Merge pull request #7097 from Checkmarx/tf_bug_principals

fix(query): policy without principal query with false positive for IAM role used as an inline policy
Checkmarx · Jun 26, 2024 · 6855628 · 6855628
2 parents 6b06adc + ba3f02a
commit 6855628
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/assets/queries/terraform/aws/policy_without_principal/query.rego b/assets/queries/terraform/aws/policy_without_principal/query.rego
@@ -27,7 +27,7 @@ CxPolicy[result] {
 }
 
 is_iam_identity_based_policy(resource) {
-	iam_identity_based_policy := {"aws_iam_group_policy", "aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy"}
+	iam_identity_based_policy := {"aws_iam_group_policy", "aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_role"}
 	resource == iam_identity_based_policy[_]
 }
 

diff --git a/assets/queries/terraform/aws/policy_without_principal/test/negative4.tf b/assets/queries/terraform/aws/policy_without_principal/test/negative4.tf
@@ -0,0 +1,33 @@
+data "aws_iam_policy_document" "example" {
+  statement {
+    actions = [
+      "cloudwatch:PutMetricData",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+data "aws_iam_policy_document" "lambda_assume" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+    principals {
+      type = "Service"
+      identifiers = [
+        "lambda.amazonaws.com"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role" "example" {
+  name               = "example-role"
+  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
+
+  inline_policy {
+    name   = "default"
+    policy = data.aws_iam_policy_document.example.json
+  }
+}