Skip to content

Checkov fixes for CF #174

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 13 commits into
base: master
Choose a base branch
from
Open

Checkov fixes for CF #174

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
a28a220
removed explicit dependency
himanshu219 Apr 2, 2024
6557b74
Merge branch 'fy25q1awso' into hpal_test_gitaction
shivani-sumo Apr 2, 2024
b83f2af
fix for CKV_AWS_111
shivani-sumo Apr 2, 2024
00ad960
fix for CKV_AWS_111
shivani-sumo Apr 2, 2024
0e26729
fix for CKV_AWS_111
shivani-sumo Apr 2, 2024
5790977
fix for Checkov tests
shivani-sumo Apr 2, 2024
00a136d
fix for Checkov tests
shivani-sumo Apr 2, 2024
dff100b
fix for Checkov tests
shivani-sumo Apr 2, 2024
e315668
fix for Checkov tests
shivani-sumo Apr 2, 2024
f905956
fix for Checkov tests
shivani-sumo Apr 2, 2024
a94d47e
fix for Checkov tests
shivani-sumo Apr 2, 2024
8d9c6ed
fix for Checkov tests
shivani-sumo Apr 2, 2024
a24461e
fix for Checkov tests
shivani-sumo Apr 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/cf-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ jobs:
framework: cloudformation
output_format: cli
output_bc_ids: false
skip_check: CKV_AWS_26,CKV_AWS_116,CKV_AWS_117,CKV_AWS_115,CKV_AWS_108,CKV_AWS_173,CKV_AWS_18,CKV_AWS_21,CKV_AWS_109,CKV_AWS_67,CKV_AWS_36,CKV_AWS_35

CFSecurityChecksCFNNAG:
name: "cfn-nag for Cloud Formation template"
Expand Down
5 changes: 4 additions & 1 deletion aws-observability/apps/alb/alb_app.template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -285,7 +285,10 @@ Resources:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: '*'
- Effect: "Allow"
Action:
- "s3:*"
Resource: 'LambdaHelper'

LambdaHelper:
Type: 'AWS::Serverless::Function'
Expand Down
17 changes: 15 additions & 2 deletions aws-observability/apps/common/resources.template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -440,7 +440,7 @@ Resources:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: '*'
Resource: "LambdaHelper"
- PolicyName: AwsObservabilityLambdaExecutePoliciesS3
PolicyDocument:
Version: '2012-10-17'
Expand All @@ -449,7 +449,12 @@ Resources:
Action:
- s3:GetBucketPolicy
- s3:PutBucketPolicy
Resource: "LambdaHelper"
- Effect: "Allow"
Action:
- "s3:*"
Resource:
- "LambdaHelper"
- !Sub
- "arn:aws:s3:::${S3Bucket}"
- S3Bucket: !If [install_alb_logs_source, !If [ create_alb_bucket, !Ref CommonS3Bucket, !Ref ALBS3LogsBucketName ], ""]
Expand Down Expand Up @@ -511,7 +516,10 @@ Resources:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: '*'
- Effect: "Allow"
Action:
- "s3:*"
Resource: 'LambdaHelperAlias'

LambdaHelperAlias:
Type: 'AWS::Serverless::Function'
Expand Down Expand Up @@ -596,6 +604,11 @@ Resources:
- !Select
- 2
- !Split [ "/", !Ref "AWS::StackId" ]
PublicAccessBlockConfiguration:
RestrictPublicBuckets: true
BlockPublicPolicy: true
IgnorePublicAcls: true
BlockPublicAcls: true
NotificationConfiguration:
TopicConfigurations:
- Event: s3:ObjectCreated:Put
Expand Down
5 changes: 4 additions & 1 deletion aws-observability/apps/elb/elb_app.template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -282,7 +282,10 @@ Resources:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: '*'
- Effect: "Allow"
Action:
- "s3:*"
Resource: 'LambdaHelper'

LambdaHelper:
Type: 'AWS::Serverless::Function'
Expand Down
5 changes: 4 additions & 1 deletion aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,7 +174,10 @@ Resources:
- logs:CreateLogStream
- logs:PutLogEvents
- ec2:DescribeInstances
Resource: '*'
- Effect: "Allow"
Action:
- "s3:*"
Resource: 'LambdaHelper'

LambdaHelper:
Type: AWS::Lambda::Function
Expand Down
10 changes: 9 additions & 1 deletion aws-observability/apps/permissionchecker/permissioncheck.nested.template.test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -252,7 +252,10 @@ Resources:
- logs:PutLogEvents
- s3:GetBucketPolicy
- s3:PutBucketPolicy
Resource: '*'
- Effect: "Allow"
Action:
- "s3:*"
Resource: 'LambdaHelper'

SumoLogicSourceRole:
Type: AWS::IAM::Role
Expand Down Expand Up @@ -429,6 +432,11 @@ Resources:
- !Select
- 2
- !Split ["/", !Ref "AWS::StackId"]
PublicAccessBlockConfiguration:
RestrictPublicBuckets: true
BlockPublicPolicy: true
IgnorePublicAcls: true
BlockPublicAcls: true
NotificationConfiguration:
TopicConfigurations:
- Event: s3:ObjectCreated:Put
Expand Down
10 changes: 9 additions & 1 deletion aws-observability/apps/permissionchecker/permissioncheck.nested.template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -250,7 +250,10 @@ Resources:
- logs:PutLogEvents
- s3:GetBucketPolicy
- s3:PutBucketPolicy
Resource: '*'
- Effect: "Allow"
Action:
- "s3:*"
Resource: 'LambdaHelper'

SumoLogicSourceRole:
Type: AWS::IAM::Role
Expand Down Expand Up @@ -427,6 +430,11 @@ Resources:
- !Select
- 2
- !Split ["/", !Ref "AWS::StackId"]
PublicAccessBlockConfiguration:
RestrictPublicBuckets: true
BlockPublicPolicy: true
IgnorePublicAcls: true
BlockPublicAcls: true
NotificationConfiguration:
TopicConfigurations:
- Event: s3:ObjectCreated:Put
Expand Down
5 changes: 4 additions & 1 deletion aws-observability/apps/permissionchecker/permissioncheck.template.test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,7 +140,10 @@ Resources:
- "firehose:DeleteDeliveryStream"
- "cloudwatch:GetMetricStream"
- "cloudwatch:DeleteMetricStream"
Resource: "*"
- Effect: "Allow"
Action:
- "s3:*"
Resource: "DeleteCFNLambda"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Expand Down
5 changes: 4 additions & 1 deletion aws-observability/apps/permissionchecker/permissioncheck.template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,10 @@ Resources:
- "firehose:DeleteDeliveryStream"
- "cloudwatch:GetMetricStream"
- "cloudwatch:DeleteMetricStream"
Resource: "*"
- Effect: "Allow"
Action:
- "s3:*"
Resource: "DeleteCFNLambda"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Expand Down
5 changes: 4 additions & 1 deletion aws-observability/apps/rootcause/rootcauseexplorer.template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -312,7 +312,10 @@ Resources:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: '*'
- Effect: "Allow"
Action:
- "s3:*"
Resource: 'LambdaHelper'

LambdaHelper:
Type: 'AWS::Serverless::Function'
Expand Down
1 change: 0 additions & 1 deletion aws-observability/templates/sumologic_observability.master.template.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -656,7 +656,6 @@ Resources:

sumoRdsMetricsAppStack:
Type: AWS::CloudFormation::Stack
DependsOn: sumoLambdaMetricsAppStack
Properties:
TemplateURL: !Sub
- "https://${BucketName}.s3.amazonaws.com/aws-observability-versions/${Version}/rds/rds_app.template.yaml"
Expand Down
6 changes: 5 additions & 1 deletion aws-observability/templates/sumologic_observability.mp.test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -546,7 +546,11 @@ Resources:
- Effect: "Allow"
Action:
- "kms:Decrypt"
Resource: "*"
Resource: "SecretsRetrievalFunction"
- Effect: "Allow"
Action:
- "s3:*"
Resource: "SecretsRetrievalFunction"
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
# Retrieving secrets passed in via SecretsManager Arn
Expand Down
6 changes: 5 additions & 1 deletion aws-observability/templates/sumologic_observability.mp.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -544,7 +544,11 @@ Resources:
- Effect: "Allow"
Action:
- "kms:Decrypt"
Resource: "*"
Resource: "SecretsRetrievalFunction"
- Effect: "Allow"
Action:
- "s3:*"
Resource: "SecretsRetrievalFunction"
ManagedPolicyArns:
- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
# Retrieving secrets passed in via SecretsManager Arn
Expand Down