Comments (4)
joshfried-aws
commented on July 18, 2024
Hey @Aaron-Garrett for sake of clarity, would you be willing to provide some test cases (1 pass and 1 fail test case to feed into the test command would be fine)
from cloudformation-guard.
Aaron-Garrett
commented on July 18, 2024
Pass:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
rS3FullFolderName:
Type: AWS::IAM::Role
Properties:
RoleName: s3_full_folder_name
Description: Testing use of folder name
PermissionsBoundary: "permissionboundary"
MaxSessionDuration: 36000
Policies:
- PolicyName: s3_full_folder_name_check
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:List*
Resource:
- !Sub arn:aws:s3:::lly-edp-raw-us-east-2-${DeployEnvironment}/veeva_cdb*/
Fail:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
rS3FullFolderName:
Type: AWS::IAM::Role
Properties:
RoleName: s3_full_folder_name
Description: Testing use of folder name
PermissionsBoundary: "permissionboundary"
MaxSessionDuration: 36000
Policies:
- PolicyName: s3_full_folder_name_check
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:List*
Resource:
- !Sub arn:aws:s3:::lly-edp-raw-us-east*-2-${DeployEnvironment}/veeva_cdb/
from cloudformation-guard.
dannyvassallo
commented on July 18, 2024
Hey @Aaron-Garrett!
I took the fixtures above and played with the Regex pattern a little bit here. You'll notice it matches only the cases you've mentioned. To hopefully answer your question about how guard handles the ? pattern, it's not different from the expected operation as it's just parsing standard Regex - I'm just not sure it's necessary for your use case unless I'm missing something. If you'd like to learn more about how Guard parses Regex you can take a look at this crate here.
I created this sample rule based on your examples and I can reproduce your expected pass/fail case from above:
rule IAM_ROLE_NO_FULL_ACCESS_FOR_S3 {
let violationsString = Resources.*[
Type in [/AWS::IAM::Role/]
some Properties.Policies[*].PolicyDocument.Statement[*] {
some Resource[*] in [/^arn:aws:s3:::([^*\/]*\*[^*\/]*)\/.*$/]
}
]
let violationsSub = Resources.*[
Type in [/AWS::IAM::Role/]
some Properties.Policies[*].PolicyDocument.Statement[*] {
some Resource[*][keys == "Fn::Sub"] in [/^arn:aws:s3:::([^*\/]*\*[^*\/]*)\/.*$/]
}
]
%violationsString empty
<<
Violation: Wildcard (*) detected in the bucket name portion of the S3 ARN.
Fix: Avoid using wildcards in the bucket name portion of the S3 ARN.
>>
%violationsSub empty
<<
Violation: Wildcard (*) detected in the bucket name portion of the S3 ARN.
Fix: Avoid using wildcards in the bucket name portion of the S3 ARN.
>>
}
Please let us know if this was helpful. Thank you!
from cloudformation-guard.
joshfried-aws
commented on July 18, 2024
Hey @Aaron-Garrett just checking in to see if the information @dannyvassallo provided was enough to help you resolve your issue here.
Please let us know if you need anymore help on this issue
from cloudformation-guard.
Related Issues (20)
- [BUG] cfn-guard error via GitHub Actions HOT 2
- [Enhancement] Only show errors/failures in output HOT 5
- [BUG] Failed rule does not print details of the failure HOT 6
- [Enhancement] Add cspell action to check for spelling errors
- [Documentation] Update docs for all public facing functions, and structs
- [BUG] SAM CLI deployed lambda returns InvalidEntryPoint error HOT 3
- [Enhancement] Add support to retrieve the key of a given node HOT 1
- [BUG] '!=' does not work as expected even for same type while using 2 literals. HOT 2
- [Enhancement] Make variables mutable HOT 1
- [Enhancement] Support for CloudFormation Pseudo Parameters
- [GENERAL ISSUE] String concatenation with literal and variable HOT 2
- [BUG] OR is not working HOT 8
- [BUG] "true" does not equal true HOT 2
- Best practice for cfn-guard rules for CDK synthesized resources that are wrapped in a CustomResource, e.g. aws-eks.Cluster HOT 1
- [BUG] Problem with --show-summary HOT 2
- Trying to search an If statement for a value HOT 2
- [GENERAL ISSUE] cfn-guard and Terraform JSON output HOT 2
- [Enhancement] Introdouce date-time and or parse_timestamp (to epoch) function (parser).
- [BUG] cfn-guard-lambda breaks on parsing templates with `verbose: false`
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cloudformation-guard.