Merge branch 'bridgecrewio:main' into prdeshpande-main
praveen-panw authored Oct 12, 2023
2 parents c01e7d6 + dd803b5 commit 72845c0
Showing 13 changed files with 4,599 additions and 4,340 deletions.
@@ -0,0 +1,39 @@
from __future__ import annotations

from typing import List, Any

from checkov.cloudformation.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckCategories, CheckResult


class LambdaServicePermission(BaseResourceCheck):
def __init__(self) -> None:
name = "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
id = "CKV_AWS_364"
supported_resources = ("AWS::Lambda::Permission",)
categories = (CheckCategories.IAM,)
super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
properties = conf.get('Properties')
if properties and isinstance(properties, dict):
principal = properties.get('Principal')
if principal and isinstance(principal, str):
principal_parts = principal.split('.')
try:
if principal_parts[1] == 'amazonaws' and principal_parts[2] == 'com':
if properties.get('SourceArn') or properties.get('SourceAccount'):
return CheckResult.PASSED
else:
return CheckResult.FAILED
except IndexError:
print("Not a service principal")
# Not a service principal, so pass.
return CheckResult.UNKNOWN
return CheckResult.UNKNOWN

def get_evaluated_keys(self) -> List[str]:
return ['Properties/Principal', 'Properties/SourceArn', 'Properties/SourceAccount']


check = LambdaServicePermission()
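Review bot: The `except IndexError` branch of `scan_resource_conf` calls `print("Not a service principal")`, so every non-service principal in a scanned template (an account ID, an IAM ARN, `*`) writes a stray line to the scanner's stdout; the `print` should go and the comment alone stay. The `principal_parts[1] == 'amazonaws'` test also recognises only the `<service>.amazonaws.com` form, so a region-qualified service principal such as `logs.<region>.amazonaws.com` puts the region in `principal_parts[1]` and the resource falls through to UNKNOWN even when neither SourceArn nor SourceAccount is set. A suffix test handles both shapes without the `try`/`except`: `if principal.endswith((".amazonaws.com", ".amazonaws.com.cn")):`. The same `principal_parts[1]`/`principal_parts[2]` test appears in the Terraform check added by this commit and would benefit from the same change.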
38 changes: 38 additions & 0 deletions checkov/terraform/checks/resource/aws/LambdaServicePermission.py
@@ -0,0 +1,38 @@
from __future__ import annotations

from typing import List, Any

from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck


class LambdaServicePermission(BaseResourceCheck):
def __init__(self) -> None:
description = "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
id = "CKV_AWS_364"
supported_resources = ('aws_lambda_permission',)
categories = (CheckCategories.IAM,)
super().__init__(name=description, id=id, categories=categories, supported_resources=supported_resources)

def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
# Replace this with the custom logic for your check
principal = conf.get("principal")
if principal and isinstance(principal, list) and isinstance(principal[0], str):
principal_parts = principal[0].split('.')
try:
if principal_parts[1] == 'amazonaws' and principal_parts[2] == 'com': # This confirms that the principal is set as a service principal.
if 'source_arn' in conf or 'source_account' in conf: # If either of these are set, we're good and the check should pass.
self.evaluated_keys = self.get_evaluated_keys()
return CheckResult.PASSED
else:
self.evaluated_keys = self.get_evaluated_keys()
return CheckResult.FAILED
except IndexError:
return CheckResult.UNKNOWN
return CheckResult.UNKNOWN

def get_evaluated_keys(self) -> List[str]:
return ["principal", "source_arn", "source_account"]


check = LambdaServicePermission()
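Review bot: The scaffold comment `# Replace this with the custom logic for your check` at the top of `scan_resource_conf` is left over from the check template and should be removed now that the logic is in place. The pass condition `'source_arn' in conf or 'source_account' in conf` tests only key presence, whereas the CloudFormation version of this check tests the value, so an attribute that is present but empty (e.g. `source_arn = ""`) passes here; since `conf` maps each attribute to a list (as the `principal[0]` access assumes), `if any(conf.get(key, [None])[0] for key in ("source_arn", "source_account")):` keeps the two checks consistent. The two `self.evaluated_keys = self.get_evaluated_keys()` assignments look redundant because `get_evaluated_keys` is overridden just below, though whether the base class reads the attribute or calls the method is not visible in this diff.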
2 changes: 1 addition & 1 deletion checkov/version.py
@@ -1 +1 @@
version = '2.5.6'
version = '2.5.7'
5,596 changes: 2,799 additions & 2,797 deletions docs/5.Policy Index/all.md


3 changes: 2 additions & 1 deletion docs/5.Policy Index/cloudformation.md
Expand Up @@ -174,7 +174,8 @@ nav_order: 1
| 163 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) |
| 164 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
| 165 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
| 166 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) |
| 166 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) |
| 167 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) |


---
3 changes: 2 additions & 1 deletion docs/5.Policy Index/serverless.md
Expand Up @@ -184,7 +184,8 @@ nav_order: 1
| 163 | CKV_AWS_361 | resource | AWS::Neptune::DBCluster | Ensure that Neptune DB cluster has automated backups enabled with adequate retention | Cloudformation | [NeptuneClusterBackupRetention.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/NeptuneClusterBackupRetention.py) |
| 164 | CKV_AWS_363 | resource | AWS::Lambda::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
| 165 | CKV_AWS_363 | resource | AWS::Serverless::Function | Ensure Lambda Runtime is not deprecated | Cloudformation | [DeprecatedLambdaRuntime.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py) |
| 166 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) |
| 166 | CKV_AWS_364 | resource | AWS::Lambda::Permission | Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount | Cloudformation | [LambdaServicePermission.py](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/resource/aws/LambdaServicePermission.py) |
| 167 | CKV2_AWS_33 | resource | AWS::AppSync::GraphQLApi | Ensure AppSync is protected by WAF | Cloudformation | [AppSyncProtectedByWAF.yaml](https://github.com/bridgecrewio/checkov/blob/main/checkov/cloudformation/checks/graph_checks/AppSyncProtectedByWAF.yaml) |


---
