Comments (1)
Hi Fabio,
Thank you for taking a closer look at the Guard rule example we have provided with the repository. We think that the Guard rule has clauses that will make the keys sensitive. Here's how:
From the same AWS documentation you linked, it also states:
Case-sensitivity of condition key values depends on the condition operator that you use. For example, the following condition includes the StringEquals operator to ensure that only requests made by johndoe match. Users named JohnDoe are denied access.
The guard rule in question applies to the keys StringEquals, StringLike, ArnEquals and ArnLike; the following snippet will ensure that:
rule check_via_aws_service(statement) {
    # only statements whose principal is an AWS service are in scope
    when %statement.Principal.Service exists {
        # this block only runs when at least one of the four operators is present
        %statement.Condition[ keys == /String(Equals|Like)|Arn(Equals|Like)/ ] not empty {
            # collect every aws:Source* value found under those operators
            let source_accounts = this[ keys == /(aws|AWS):[sS]ource(Account|Owner|Arn|ARN)/ ]
            # each collected value must appear in the allow-list
            %source_accounts in %allowed
        }
    }
}
Now, for the templates where this rule is skipped, meaning the four keys that we are checking are actually not used, whereas the IgnoreCase equivalent is used, I agree there is a possibility of bypassing the rule.
We may need to either tweak the rule or add another clause applicable to ignore case condition operators as well. We will make the necessary changes and raise a PR for this change.
HTH,
Akshay
from cloudformation-guard.
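To make the gap discussed above concrete, here is an added Python model of the rule's decision logic (example code, not cloudformation-guard's own evaluator or Guard syntax). It assumes the rule behaves as the comment describes: a statement with a service principal is skipped when none of the watched condition operators is present, and fails when a watched aws:Source* value is outside the allow-list; the sample statements and allow-list are constructed.

```python
import re

# Operators the rule on this page watches, and the widened set the follow-up
# suggests. Assumption: the rule is modelled as an explicit operator list here.
ORIGINAL_OPERATORS = {"StringEquals", "StringLike", "ArnEquals", "ArnLike"}
WIDENED_OPERATORS = ORIGINAL_OPERATORS | {"StringEqualsIgnoreCase"}

# Same key pattern as the rule's second filter, anchored to the whole key name.
SOURCE_KEY = re.compile(r"^(aws|AWS):[sS]ource(Account|Owner|Arn|ARN)$")


def check_via_aws_service(statement, operators, allowed):
    """Return SKIP, PASS or FAIL for one IAM policy statement."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict) or "Service" not in principal:
        return "SKIP"  # rule only applies to service principals
    conditions = statement.get("Condition", {})
    watched = {op: conditions[op] for op in conditions if op in operators}
    if not watched:
        return "SKIP"  # the gap: an IgnoreCase-only condition lands here
    values = []
    for keyvals in watched.values():
        for key, val in keyvals.items():
            if SOURCE_KEY.match(key):
                values.extend(val if isinstance(val, list) else [val])
    # Assumption: no aws:Source* key under a watched operator counts as FAIL.
    return "PASS" if values and all(v in allowed for v in values) else "FAIL"


# Constructed allow-list: one account ID and one SNS topic ARN.
ALLOWED = {"111122223333", "arn:aws:sns:us-east-1:111122223333:alerts"}

# Constructed statements: one guarded by StringEquals, one only by IgnoreCase.
SAFE = {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
        "Action": "sqs:SendMessage", "Resource": "*",
        "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}
IGNORECASE = {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
              "Action": "sqs:SendMessage", "Resource": "*",
              "Condition": {"StringEqualsIgnoreCase": {
                  "aws:SourceArn": "arn:aws:sns:us-east-1:999999999999:alerts"}}}

if __name__ == "__main__":
    for name, stmt in (("SAFE", SAFE), ("IGNORECASE", IGNORECASE)):
        print(name, "original:", check_via_aws_service(stmt, ORIGINAL_OPERATORS, ALLOWED),
              "widened:", check_via_aws_service(stmt, WIDENED_OPERATORS, ALLOWED))
```

The IgnoreCase statement is skipped by the original operator set and fails once the widened set is used, which is the bypass the comment acknowledges.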