-
Notifications
You must be signed in to change notification settings - Fork 338
fix(query): fix fp for s3_bucket_access_to_any_principal #7564
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(query): fix fp for s3_bucket_access_to_any_principal #7564
Conversation
…o_Any_Principal--cloudFormation/aws
…cipal--cloudFormation/aws
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. We could improve the way the if statement is being handled by supporting this flow in the library instead of the function.
But since the scope of this PR is to only fix the query, we can add that as a later improment.
…cipal--cloudFormation/aws
…cipal--cloudFormation/aws
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…cipal--cloudFormation/aws
Reason for Proposed Changes
s3_bucket_access_to_any_principal
can only determine if a "Principal" has permissions "*" or "s3:*" from YAML files if it has no "!If" statements associated.<THEN>
and<ELSE>
require scanning that is currently inexistent. Either of these values can have meaningful policy statements for this query.Proposed Changes
Introduced two helper functions (
handle_if_statements
andhandle_if_statement
) to correctly traverse and extract valid policy statements from structures resulting from !If conditions.This improves the query’s accuracy by avoiding false positives when Principal is not actually "*" in resolved policy logic, and also guarantees the verifications of each and every meaningful object in the if statement be it a
<THEN>
or<ELSE>
associated object.originalPR
I submit this contribution under the Apache-2.0 license.