dlpzx
commented
2 months ago Hi @mourya-33 thanks for opening an issue. I have quickly looked into the docs and actions such as ram:AcceptResourceShareInvitation can only be limited to ram:ShareOwnerAccountId and ram:ResourceShareName.
So, we cannot restrict permissions based on tags, but we can use the Resource share name, because all data.all RAM shares will be using Lake Formation and will have a name such as LakeFormation-VX-UNIQUEIDENTIFIER. Is that what you are looking for? Or do you just need to include the policy as an exception in checkov?
anmolsgandhi
zsaltys
mourya-33
Describe the bug
Pivot Role (auto created and custom) has the following unrestricted permissions on KMS and RAM shares. This role needs to be added as an exception until the following are remediated.
How to Reproduce
Run checkov scan for auto created pivot role or custom pivot role - deploy/pivot_role/pivotRole.yaml. The scan will FAIL with the following message.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.PivotRolePolicy0 File: /deploy/pivot_role/pivotRole.yaml:{line numbers} Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management without constraints" FAILED for resource: AWS::IAM::ManagedPolicy.PivotRolePolicy0 File: /deploy/pivot_role/pivotRole.yaml:{line numbers} Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint
Expected behavior
Once remediated, the checkov scan should not contain the above mentioned failures.
Your project
No response
Screenshots
No response
OS
Mac
Python version
3.10
AWS data.all version
2.3
Additional context
No response