data-dot-all / dataall

A modern data marketplace that makes collaboration among diverse users (like business, analysts and engineers) easier, increasing efficiency and agility in data projects on AWS.
https://data-dot-all.github.io/dataall/
Apache License 2.0

Implement least privilege permissions for the IAM role SecretsManagerRDSPostgreSQLRotationSingleUserRole #1323

Open mourya-33 opened 2 months ago

mourya-33 commented 2 months ago

Describe the bug

The IAM role SecretsManagerRDSPostgreSQLRotationSingleUserRole has overly permissive permissions that are flagged by a checkov scan (scan result below):

CheckID : CKV_AWS_111
CheckName : Ensure IAM policies does not allow write access without constraints
File : /dataall-staging-backend-stage-backend-stack-AuroraDatabasestagingRotationSingleUser36E-1P9OZ9G9U4NU7.yaml:133-253
Resource : AWS::IAM::Role.SecretsManagerRDSPostgreSQLRotationSingleUserRole
Guideline : CKV_AWS_111

This needs to be restricted to the required resources only.

How to Reproduce

Post deployment, run a checkov scan on the template for Aurora stacks. The scan report would include the entry for the role with a FAILED error message as described in the description above.

Expected behavior

The IAM role permissions should be restricted to only the required resources.

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.5

Additional context

No response
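The check CKV_AWS_111 fails when an Allow statement grants a write-level action on Resource "*" with no Condition. The following added example (not code from the data.all project, and not the actual policy of the flagged role, which the issue does not show) implements that rule as a small Python check and runs it over two constructed policies: a "before" policy that grants Secrets Manager write actions on "*", and an "after" policy scoped to a placeholder secret ARN. The action names used are the standard Secrets Manager actions a single-user rotation function calls; the WRITE_VERBS list is this example's own approximation of what checkov treats as "write access", and the ARN is a labelled placeholder.

```python
"""CKV_AWS_111-style check: flag Allow statements that grant write-level
actions on Resource "*" with no Condition.

Added example, not part of data.all. The two policies below are constructed
for illustration and do not reproduce the project's real role definition.
"""

# Approximation of "write access" for IAM action verbs (assumption of this example).
WRITE_VERBS = ("Put", "Update", "Delete", "Create", "Modify", "Set",
               "Attach", "Detach", "Remove", "Rotate")


def is_write_action(action: str) -> bool:
    """True for '*', 'service:*' and verbs that change state."""
    if action == "*":
        return True
    _service, _, verb = action.partition(":")
    return verb == "*" or verb.startswith(WRITE_VERBS)


def _as_list(value) -> list:
    # IAM allows Action/Resource to be a single string or a list.
    return [value] if isinstance(value, str) else list(value or [])


def unconstrained_write_statements(policy: dict) -> list[dict]:
    """Return the Allow statements that would fail CKV_AWS_111:
    a write-level action, Resource "*", and no Condition block."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources and any(is_write_action(a) for a in actions):
            findings.append(stmt)
    return findings


# Constructed "before" policy: rotation actions granted on every secret.
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage",
                "secretsmanager:GetRandomPassword",
            ],
            "Resource": "*",
        }
    ],
}

# Placeholder ARN; a real deployment would use the Aurora credential secret's ARN.
SECRET_ARN = "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:PLACEHOLDER_SECRET_NAME-*"

# Constructed "after" policy: write actions scoped to the one secret being
# rotated; GetRandomPassword is read-only and is not tied to a resource.
AFTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "secretsmanager:UpdateSecretVersionStage",
            ],
            "Resource": SECRET_ARN,
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetRandomPassword",
            "Resource": "*",
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("before", BEFORE_POLICY), ("after", AFTER_POLICY)):
        hits = unconstrained_write_statements(policy)
        print(f"{name}: {'FAILED' if hits else 'PASSED'} ({len(hits)} statement(s) flagged)")
```

Running the module prints `before: FAILED (1 statement(s) flagged)` and `after: PASSED (0 statement(s) flagged)`. The second statement in the scoped policy survives the check because GetRandomPassword does not start with a write verb; if a rotation Lambda also runs inside a VPC, its network-interface permissions would need the same scoping or a Condition to pass the check.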

dlpzx commented 1 month ago

Hi @mourya-33 thanks for opening an issue; will you be implementing it?

mourya-33 commented 1 week ago

Hi @dlpzx yes I will be picking this up. Please assign it to me