busy-dentist-99842
04/07/2022, 4:21 PM
ResourceValidationPolicy for CrossGuard that is looking for S3 Bucket Policies that would allow public traffic. We are running into complications with the PolicyDocument.Statement being a type of Input<Input<PolicyStatement>[]>. How can we get at the PolicyStatement fields to verify things like PolicyStatement.Principal is not set to * without a PolicyStatement.Condition? Thanks in advance for the help.

little-cartoon-10569
04/07/2022, 10:00 PM
```typescript
validateResource: validateResourceOfType(aws.s3.BucketPolicy, (policy, args, reportViolation) => {
    policy.statements.apply((statements: PolicyStatement[]) => {
        statements.forEach(statement => {
            if (statement.principals.length == 1 && statement.principals[0] == "*" && statement.conditions.length == 0) {
                reportViolation(`Statement ${statement.sid} allows any principal but has no conditions applied`);
            }
        });
    });
})
```
(Code completely untested.. it's just pseudo-code..)

miniature-musician-31262
04/08/2022, 12:18 AM
policy here is an UnwrappedObject<aws.s3.BucketPolicyArgs>, and policy.policy (which contains the Statement) is a string | UnwrappedObject<aws.iam.PolicyDocument>. For me, it ends up a string, which means you'll have to JSON.parse it (and then cast that) to examine its contents. This seems to work for me:
```typescript
...
validateResource: validateResourceOfType(aws.s3.BucketPolicy, (policy, args, reportViolation) => {
    // policy.policy is string | UnwrappedObject<aws.iam.PolicyDocument>: parse it only when it is a string.
    const policyDoc = (typeof policy.policy === "string"
        ? JSON.parse(policy.policy)
        : policy.policy) as UnwrappedObject<aws.iam.PolicyDocument>;
    // Principal may be the bare "*" or { AWS: "*" } / { AWS: ["*", ...] }; all of these mean "any principal".
    const isAnyPrincipal = (p: any) =>
        p === "*" || p?.AWS === "*" || (Array.isArray(p?.AWS) && p.AWS.includes("*"));
    // Only an Allow to any principal with no Condition narrowing it counts as a violation.
    const violations = policyDoc.Statement
        .filter(statement => statement.Effect === "Allow"
            && isAnyPrincipal(statement.Principal)
            && !statement.Condition);
    if (violations.length > 0) {
        reportViolation("Hey -- don't do that.");
    }
}),
...
```
little-cartoon-10569
04/08/2022, 12:28 AM

miniature-musician-31262
04/08/2022, 12:30 AM
validateResourceOfType(aws.iam.Role…), I see the same thing — role is an UnwrappedObject, and role.assumeRolePolicy is a string | UnwrappedObject as well:

little-cartoon-10569
04/08/2022, 1:01 AM

miniature-musician-31262
04/08/2022, 3:36 AM

busy-dentist-99842
04/08/2022, 12:34 PM
string and we can do the parsing @miniature-musician-31262 suggested. Thanks again.