Merge pull request #125 from cloudgraphdev/fix/CG-1242-aws-cis-1.16-exclude-AdministratorAccess

tyler-dunkel · web-flow · commit b060c72662b0 · 2023-02-05T12:03:23.000-06:00
Fix/cg 1242 aws cis 1.16 exclude administrator access
diff --git a/src/aws/cis-1.4.0/rules/aws-cis-1.4.0-1.16.ts b/src/aws/cis-1.4.0/rules/aws-cis-1.4.0-1.16.ts
@@ -65,6 +65,7 @@ export default {
     queryawsIamPolicy {
       id
       arn
+      name
       accountId
        __typename
       policyContent {
@@ -79,24 +80,32 @@ export default {
   resource: 'queryawsIamPolicy[*]',
   severity: 'high',
   conditions: {
-    not: {
-      path: '@.policyContent.statement',
-      array_any: {
-        and: [
-          {
-            path: '[*].effect',
-            equal: 'Allow',
-          },
-          {
-            path: '[*].action',
-            contains: '*',
-          },
-          {
-            path: '[*].resource',
-            contains: '*',
+    or: [
+      {
+        path: '@.name',
+        equal: 'AdministratorAccess',
+      },
+      {
+        not: {
+          path: '@.policyContent.statement',
+          array_any: {
+            and: [
+              {
+                path: '[*].effect',
+                equal: 'Allow',
+              },
+              {
+                path: '[*].action',
+                contains: '*',
+              },
+              {
+                path: '[*].resource',
+                contains: '*',
+              },
+            ],
           },
-        ],
+        },
       },
-    },
+    ]
   },
 }
diff --git a/src/aws/cis-1.4.0/tests/aws-cis-1.4.0-1.x.test.ts b/src/aws/cis-1.4.0/tests/aws-cis-1.4.0-1.x.test.ts
@@ -48,6 +48,7 @@ export interface PolicyContent {
 }
 export interface QueryawsIamPolicy {
   id: string
+  name: string
   policyContent: PolicyContent
 }
 
@@ -703,6 +704,7 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
 
   describe('AWS CIS 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached', () => {
     const getTestRuleFixture = (
+      name: string,
       effect: string,
       action: string[],
       resource: string[]
@@ -711,6 +713,7 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
         queryawsIamPolicy: [
           {
             id: cuid(),
+            name,
             policyContent: {
               statement: [
                 {
@@ -741,7 +744,7 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
     }
       
     test('No Security Issue when IAM policies not allow full "*:*" administrative privileges', async () => {
-      const data: CIS1xQueryResponse = getTestRuleFixture('Allow',  [
+      const data: CIS1xQueryResponse = getTestRuleFixture('AdministratorAccess-Amplify', 'Allow',  [
         'secretsmanager:DeleteSecret',
         'secretsmanager:GetSecretValue',
         'secretsmanager:UpdateSecret',
@@ -750,23 +753,28 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
     })
 
     test('No Security Issue when IAM policies that have a statement with "Effect": "Allow" with "Action": "*" over restricted "Resource"', async () => {
-      const data: CIS1xQueryResponse = getTestRuleFixture('Allow', ['*'], ['arn:aws:secretsmanager:*:*:secret:A4B*'])
+      const data: CIS1xQueryResponse = getTestRuleFixture('AdministratorAccess-Amplify', 'Allow', ['*'], ['arn:aws:secretsmanager:*:*:secret:A4B*'])
       await testRule(data, Result.PASS)
     })
 
     test('No Security Issue when IAM policies that have a statement with "Effect": "Allow" with restricted "Action" over "Resource": "*"', async () => {
-      const data: CIS1xQueryResponse = getTestRuleFixture('Allow',  [
+      const data: CIS1xQueryResponse = getTestRuleFixture('AdministratorAccess-Amplify', 'Allow',  [
         'secretsmanager:DeleteSecret',
         'secretsmanager:GetSecretValue',
         'secretsmanager:UpdateSecret',
       ], ['*'])
       await testRule(data, Result.PASS)
     })
 
-    test('No Security Issue when IAM policies that allow full "*:*" administrative privileges', async () => {
-      const data: CIS1xQueryResponse = getTestRuleFixture('Allow',  ['*'], ['*'])
+    test('Security Issue when IAM policies that allow full "*:*" administrative privileges for non AdministratorAccess policy', async () => {
+      const data: CIS1xQueryResponse = getTestRuleFixture('AdministratorAccess-Amplify', 'Allow',  ['*'], ['*'])
       await testRule(data, Result.FAIL)
     })
+
+    test('No Security Issue when IAM policies that allow full "*:*" administrative privileges for AdministratorAccess policy', async () => {
+      const data: CIS1xQueryResponse = getTestRuleFixture('AdministratorAccess', 'Allow',  ['*'], ['*'])
+      await testRule(data, Result.PASS)
+    })
   })
 
   describe('AWS CIS 1.17 Ensure a support role has been created to manage incidents with AWS Support', () => {
