DP-41798 : add permission notifier module #252
base: 1.x
Conversation
JimmyIL commented Sep 10, 2025
- Used to determine if GitHub Action/deployment role changes have added inline, custom, or managed administrator permissions
- Pass a variable including the role names (single [] or list []) and the SNS topic (often linked to Slack, Teams, or emails)
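As an added example (not the module's own Lambda code, which this PR does not show), the following Python sketch implements the check the description calls for: walk a role's attached and inline policies and report any administrator-level grant, producing the message body that would go to the SNS topic. The role name and policy documents are constructed sample data.

```python
from typing import Iterable

# Real AWS-managed policy ARN that grants full administrator rights.
ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# Actions that are administrator-equivalent when allowed on every resource
# (iam:* lets a principal grant itself anything else).
ADMIN_ACTIONS = {"*", "iam:*"}


def _as_list(value):
    """IAM policy JSON allows a bare string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_admin(stmt: dict) -> bool:
    """True if an Allow statement grants an admin-level action on Resource '*'."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    resources = set(_as_list(stmt.get("Resource")))
    return bool(actions & ADMIN_ACTIONS) and "*" in resources


def find_admin_grants(role_name: str, attached_arns: Iterable[str], inline_docs: dict) -> list:
    """One finding per admin grant; inline_docs maps policy name -> decoded document."""
    findings = []
    for arn in attached_arns:
        if arn == ADMIN_MANAGED_POLICY:
            findings.append(f"{role_name}: managed policy {arn} attached")
    for name, doc in inline_docs.items():
        for stmt in _as_list(doc.get("Statement")):
            if statement_is_admin(stmt):
                sid = stmt.get("Sid", "<no sid>")
                findings.append(f"{role_name}: inline policy {name} statement {sid} allows {stmt['Action']} on *")
    return findings


def build_alert(findings: list) -> str:
    """Message body for the SNS topic; empty string means nothing to publish."""
    if not findings:
        return ""
    return "Administrator permissions detected on deployment role(s):\n" + "\n".join(f"- {f}" for f in findings)


# Constructed sample input (not real role data).
SAMPLE_ATTACHED = ["arn:aws:iam::aws:policy/ReadOnlyAccess", ADMIN_MANAGED_POLICY]
SAMPLE_INLINE = {"deploy": {"Version": "2012-10-17", "Statement": [
    {"Sid": "Artifacts", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::artifacts/*"},
    {"Sid": "Escape", "Effect": "Allow", "Action": "*", "Resource": "*"}]}}

if __name__ == "__main__":
    print(build_alert(find_admin_grants("gha-deploy", SAMPLE_ATTACHED, SAMPLE_INLINE)))
```

In the real function the attached ARNs come from `list_attached_role_policies` and the inline documents from `list_role_policies` plus `get_role_policy`; the detection logic above is unchanged.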
Prisma Cloud has found errors in this PR ⬇️
# - Reading IAM role policies (attached + inline)
# - Publishing to SNS
# - Writing CloudWatch Logs
data "aws_iam_policy_document" "detector_permissions" {
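Review bot: the Checkov finding on this document (Resource "*") can be closed without losing function, because the module already takes the role names and the SNS topic as input variables: scope the IAM read statement (attached + inline policy reads) to the ARNs of those roles and the `sns:Publish` statement to the topic ARN that is passed in, leaving a wildcard at most on the CloudWatch Logs statement, which can itself be narrowed to the function's own log group.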
Data source IAM policy document allows all resources with restricted actions
Resource: aws_iam_policy_document.detector_permissions | Checkov ID: CKV_AWS_356
How to Fix
data "aws_iam_policy_document" "example" {
  statement {
    sid    = "samplePassRole"
    effect = "Allow"
    actions = [
      "s3:PutObject",
      "s3:GetObject",
      "s3:DeleteObject"
    ]
    resources = [
-     "*",
+     "arn:aws:s3:::my_bucket/my_object"
    ]
  }
}
Description
This policy checks IAM policies for statements that allow unrestricted resource access ('*') for actions that can and should be restricted to specific resources. This behavior is potentially unsafe because it broadens the scope of access controls and increases the risk of unauthorized access.
Prisma Cloud checks the AWS documentation for IAM actions that can be restricted to a resource and recommends defining a specific resource rather than '*'. For example, the s3:PutObject action can be restricted to a specific S3 bucket instead of allowing uploads to any S3 bucket using '*'. It is best security practice to define granular permissions to each user access, as unrestricted access can lead to unwanted manipulations or data breaches. Therefore, it is recommended to specify restrictions and assign minimum necessary access rights.
depends_on = [null_resource.build_lambda]
}

resource "aws_lambda_function" "detector" {
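Review bot: with the package produced locally by `null_resource.build_lambda` and no `code_signing_config_arn` on this resource (the CKV_AWS_272 finding), nothing at deploy time ties the artifact Lambda runs to the build that produced it; either adopt the signing config suggested by the finding or, at minimum, set `source_code_hash` on the function so an unexpected package change shows up as a plan diff rather than silently going live.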
AWS Lambda function is not configured to validate code-signing
Resource: aws_lambda_function.detector | Checkov ID: CKV_AWS_272
How to Fix
resource "aws_lambda_function" "example" {
  function_name = "example"
  s3_bucket     = aws_signer_signing_job.this.signed_object[0].s3[0].bucket
  s3_key        = aws_signer_signing_job.this.signed_object[0].s3[0].key
  handler       = "exports.test"
  runtime       = "nodejs12.x"
+ code_signing_config_arn = aws_lambda_code_signing_config.example.arn
}
resource "aws_lambda_code_signing_config" "example" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.example.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}
Description
This policy ensures that an AWS Lambda function has been properly configured to validate code-signing. If not correctly set up, it could mean that your AWS Lambda function is running code that has not been authenticated. This lack of validation raises a significant security concern, as your service could be running code that has been tampered with or injected with malicious code. This could lead to unauthorized access, data leaks, or compromise of the service. Therefore, it is vital to check and ensure that Lambda functions are enforced to validate code-signing for security.
4d0c422 to dc3a40b