data-dot-all / dataall

A modern data marketplace that makes collaboration among diverse users (like business, analysts and engineers) easier, increasing efficiency and agility in data projects on AWS.
https://data-dot-all.github.io/dataall/
Apache License 2.0

Add dataall IAM AssetsFileRole to checkov baseline #1188

Open mourya-33 opened 5 months ago

mourya-33 commented 5 months ago

Describe the bug

CDK automatically creates an IAM Role, AssetsFileRole, for managing the Assets stage in the main CI/CD CodePipeline. However, this role has a default policy with the following unrestricted IAM permissions, which are flagged by checkov scans:

```json
{
  "Action": [
    "codebuild:BatchGetBuilds",
    "codebuild:StartBuild",
    "codebuild:StopBuild"
  ],
  "Effect": "Allow",
  "Resource": "*"
}
```

This needs to be added to the checkov baseline until remediated.

How to Reproduce

While deploying dataall to AWS, after the `cdk synth`, scan the file `cdk.out/dataall-main-cicd-stack.template.json` with checkov. Checkov will report a FAILURE with the following message:

```
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: AWS::IAM::Policy.dataallmaincdkpipelineAssetsFileRoleDefaultPolicy{Hash}
	File: /dataall-main-cicd-stack.template.json: {line number}
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
```

Expected behavior

Once the role is added to checkov baseline, the checkov scan should no longer have a FAILURE message for the AssetsFileRole.

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.3

Additional context

This issue is related to https://github.com/data-dot-all/dataall/issues/877
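The following is an added example, not code from the dataall project or from checkov. It mimics the reasoning behind CKV_AWS_111 (an Allow statement that grants write-style actions on `Resource: "*"` with no Condition) over a constructed CloudFormation template fragment. Only the policy statement itself is taken from the issue; the logical id suffix, role reference and the CodeBuild project ARN are placeholders, the read/write verb split is my own heuristic rather than checkov's exact action list, and the baseline record layout is an assumption about what `checkov --create-baseline` writes, to be checked against a freshly generated `.checkov.baseline`. It also shows the remediated form of the statement (same actions, bound to one project ARN), which is what clears the finding rather than baselining it.

```python
"""Spot IAM policy statements that grant write actions on Resource "*" in a CFN template."""
import json

# Constructed template fragment. The statement is the one quoted in the issue;
# the id suffix and role reference are placeholders, not values from dataall.
TEMPLATE = {
    "Resources": {
        "dataallmaincdkpipelineAssetsFileRoleDefaultPolicyPLACEHOLDER": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Action": [
                                "codebuild:BatchGetBuilds",
                                "codebuild:StartBuild",
                                "codebuild:StopBuild",
                            ],
                            "Effect": "Allow",
                            "Resource": "*",
                        }
                    ],
                },
                "Roles": [{"Ref": "AssetsFileRolePLACEHOLDER"}],
            },
        },
        # Read-only on "*" is not the CKV_AWS_111 pattern and should not be flagged.
        "ReadOnlyPolicyPLACEHOLDER": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Action": "codebuild:BatchGetBuilds", "Effect": "Allow", "Resource": "*"}
                    ],
                }
            },
        },
    }
}

# Heuristic (mine, not checkov's list): verbs with these prefixes do not change state.
READ_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Head")


def as_list(value):
    """IAM allows a bare string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_write_action(action: str) -> bool:
    """'codebuild:StartBuild' -> True; 'codebuild:BatchGetBuilds' -> False; '*' -> True."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return not verb.startswith(READ_PREFIXES)


def statement_is_unconstrained_write(stmt: dict) -> bool:
    """Allow + at least one write action + Resource "*" + no Condition."""
    if stmt.get("Effect") != "Allow" or "Condition" in stmt:
        return False
    if "*" not in as_list(stmt.get("Resource", [])):
        return False
    return any(is_write_action(a) for a in as_list(stmt.get("Action", [])))


def find_unconstrained_writes(template: dict) -> list:
    """Logical ids of AWS::IAM::Policy resources with an offending statement."""
    hits = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        if any(statement_is_unconstrained_write(s) for s in as_list(doc.get("Statement", []))):
            hits.append(logical_id)
    return hits


def scope_to_project(stmt: dict, project_arn: str) -> dict:
    """Remediated statement: identical actions, bound to a single CodeBuild project."""
    fixed = dict(stmt)
    fixed["Resource"] = project_arn
    return fixed


def baseline_record(template_file: str, logical_id: str, check_id: str) -> dict:
    """Assumed shape of a checkov baseline entry; verify against --create-baseline output."""
    return {
        "failed_checks": [
            {"file": template_file, "findings": [{"resource": f"AWS::IAM::Policy.{logical_id}", "check_ids": [check_id]}]}
        ]
    }


if __name__ == "__main__":
    for lid in find_unconstrained_writes(TEMPLATE):
        print("CKV_AWS_111 pattern in", lid)
        print(json.dumps(baseline_record("/dataall-main-cicd-stack.template.json", lid, "CKV_AWS_111"), indent=2))
```

Running the module prints the one flagged logical id and a baseline-shaped record for it; the read-only policy on `"*"` is left alone because none of its actions change state. Scoping the statement with `scope_to_project` is the preferable fix, since a baseline only silences the finding while the role keeps StartBuild/StopBuild on every CodeBuild project in the account.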

dlpzx commented 5 months ago

Thanks for opening an issue @mourya-33. I assigned you to the issue; let us know if you need any support.

mourya-33 commented 4 months ago

Thanks Adriana