
Question about specificity in wildcards.

Open Aaron-Garrett opened this issue 1 year ago • 4 comments

Describe the issue

Wanting to understand the use of ? in CFN-Guard and wondering if there is some way to take a regex like this: /^aws(.*)(\*)\/?/ and make it so that it only checks the first part of the ARN for a wildcard character. For further clarification, I only want it to flag a wildcard on the bucket level of the ARN. I want it to do this whether there is only the bucket listed or one or more levels of folders listed (i.e. aws:arn:s3:::bucket*/ OR aws:arn:s3:::bucket*/top-level-folder). However, I do NOT want it flagging a wildcard in the top-level folder (i.e. aws:arn:s3:::bucket/top-*-folder/).

Any examples Please supply:

  1. Example rules and template that you have tried
rule IAM_ROLE_NO_FULL_ACCESS_FOR_S3 when %aws_iam_roles_no_full_access_for_s3 !empty {
  let violationsString = Resources.*[
    Type in [/AWS::IAM::Role/]
    some Properties.Policies[*].PolicyDocument.Statement[*] {
      some Resource[*] in [/^arn:aws:s3:::(.*)(\*\/)$/, /^arn:aws:s3:::(.*?)(\*)(.*?)\/(.*?)\/(.*?)$/]
    }
  ]
  let violationsSub = Resources.*[
    Type in [/AWS::IAM::Role/]
    some Properties.Policies[*].PolicyDocument.Statement[*] {
      some Resource[*][keys == "Fn::Sub"] in [/^arn:aws:s3:::(.*)(\*\/)$/, /^arn:aws:s3:::(.*?)(\*)(.*?)\/(.*?)\/(.*?)$/]
    }
  ]
  %violationsString empty
  <<
    Violation: * in S3 folder (prefix) access.
    Fix: Avoid wildcard matching * in S3 folder (prefix) access
  >>
  %violationsSub empty
  <<
    Violation: * in S3 folder (prefix) access.
    Fix: Avoid wildcard matching * in S3 folder (prefix) access
  >>
}

Relevant template segment - !Sub "arn:aws:s3:::lly-edp-raw-us-east-2-${DeployEnvironment}/oogabooga*/"
I do not want this getting flagged by this particular check. I have a different check to enhance usability that will check for top-level folder wildcards.

  2. The commands you used to invoke the tool
OUTPUT=`RUST_BACKTRACE=1 ./cfn-guard-v3-ubuntu-latest/cfn-guard validate --show-summary pass,fail --data "$TEMPLATE_FILE" --rules .github/pr-automation/lib/cfn-guard/rules/ 2>&1`
  3. The output of a -v log level if it's not related to cfn-guard-lambda, or the relevant CloudWatch log messages if it is related to the cfn-guard-lambda

No error log because it is not doing anything wrong, technically. I am just trying to determine if I can limit how far the wildcard searches.

Operating System: Ubuntu

OS Version latest

Aaron-Garrett, Apr 15 '24 17:04

Hey @Aaron-Garrett, for the sake of clarity, would you be willing to provide some test cases (1 pass and 1 fail test case to feed into the test command would be fine)?

joshfried-aws, Apr 16 '24 13:04

Pass:

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  rS3FullFolderName:
    Type: AWS::IAM::Role
    Properties:
      RoleName: s3_full_folder_name
      Description: Testing use of folder name
      PermissionsBoundary: "permissionboundary"
      MaxSessionDuration: 36000
      Policies:
        - PolicyName: s3_full_folder_name_check
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - s3:List*
                Resource:
                  - !Sub arn:aws:s3:::lly-edp-raw-us-east-2-${DeployEnvironment}/veeva_cdb*/

Fail:

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  rS3FullFolderName:
    Type: AWS::IAM::Role
    Properties:
      RoleName: s3_full_folder_name
      Description: Testing use of folder name
      PermissionsBoundary: "permissionboundary"
      MaxSessionDuration: 36000
      Policies:
        - PolicyName: s3_full_folder_name_check
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - s3:List*
                Resource:
                  - !Sub arn:aws:s3:::lly-edp-raw-us-east*-2-${DeployEnvironment}/veeva_cdb/

Aaron-Garrett, Apr 16 '24 13:04

Hey @Aaron-Garrett!

I took the fixtures above and played with the Regex pattern a little bit here. You'll notice it matches only the cases you've mentioned. To hopefully answer your question about how guard handles the ? pattern, it's not different from the expected operation as it's just parsing standard Regex - I'm just not sure it's necessary for your use case unless I'm missing something. If you'd like to learn more about how Guard parses Regex you can take a look at this crate here.

I created this sample rule based on your examples and I can reproduce your expected pass/fail case from above:

rule IAM_ROLE_NO_FULL_ACCESS_FOR_S3 {
  let violationsString = Resources.*[
    Type in [/AWS::IAM::Role/]
    some Properties.Policies[*].PolicyDocument.Statement[*] {
      some Resource[*] in [/^arn:aws:s3:::([^*\/]*\*[^*\/]*)\/.*$/]
    }
  ]
  let violationsSub = Resources.*[
    Type in [/AWS::IAM::Role/]
    some Properties.Policies[*].PolicyDocument.Statement[*] {
      some Resource[*][keys == "Fn::Sub"] in [/^arn:aws:s3:::([^*\/]*\*[^*\/]*)\/.*$/]
    }
  ]
  %violationsString empty
  <<
    Violation: Wildcard (*) detected in the bucket name portion of the S3 ARN.
    Fix: Avoid using wildcards in the bucket name portion of the S3 ARN.
  >>
  %violationsSub empty
  <<
    Violation: Wildcard (*) detected in the bucket name portion of the S3 ARN.
    Fix: Avoid using wildcards in the bucket name portion of the S3 ARN.
  >>
}

Please let us know if this was helpful. Thank you!

dannyvassallo, Apr 16 '24 17:04
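To make the behaviour of the bucket-segment pattern from the answer above concrete, here is an added Python example (not part of the thread or of cfn-guard) that applies the same regex to the pass/fail fixtures and to the two ARN shapes described in the question, walking a CloudFormation-style Resources map the way the rule's two let-blocks do. It assumes Python's re engine and Guard's regex crate agree on this pattern (it uses no lookarounds), and the helper names and the sample template are constructed for this illustration.

```python
import re

# Pattern from the answer above; the "\/" escapes that Guard's /.../ literal
# needs are dropped because Python's re does not require them.
BUCKET_WILDCARD = re.compile(r"^arn:aws:s3:::([^*/]*\*[^*/]*)/.*$")


def bucket_has_wildcard(arn):
    """True when a '*' appears in the bucket segment (before the first '/')."""
    return BUCKET_WILDCARD.match(arn) is not None


def resource_arns(resource):
    """Yield ARN strings from a Statement's Resource value: a plain string,
    a list, or the {"Fn::Sub": ...} map that a YAML !Sub tag becomes."""
    if isinstance(resource, str):
        yield resource
    elif isinstance(resource, list):
        for item in resource:
            yield from resource_arns(item)
    elif isinstance(resource, dict) and "Fn::Sub" in resource:
        sub = resource["Fn::Sub"]
        yield sub if isinstance(sub, str) else sub[0]


def bucket_wildcard_violations(template):
    """Return (logical_id, arn) for every IAM role statement whose S3 ARN
    has a wildcard in the bucket segment, mirroring both let-blocks."""
    hits = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
                for arn in resource_arns(stmt.get("Resource", [])):
                    if bucket_has_wildcard(arn):
                        hits.append((logical_id, arn))
    return hits


def role(arn):
    """Constructed minimal IAM role resource carrying one !Sub S3 ARN."""
    return {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyDocument": {"Statement": [{"Effect": "Allow",
            "Action": ["s3:List*"], "Resource": [{"Fn::Sub": arn}]}]}}]}}


# Constructed template: the pass and fail fixtures from the thread plus the
# two ARN shapes from the question (bucket wildcard vs folder wildcard).
SAMPLE_TEMPLATE = {"Resources": {
    "rPassFolderWildcard": role("arn:aws:s3:::lly-edp-raw-us-east-2-${DeployEnvironment}/veeva_cdb*/"),
    "rFailBucketWildcard": role("arn:aws:s3:::lly-edp-raw-us-east*-2-${DeployEnvironment}/veeva_cdb/"),
    "rFailBucketThenFolder": role("arn:aws:s3:::bucket*/top-level-folder"),
    "rPassMidFolderWildcard": role("arn:aws:s3:::bucket/top-*-folder/"),
}}
```

Note that the pattern requires a "/" after the bucket segment, so a bare arn:aws:s3:::bucket* with no trailing slash is not matched by it.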

Hey @Aaron-Garrett just checking in to see if the information @dannyvassallo provided was enough to help you resolve your issue here.

Please let us know if you need any more help on this issue.

joshfried-aws, Apr 26 '24 15:04