Merge pull request #136 from cloudgraphdev/fix/CG-1336-aws-pci-iam-check-3

tyler-dunkel · web-flow · commit 2ff7f32c5533 · 2023-03-31T14:33:10.000-05:00
fix(CG-1336): fix PCI IAM check 3
diff --git a/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-iam-check-3.ts b/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-iam-check-3.ts
@@ -45,24 +45,32 @@ export default {
   resource: 'queryawsIamPolicy[*]',
   severity: 'high',
   conditions: {
-    not: {
-      path: '@.policyContent.statement',
-      array_any: {
-        and: [
-          {
-            path: '[*].effect',
-            equal: 'Allow',
-          },
-          {
-            path: '[*].action',
-            contains: '*',
-          },
-          {
-            path: '[*].resource',
-            contains: '*',
-          },
-        ],
+    or: [
+      {
+        path: '@.name',
+        equal: 'AdministratorAccess',
       },
-    },
+      {
+        not: {
+          path: '@.policyContent.statement',
+          array_any: {
+            and: [
+              {
+                path: '[*].effect',
+                equal: 'Allow',
+              },
+              {
+                path: '[*].action',
+                contains: '*',
+              },
+              {
+                path: '[*].resource',
+                contains: '*',
+              },
+            ],
+          },
+        },
+      }
+    ]
   },
 }
diff --git a/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-iam-checks.test.ts b/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-iam-checks.test.ts
@@ -101,6 +101,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
         queryawsIamPolicy: [
           {
             id: cuid(),
+            name: 'AdministratorAccess-Amplify',
             policyContent: {
               statement: [
                 {
@@ -131,6 +132,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
         queryawsIamPolicy: [
           {
             id: cuid(),
+            name: 'AdministratorAccess-Amplify',
             policyContent: {
               statement: [
                 {
@@ -157,6 +159,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
         queryawsIamPolicy: [
           {
             id: cuid(),
+            name: 'AdministratorAccess-Amplify',
             policyContent: {
               statement: [
                 {
@@ -187,6 +190,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
         queryawsIamPolicy: [
           {
             id: cuid(),
+            name: 'AdministratorAccess-Amplify',
             policyContent: {
               statement: [
                 {
@@ -207,6 +211,33 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 
       expect(processedRule.result).toBe(Result.FAIL)
     })
+
+    test('Should pass when IAM policies that allow full "*:*" administrative privileges for AdministratorAccess policy', async () => {
+      const data = {
+        queryawsIamPolicy: [
+          {
+            id: cuid(),
+            name: 'AdministratorAccess',
+            policyContent: {
+              statement: [
+                {
+                  effect: 'Allow',
+                  action: ['*'],
+                  resource: ['*'],
+                },
+              ],
+            },
+          },
+        ],
+      }
+
+      const [processedRule] = await rulesEngine.processRule(
+        Aws_PCI_DSS_321_IAM_3 as Rule,
+        { ...data } as any
+      )
+
+      expect(processedRule.result).toBe(Result.PASS)
+    })
   })
 
   describe('IAM Check 4: Hardware MFA should be enabled for the root user', () => {
