KICS scan not flagging SSO policy with admin access
I'm running KICS on my infrastructure, but the inline SSO policy below is not being flagged as “SSO Policies with Full Privileges” or as an “IAM Policy with Full Privileges”. Is there any reason for this?
module "SSO_permissionset" {
source = "../../..//modules/permissionset"
permission_set_name = "SSO-permissionset1"
inline_policy_to_attach = local.sso_permissionset_policy
}
# define the inline policy for SSO permission set
locals {
sso_permissionset_policy = <<EOT
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
permissionset.tf
resource "aws_ssoadmin_permission_set" "permission_set" {
name = var.permission_set_name
description = var.permission_set_description
instance_arn = var.awssso_arn
}
resource "aws_ssoadmin_permission_set_inline_policy" "inline_policy" {
inline_policy = var.inline_policy_to_attach
instance_arn = var.awssso_instance_arn
permission_set_arn = aws_ssoadmin_permission_set.permission_set.arn
}
Hello @drey0143143
I think this file is not 100% correct, because at least there is one "EOF" missing. Could you please give a correct sample?
https://github.com/Checkmarx/kics/issues/6289
@cx-henriqueAlvelos Thanks for your response, I have fixed the mistake you pointed out. The below is not being flagged either as “SSO Policies with Full Privileges” or as an “IAM Policy with Full Privileges”. Is there any reason for this?
module "SSO_permissionset" {
source = "../../..//modules/permissionset"
permission_set_name = "SSO-permissionset1"
inline_policy_to_attach = local.sso_permissionset_policy
}
locals {
sso_permissionset_policy = <<EOT
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
}
EOT
}
modules/permissionset/main.tf
resource "aws_ssoadmin_permission_set" "permission_set" {
name = var.permission_set_name
description = var.permission_set_description
instance_arn = var.awssso_arn
}
resource "aws_ssoadmin_permission_set_inline_policy" "inline_policy" {
inline_policy = var.inline_policy_to_attach
instance_arn = var.awssso_instance_arn
permission_set_arn = aws_ssoadmin_permission_set.permission_set.arn
}
However, when we use the below in our configuration, it's being flagged as “IAM Policy with Full Privileges”.
# define the inline policy for the cloud_analyst permission set
data "aws_iam_policy_document" "cloud_analyst_policy" {
  statement {
    sid       = "VisualEditor0"
    effect    = "Allow"
    resources = ["*"]
    actions   = ["*"]
  }
}
The reason why KICS doesn't flag a vulnerability is that the query https://github.com/Checkmarx/kics/blob/754efc1c6b831870a43f417ec3d7e8743fb0570e/assets/queries/terraform/aws/sso_policy_with_full_priveleges/query.rego is prepared to get the policy directly, i.e.:
resource "aws_ssoadmin_permission_set_inline_policy" "inline_policy" {
inline_policy = <<EOT
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
}
EOT
instance_arn = var.awssso_instance_arn
permission_set_arn = aws_ssoadmin_permission_set.permission_set.arn
}
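The gap described in the reply above can be reproduced outside KICS. What follows is an added example, not code from this issue or from the KICS project: a small Python script that first checks only the resource's own `inline_policy` heredoc (the shape the query handles) and then follows the `var.inline_policy_to_attach` -> module argument -> `local.sso_permissionset_policy` chain from this thread back to the heredoc before testing it for `Allow` on `Action "*"` and `Resource "*"`. The Terraform text is constructed to mirror the samples posted here, and the brace-depth block parser and regexes only cover the shapes seen in them (one attribute per line, heredoc literals, `local.`/`var.` references); they are not a general HCL parser.

```python
# Added example, not KICS code: follow Terraform indirection (var -> module argument
# -> local) before checking an SSO inline policy for full privileges. The Terraform
# text below is constructed to mirror this issue; resource and variable names come from it.
import json
import re

ROOT_TF = '''
module "SSO_permissionset" {
  source                  = "../../..//modules/permissionset"
  permission_set_name     = "SSO-permissionset1"
  inline_policy_to_attach = local.sso_permissionset_policy
}
locals {
  sso_permissionset_policy = <<EOT
{
  "Version": "2012-10-17",
  "Statement": [{ "Effect": "Allow", "Action": ["*"], "Resource": "*" }]
}
EOT
}
'''
# Child module: the policy arrives through a variable, so the resource block holds
# no policy text for a query that only reads the resource.
MODULE_TF = '''
resource "aws_ssoadmin_permission_set_inline_policy" "inline_policy" {
  inline_policy      = var.inline_policy_to_attach
  instance_arn       = var.awssso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.permission_set.arn
}
'''
# Same resource with the policy written inline: the shape the query does catch.
DIRECT_TF = MODULE_TF.replace("var.inline_policy_to_attach", '<<EOT\n{"Version": "2012-10-17", '
                              '"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}\nEOT')

# `name = <<TAG ... TAG` and `name = local.x` / `name = var.x`, one attribute per line.
_HEREDOC = re.compile(r'^[ \t]*(\w+)\s*=\s*<<-?(\w+)\n(.*?)\n[ \t]*\2[ \t]*$', re.S | re.M)
_REF = re.compile(r'^[ \t]*(\w+)\s*=\s*((?:local|var)\.\w+)[ \t]*$', re.M)
RESOURCE = ("resource", "aws_ssoadmin_permission_set_inline_policy", "inline_policy")

def block_body(tf, kind, *labels):
    """Body of the first `kind "label" ... {` block, found by brace depth; heredoc
    contents are skipped so a `}` inside a policy document does not close it early."""
    header = re.compile(kind + "".join(rf'[ \t]+"{re.escape(l)}"' for l in labels) + r'[ \t]*\{[ \t]*$')
    lines = tf.splitlines()
    starts = [i for i, line in enumerate(lines) if header.match(line)]
    if not starts:
        return None
    depth, heredoc, body = 1, None, []
    for line in lines[starts[0] + 1:]:
        body.append(line)
        if heredoc is not None:
            heredoc = None if line.strip() == heredoc else heredoc
            continue
        opened = re.search(r'<<-?(\w+)[ \t]*$', line)
        if opened:
            heredoc = opened.group(1)
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:
            return "\n".join(body[:-1]) + "\n"
    return None

def attribute(body, name):
    """("literal", heredoc text), ("ref", "local.x" / "var.x"), or None if absent."""
    literals = {a: ("literal", t) for a, _tag, t in _HEREDOC.findall(body)}
    refs = {a: ("ref", e) for a, e in _REF.findall(body)}
    return literals.get(name) or refs.get(name)

def literal_inline_policy(module_tf):
    """What a resource-local check sees: the heredoc on the resource itself, or None."""
    body = block_body(module_tf, *RESOURCE)
    found = attribute(body, "inline_policy") if body else None
    return found[1] if found and found[0] == "literal" else None

def resolve_inline_policy(root_tf, module_tf, module_name):
    """Follow inline_policy -> var.X -> module argument X -> local.Y -> heredoc Y."""
    body = block_body(module_tf, *RESOURCE)
    found = attribute(body, "inline_policy") if body else None
    if found and found[0] == "ref" and found[1].startswith("var."):
        call = block_body(root_tf, "module", module_name)
        found = attribute(call, found[1][len("var."):]) if call else None
    if found and found[0] == "ref" and found[1].startswith("local."):
        locs = block_body(root_tf, "locals")
        found = attribute(locs, found[1][len("local."):]) if locs else None
    return found[1] if found and found[0] == "literal" else None

def grants_full_privileges(policy_json):
    """True if an Allow statement lists "*" under both Action and Resource."""
    def as_list(v):  # IAM accepts a string or a list for Statement/Action/Resource
        return v if isinstance(v, list) else [v]
    return any(stmt.get("Effect") == "Allow"
               and "*" in as_list(stmt.get("Action", []))
               and "*" in as_list(stmt.get("Resource", []))
               for stmt in as_list(json.loads(policy_json).get("Statement", [])))

if __name__ == "__main__":
    for tf in (MODULE_TF, DIRECT_TF):
        policy = resolve_inline_policy(ROOT_TF, tf, "SSO_permissionset")
        print(literal_inline_policy(tf) is not None, grants_full_privileges(policy))
```

Run as a script it prints `False True` for the module-based layout and `True True` for the inlined one: the same policy document, only flagged once the reference chain is followed. A query that wants to catch the module case needs the caller's arguments and locals in scope, not just the resource block.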
@cx-henriqueAlvelos is there any feature request that can address my use case?
Hello @drey143, we are working on this. Once the PR is done, you'll be notified.
Best regards
@cx-henriqueAlvelos Thank you