Updated the has_statement? function of aws_iam_inline_policy.rb. For Action and NotAction, if they are arrays (see screenshot below), it will use include? to check whether there is any match to criteria[:Action]/criteria[:NotAction]. If they are not arrays, it will use eql? to check whether the statement and criteria match exactly.
Issues Resolved
The current resource pack would generate false alerts because of the criteria check logic. For example, the criteria may be set as {Resource: '*', Action: '*', Effect: 'Allow'} to check whether the inline policy authorizes any action on any resource. However, an inline policy whose Action array includes * will also fail the check, such as the one in the above screenshot.
Check List
Please fill in the box where appropriate ([x]) or mark N/A.
[ ] New functionality includes integration tests/controls
[ ] New Terraform resources
[ ] Documentation provided or updated for resources
[ ] rake lint passes
Signed-off-by: Jiaming Wang jiaming.wang@sap.com
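The matching rule described in this PR, as an added stand-alone example (not code from inspec-aws): statements and criteria are modelled as plain Ruby hashes with symbol keys, and the strict eql?-only version is kept beside the fixed one so the missed match on a multi-action statement is visible.

```ruby
# Added example, not inspec-aws code. Statements and criteria are assumed to be
# Ruby hashes with symbol keys (a simplification of the parsed policy document).

# Constructed sample inline policy: the first statement lists several actions,
# including the wildcard '*', which the strict comparison fails to match.
SAMPLE_STATEMENTS = [
  { Effect: 'Allow', Action: ['s3:GetObject', '*'], Resource: '*' },
  { Effect: 'Deny',  NotAction: 'iam:*', Resource: 'arn:aws:s3:::example-bucket' }
].freeze

# Original behaviour: every criterion must be exactly equal to the statement value.
def has_statement_strict?(statements, criteria)
  statements.any? do |stmt|
    criteria.all? { |key, value| stmt[key].eql?(value) }
  end
end

# Behaviour after the PR: when Action or NotAction in the statement is an array,
# the criterion matches if the array includes it; every other field, and scalar
# Action/NotAction values, keep the exact eql? comparison.
def has_statement?(statements, criteria)
  statements.any? do |stmt|
    criteria.all? do |key, value|
      actual = stmt[key]
      if %i[Action NotAction].include?(key) && actual.is_a?(Array)
        actual.include?(value)
      else
        actual.eql?(value)
      end
    end
  end
end

# The check that motivated the PR: does any statement allow any action on any resource?
ANY_ACTION_ANY_RESOURCE = { Resource: '*', Action: '*', Effect: 'Allow' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "strict: #{has_statement_strict?(SAMPLE_STATEMENTS, ANY_ACTION_ANY_RESOURCE)}" # false (missed)
  puts "fixed:  #{has_statement?(SAMPLE_STATEMENTS, ANY_ACTION_ANY_RESOURCE)}"        # true
end
```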