feat(checks): Restrict s3 from wild card access (#373)

* feat(checks): Add a check to disallow wildcard S3 bucket access

* add a todo for AVD-AWS-0057

* make fmt-rego

* refactor and check for iam.Roles

* add examples

* remove todo

* make docs

* add json.marshal to prettify

* chore: format and simplify test data

Signed-off-by: Nikita Pivkin <[email protected]>

---------

Signed-off-by: Nikita Pivkin <[email protected]>
Co-authored-by: Nikita Pivkin <[email protected]>

Author: simar7

avd_docs/aws/iam/AVD-AWS-0345/CloudFormation.md

@@ -0,0 +1,36 @@
+
+Create more restrictive S3 policies instead of using s3:*
+
+```yaml
+AWSTemplateFormatVersion: "2010-09-09"
+
+Resources:
+  GoodPolicy:
+    Type: AWS::IAM::Policy
+    Properties:
+      PolicyName: good_policy
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - s3:GetObject
+              - s3:PutObject
+            Resource: arn:aws:s3:::examplebucket/*
+      Roles:
+        - !Ref GoodRole
+
+  GoodRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: good_role
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: ec2.amazonaws.com
+            Action: sts:AssumeRole
+```
+
+

avd_docs/aws/iam/AVD-AWS-0345/Terraform.md

@@ -0,0 +1,44 @@
+
+Create more restrictive S3 policies instead of using s3:*
+
+```hcl
+resource "aws_iam_policy" "good_policy" {
+  name = "good_policy"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:PutObject"
+        ]
+        Resource = "arn:aws:s3:::examplebucket/*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role" "good_role" {
+  name = "good_role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "good_role_policy_attachment" {
+  role       = aws_iam_role.good_role.name
+  policy_arn = aws_iam_policy.good_policy.arn
+}
+```
+
+

avd_docs/aws/iam/AVD-AWS-0345/docs.md

@@ -0,0 +1,10 @@
+
+Ensure that the creation of the IAM policy 's3:*' is disallowed.
+
+### Impact
+<!-- Add Impact here -->
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+

checks/cloud/aws/iam/limit_s3_full_access.rego

@@ -0,0 +1,51 @@
+# METADATA
+# title: "Disallow unrestricted s3:* IAM Policies"
+# description: "Ensure that the creation of the IAM policy 's3:*' is disallowed."
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# custom:
+#   id: AVD-AWS-0345
+#   avd_id: AVD-AWS-0345
+#   provider: aws
+#   service: iam
+#   severity: HIGH
+#   short_code: no-s3-full-access
+#   recommended_action: "Create more restrictive S3 policies instead of using s3:*"
+#   input:
+#     selector:
+#     - type: cloud
+#       subtypes:
+#         - service: iam
+#           provider: aws
+#   examples: checks/cloud/aws/iam/limit_s3_full_access.yaml
+package builtin.aws.iam.aws0345
+
+import rego.v1
+
+allows_permission(statements, permission, effect) if {
+	statement := statements[_]
+	statement.Effect == effect
+	action = statement.Action[_]
+	action == permission
+}
+
+is_s3_full_access_allowed(document) if {
+	value := json.unmarshal(document)
+	statements := value.Statement
+	not allows_permission(statements, "s3:*", "Deny")
+	allows_permission(statements, "s3:*", "Allow")
+}
+
+deny contains res if {
+	policy := input.aws.iam.policies[_]
+	value = is_s3_full_access_allowed(policy.document.value)
+	res = result.new("IAM policy allows 's3:*' action", policy.document)
+}
+
+deny contains res if {
+	role := input.aws.iam.roles[_]
+	policy := role.policies[_]
+	value = is_s3_full_access_allowed(policy.document.value)
+	res = result.new("IAM role uses a policy that allows 's3:*' action", role)
+}

checks/cloud/aws/iam/limit_s3_full_access.yaml

@@ -0,0 +1,137 @@
+cloudformation:
+  good:
+    - |-
+      AWSTemplateFormatVersion: "2010-09-09"
+
+      Resources:
+        GoodPolicy:
+          Type: AWS::IAM::Policy
+          Properties:
+            PolicyName: good_policy
+            PolicyDocument:
+              Version: "2012-10-17"
+              Statement:
+                - Effect: Allow
+                  Action:
+                    - s3:GetObject
+                    - s3:PutObject
+                  Resource: arn:aws:s3:::examplebucket/*
+            Roles:
+              - !Ref GoodRole
+
+        GoodRole:
+          Type: AWS::IAM::Role
+          Properties:
+            RoleName: good_role
+            AssumeRolePolicyDocument:
+              Version: "2012-10-17"
+              Statement:
+                - Effect: Allow
+                  Principal:
+                    Service: ec2.amazonaws.com
+                  Action: sts:AssumeRole
+  bad:
+    - |-
+      AWSTemplateFormatVersion: "2010-09-09"
+
+      Resources:
+        BadPolicy:
+          Type: AWS::IAM::Policy
+          Properties:
+            PolicyName: bad_policy
+            PolicyDocument:
+              Version: "2012-10-17"
+              Statement:
+                - Effect: Allow
+                  Action: s3:*
+                  Resource: '*'
+            Roles:
+              - !Ref BadRole
+
+        BadRole:
+          Type: AWS::IAM::Role
+          Properties:
+            RoleName: bad_role
+            AssumeRolePolicyDocument:
+              Version: "2012-10-17"
+              Statement:
+                - Effect: Allow
+                  Principal:
+                    Service: ec2.amazonaws.com
+                  Action: sts:AssumeRole
+terraform:
+  good:
+    - |-
+      resource "aws_iam_policy" "good_policy" {
+        name = "good_policy"
+        policy = jsonencode({
+          Version = "2012-10-17"
+          Statement = [
+            {
+              Effect = "Allow"
+              Action = [
+                "s3:GetObject",
+                "s3:PutObject"
+              ]
+              Resource = "arn:aws:s3:::examplebucket/*"
+            }
+          ]
+        })
+      }
+
+      resource "aws_iam_role" "good_role" {
+        name = "good_role"
+        assume_role_policy = jsonencode({
+          Version = "2012-10-17"
+          Statement = [
+            {
+              Effect = "Allow"
+              Principal = {
+                Service = "ec2.amazonaws.com"
+              }
+              Action = "sts:AssumeRole"
+            }
+          ]
+        })
+      }
+
+      resource "aws_iam_role_policy_attachment" "good_role_policy_attachment" {
+        role       = aws_iam_role.good_role.name
+        policy_arn = aws_iam_policy.good_policy.arn
+      }
+  bad:
+    - |-
+      resource "aws_iam_policy" "bad_policy" {
+        name = "bad_policy"
+        policy = jsonencode({
+          Version = "2012-10-17"
+          Statement = [
+            {
+              Effect   = "Allow"
+              Action   = "s3:*"
+              Resource = "*"
+            }
+          ]
+        })
+      }
+
+      resource "aws_iam_role" "bad_role" {
+        name = "bad_role"
+        assume_role_policy = jsonencode({
+          Version = "2012-10-17"
+          Statement = [
+            {
+              Effect = "Allow"
+              Principal = {
+                Service = "ec2.amazonaws.com"
+              }
+              Action = "sts:AssumeRole"
+            }
+          ]
+        })
+      }
+
+      resource "aws_iam_role_policy_attachment" "bad_role_policy_attachment" {
+        role       = aws_iam_role.bad_role.name
+        policy_arn = aws_iam_policy.bad_policy.arn
+      }

checks/cloud/aws/iam/limit_s3_full_access_test.rego

@@ -0,0 +1,87 @@
+package builtin.aws.iam.aws0345
+
+import rego.v1
+
+test_with_allow_s3_full_access if {
+	policies := [{
+		"name": "policy_with_s3_full_access",
+		"document": {"value": json.marshal({
+			"Version": "2012-10-17",
+			"Statement": [{
+				"Effect": "Allow",
+				"Action": ["s3:*"],
+				"Resource": ["*"],
+			}],
+		})},
+	}]
+
+	r := deny with input as {"aws": {"iam": {"policies": policies}}}
+	count(r) == 1
+}
+
+test_with_deny_s3_full_access if {
+	policies := [{
+		"name": "policy_with_s3_full_access",
+		"document": {"value": json.marshal({
+			"Version": "2012-10-17",
+			"Statement": [{
+				"Effect": "Deny",
+				"Action": ["s3:*"],
+			}],
+		})},
+	}]
+
+	r := deny with input as {"aws": {"iam": {"policies": policies}}}
+	count(r) == 0
+}
+
+test_with_no_s3_full_access if {
+	policies := [{
+		"name": "policy_without_s3_full_access",
+		"document": {"value": json.marshal({
+			"Version": "2012-10-17",
+			"Statement": [{
+				"Effect": "Allow",
+				"Action": ["s3:GetObject"],
+				"Resource": ["arn:aws:s3:::examplebucket/*"],
+			}],
+		})},
+	}]
+
+	r := deny with input as {"aws": {"iam": {"policies": policies}}}
+	count(r) == 0
+}
+
+test_with_role_using_amazon_s3_full_access_policy if {
+	roles := [{
+		"name": "role_with_amazon_s3_full_access",
+		"policies": [{"document": {"value": json.marshal({
+			"Version": "2012-10-17",
+			"Statement": [{
+				"Effect": "Allow",
+				"Action": ["s3:*"],
+				"Resource": ["*"],
+			}],
+		})}}],
+	}]
+
+	r := deny with input as {"aws": {"iam": {"roles": roles}}}
+	count(r) == 1
+}
+
+test_with_role_not_using_amazon_s3_full_access_policy if {
+	roles := [{
+		"name": "role_without_amazon_s3_full_access",
+		"policies": [{"document": {"value": json.marshal({
+			"Version": "2012-10-17",
+			"Statement": [{
+				"Effect": "Allow",
+				"Action": ["s3:GetObject"],
+				"Resource": ["arn:aws:s3:::examplebucket"],
+			}],
+		})}}],
+	}]
+
+	r := deny with input as {"aws": {"iam": {"roles": roles}}}
+	count(r) == 0
+}