
CloudFormation: Unable to Validate Secret Manager Resource Policies Using forEach #6995

Open
sarbole opened this issue Feb 4, 2025 · 0 comments

Comments

sarbole commented Feb 4, 2025

Describe the issue
CloudFormation / I am trying to identify that all Secrets Manager resources have an associated resource policy, but when using CloudFormation's ForEach, although each resource has its policy associated, the check is not able to identify it. Is there any support for ForEach? Thanks

Custom Rule:

```yaml
metadata:
    name: "Check that Secret has configured Resource Based policy"
    id: "CKV2_777"
    category: "GENERAL_SECURITY"
definition:
    and:
        - cond_type: "filter"
          attribute: "resource_type"
          value:
            - AWS::SecretsManager::Secret
          operator: within
        - cond_type: connection
          operator: exists
          resource_types:
              - AWS::SecretsManager::Secret
          connected_resource_types:
              - AWS::SecretsManager::ResourcePolicy
```

Example Value

```yaml
Resources:
  Secret1:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: "Secret1"
      Description: "first secret"

  Secret2:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: "Secret2"
      Description: "second secret"

  Fn::ForEach::secretsResourcePolicy:
    - SecretIdentifier
    - - Secret1
      - Secret2
    - ${SecretIdentifier}RoleBasedPolicy:
        Type: AWS::SecretsManager::ResourcePolicy
        Properties:
          ResourcePolicy:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Principal:
                  AWS:
                    - Fn::Sub: arn:aws:iam::${AWS::AccountId}:role/cloudformation-service-deployment
                Resource: '*'
              - Effect: Deny
                Action: secretsmanager:GetSecretValue
                Condition:
                  Fn::If:
                    - DeployVSTSRole
                    - StringNotLike:
                        aws:PrincipalArn:
                          - Fn::Sub: arn:aws:iam::${AWS::AccountId}:role/asdasd
                          - Ref: DbaAdminRole
                Principal:
                  AWS: '*'
                Resource: '*'
          SecretId:
            Ref: SecretIdentifier
```
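The connection check in the custom rule above only sees a `ResourcePolicy` resource once the `Fn::ForEach` loop has been expanded into concrete logical IDs, which is why the unexpanded template reports every secret as unprotected. The script below is an added example (not Checkov's code, and not from the issue author) that expands Resources-level `Fn::ForEach` entries the way the `AWS::LanguageExtensions` transform does for the subset used here (`${Identifier}` substitution in logical IDs and strings, and `Ref: Identifier` replacement) and then applies the same "every Secret must be referenced by a ResourcePolicy `SecretId`" check. The `SAMPLE_TEMPLATE` dict is a constructed copy of the issue's template with the policy trimmed to one statement and a third secret added outside the loop so the check has something to report; nested loops and intrinsic functions other than `Ref`/`Fn::Sub` strings are out of scope and are assumptions of this simplified expander.

```python
"""Expand Fn::ForEach in a CloudFormation template and verify that every
AWS::SecretsManager::Secret has a ResourcePolicy pointing at it.

Added example; not Checkov's own code. The expansion implements only the
subset of Fn::ForEach semantics used in the issue (assumption).
"""
import copy

FOREACH_PREFIX = "Fn::ForEach::"
SECRET = "AWS::SecretsManager::Secret"
POLICY = "AWS::SecretsManager::ResourcePolicy"

# Constructed sample mirroring the issue's template. Secret3 is deliberately
# left outside the loop so that the check reports it.
SAMPLE_TEMPLATE = {
    "Transform": "AWS::LanguageExtensions",  # required for Fn::ForEach
    "Resources": {
        "Secret1": {"Type": SECRET, "Properties": {"Name": "Secret1"}},
        "Secret2": {"Type": SECRET, "Properties": {"Name": "Secret2"}},
        "Secret3": {"Type": SECRET, "Properties": {"Name": "Secret3"}},
        "Fn::ForEach::secretsResourcePolicy": [
            "SecretIdentifier",
            ["Secret1", "Secret2"],
            {
                "${SecretIdentifier}RoleBasedPolicy": {
                    "Type": POLICY,
                    "Properties": {
                        "ResourcePolicy": {
                            "Version": "2012-10-17",
                            "Statement": [{
                                "Effect": "Allow",
                                "Action": "secretsmanager:GetSecretValue",
                                "Principal": {"AWS": [{"Fn::Sub":
                                    "arn:aws:iam::${AWS::AccountId}:role/cloudformation-service-deployment"}]},
                                "Resource": "*",
                            }],
                        },
                        "SecretId": {"Ref": "SecretIdentifier"},
                    },
                }
            },
        ],
    },
}


def _substitute(node, identifier, value):
    """Replace ${identifier} inside strings/keys and `Ref: identifier` with value."""
    if isinstance(node, dict):
        if node == {"Ref": identifier}:
            return {"Ref": value}
        return {_substitute(k, identifier, value): _substitute(v, identifier, value)
                for k, v in node.items()}
    if isinstance(node, list):
        return [_substitute(item, identifier, value) for item in node]
    if isinstance(node, str):
        return node.replace("${%s}" % identifier, value)
    return node


def expand_foreach(template):
    """Return a copy of the template with Resources-level Fn::ForEach expanded."""
    expanded = copy.deepcopy(template)
    resources = {}
    for key, body in template.get("Resources", {}).items():
        if not key.startswith(FOREACH_PREFIX):
            resources[key] = copy.deepcopy(body)
            continue
        identifier, values, fragment = body  # [Identifier, [values...], {fragment}]
        for value in values:
            for logical_id, res in _substitute(fragment, identifier, value).items():
                if logical_id in resources:
                    raise ValueError(f"duplicate logical id after expansion: {logical_id}")
                resources[logical_id] = res
    expanded["Resources"] = resources
    return expanded


def _refs(node):
    """Yield every logical id referenced via Ref anywhere under node."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        for v in node.values():
            yield from _refs(v)
    elif isinstance(node, list):
        for item in node:
            yield from _refs(item)


def secrets_without_policy(template, expand=True):
    """Logical ids of Secrets that no ResourcePolicy SecretId refers to."""
    resources = (expand_foreach(template) if expand else template)["Resources"]
    typed = {lid: r for lid, r in resources.items() if isinstance(r, dict)}
    secrets = {lid for lid, r in typed.items() if r.get("Type") == SECRET}
    covered = set()
    for r in typed.values():
        if r.get("Type") == POLICY:
            covered.update(_refs(r.get("Properties", {}).get("SecretId")))
    return sorted(secrets - covered)


if __name__ == "__main__":
    print("unexpanded:", secrets_without_policy(SAMPLE_TEMPLATE, expand=False))
    print("expanded:  ", secrets_without_policy(SAMPLE_TEMPLATE))
```

Running the check on the raw template flags all three secrets, reproducing the false positives described in the issue; after expansion only `Secret3`, which really has no policy, is reported. Until the scanner handles `Fn::ForEach` natively, expanding the template in a pre-scan step like this (or with the transform applied via the CloudFormation API) is what makes a connection-based custom rule trustworthy.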