevant check Id: CKV_AWS_364. AWS Lambda supports having an organization as a principal (See here), but the check is not handling that.

Examples

Please share an example code sample (in the IaC of your choice) + the expected outcomes.

{
 "Description": "Application stack ",
 "Resources": {
  "functionE78B77A9": {
   "Type": "AWS::Lambda::Permission",
   "Properties": {
    "Action": "lambda:InvokeFunction",
    "FunctionName": {
     "Fn::GetAtt": [
      "qrBD631E36",
      "Arn"
     ]
    },
    "Principal": "*",
    "PrincipalOrgID": "o-asdasd"
   }
  }
 }
}

Running checkov --run-all-external-checks on the above cfn template will cause the failure


Additional context

This check is also printing "Not a service principal" to standard out, which is messing with the output format of the command. It's not clear if that is a bug or along expected lines.

tsmithv11 commented 3 months ago

@srikanthm-1 thanks for reaching out! I ran checkov -f check.json --run-all-external-checks against your example and it treated the result as UNKNOWN which is as expected. This check is looking for permissions delegated to service accounts only. If we use PrincipalOrgID the scope is too broad and will include some non-service accounts. Therefore, we can't run this check against those without creating false positives.

Also note, we'll remove the odd print statement.
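To make the maintainer's triage rule concrete, here is an added example (not checkov's own code, and not from either commenter) that applies it to the issue's template: a non-service principal, including `*` narrowed by `PrincipalOrgID`, is reported UNKNOWN, while a service principal is checked for `SourceArn` or `SourceAccount` scoping. The pass condition and the `.amazonaws.com` suffix test are assumptions for this example, not details stated in the thread.

```python
SERVICE_PRINCIPAL_SUFFIX = ".amazonaws.com"  # assumption: how a service principal is recognised


def is_service_principal(principal) -> bool:
    # Only plain service principals such as "s3.amazonaws.com" qualify;
    # "*", account ids, ARNs and org-scoped wildcards do not.
    return isinstance(principal, str) and principal.endswith(SERVICE_PRINCIPAL_SUFFIX)


def evaluate_permission(props: dict) -> str:
    """Classify one AWS::Lambda::Permission as described in the thread:
    non-service principals are out of scope (UNKNOWN); service principals
    must be limited by SourceArn or SourceAccount (assumed pass condition)."""
    if not is_service_principal(props.get("Principal")):
        return "UNKNOWN"
    if props.get("SourceArn") or props.get("SourceAccount"):
        return "PASSED"
    return "FAILED"


def scan_template(template: dict) -> dict:
    """Return {logical id: verdict} for every Lambda permission in a CFN template."""
    results = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Lambda::Permission":
            results[name] = evaluate_permission(res.get("Properties", {}))
    return results


# Constructed template: the issue's org-scoped permission plus two
# service-principal permissions, one scoped by SourceArn and one unscoped.
SAMPLE_TEMPLATE = {
    "Resources": {
        "orgPermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {"Action": "lambda:InvokeFunction", "FunctionName": "my-fn",
                           "Principal": "*", "PrincipalOrgID": "o-asdasd"}},
        "s3Scoped": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {"Action": "lambda:InvokeFunction", "FunctionName": "my-fn",
                           "Principal": "s3.amazonaws.com",
                           "SourceArn": "arn:aws:s3:::example-bucket"}},
        "snsUnscoped": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {"Action": "lambda:InvokeFunction", "FunctionName": "my-fn",
                           "Principal": "sns.amazonaws.com"}},
    }
}

if __name__ == "__main__":
    for logical_id, verdict in scan_template(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {verdict}")
```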