
add test for lengthy key policy
Michael-McClelland committed Oct 6, 2023
1 parent 48716a5 commit 4d78b9b
Showing 2 changed files with 370 additions and 1 deletion.
Expand Up @@ -8,4 +8,5 @@ fail:
- "aws_kms_key.fail_1"
- "aws_kms_key.fail_2"
- "aws_kms_key.fail_3"
- "aws_kms_key.fail_4"
- "aws_kms_key.fail_4"
- "aws_kms_key.fail_5"
368 changes: 368 additions & 0 deletions tests/terraform/graph/checks/resources/KmsKeyWildcardPrincipal/main.tf
Expand Up @@ -106,6 +106,374 @@ resource "aws_kms_key" "fail_4" {
POLICY
}

resource "aws_kms_key" "fail_5" {
description = "description"
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:*"
],
"Resource": "*"
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:*"
],
"Resource": "*"
},
{
"Sid": "AccessAnalyzerAndConfigPermissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
"arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
"arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
]
},
"Action": [
"kms:Describe*",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
"arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
"arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
]
},
"Action": [
"kms:Describe*",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
"arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
"arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
]
},
"Action": [
"kms:Describe*",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
"arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
"arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
]
},
"Action": [
"kms:Describe*",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
"arn:aws:iam::111122223333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
"arn:aws:iam::111122223333:role/aws-service-role/macie.amazonaws.com/AWSServiceRoleForAmazonMacie"
]
},
"Action": [
"kms:Describe*",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:List*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": [
"kms:Describe*",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:List*"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"awws:PrincipalAccount": "111122223333",
"kms:CallerAccount": "111122223333",
"aws:PrincipalOrgID": "o-abcdefg"
}
}
},
{
"Sid": "DisableSafetyBypass",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "kms:PutKeyPolicy",
"Resource": "*",
"Condition": {
"Bool": {
"kms:BypassPolicyLockoutSafetyCheck": "true"
}
}
}
]
}
POLICY
}


resource "aws_kms_key" "pass_0" {
description = "description"
policy = <<POLICY
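Review bot: The key policy heredoc in the new `aws_kms_key.fail_5` resource is not valid JSON: the first statement object is closed with `}` right after `"Resource": "*"` and is then followed by a stray `},` before the second statement's opening `{`, leaving the document with an unbalanced brace. If the check parses the policy string before inspecting principals, this fixture would presumably exercise the parse-failure path rather than the wildcard-principal case (`"AWS": "*"` with `kms:*`) it appears meant to cover, so the expected `fail` result would not be proving what the test name suggests; deleting the extra `},` so the sequence reads `"Resource": "*"` / `},` / `{` makes the intended scenario unambiguous. Separately, `"awws:PrincipalAccount"` in the `StringEquals` condition looks like a typo for `"aws:PrincipalAccount"`; a condition on a nonexistent key never matches, which is harmless in a fixture but misleading if the statement is ever copied into a real key policy. The enclosing file continues past the hunk (the `pass_0` resource starts on its last lines).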
