bridgecrewio · tsmithv11 · Apr 14, 2025 · Apr 11, 2025 · Apr 11, 2025 · Apr 11, 2025
diff --git a/checkov/arm/checks/resource/StorageAccountName.py b/checkov/arm/checks/resource/StorageAccountName.py
@@ -9,7 +9,7 @@
 
 STO_NAME_REGEX = re.compile(r"^[a-z0-9]{3,24}$")
 VARIABLE_REFS = ("local.", "module.", "var.", "random_string.", "random_id.", "random_integer.", "random_pet.",
-                 "azurecaf_name", "each.")
+                 "azurecaf_name", "each.", "substring")
 
 
 class StorageAccountName(BaseResourceCheck):

diff --git a/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml b/checkov/terraform/checks/graph_checks/aws/Route53ZoneEnableDNSSECSigning.yaml
@@ -3,28 +3,30 @@ metadata:
   id: "CKV2_AWS_38"
   category: "NETWORKING"
 definition:
- and :
-    - cond_type: filter
-      attribute: resource_type
-      value:
-      - aws_route53_zone
-      operator: within
-    - cond_type: connection
-      resource_types:
-      - aws_route53_zone
-      connected_resource_types:
-      - aws_route53_hosted_zone_dnssec
-      - aws_route53_key_signing_key
-      operator: exists
-    - or:
+  or:
+    - and:
       - cond_type: attribute
         resource_types:
           - aws_route53_zone
-        attribute: vpc
-        operator: not_exists
+        attribute: vpc  # This indicates a private zone that can't have DNSSEC enabled
+        operator: exists
+      - cond_type: attribute
+        resource_types:
+          - aws_route53_zone
+        attribute: vpc  # This indicates a private zone that can't have DNSSEC enabled
+        operator: not_equals
+        value: []
+    - and:
+      - cond_type: filter
+        attribute: resource_type
+        value:
+        - aws_route53_zone
+        operator: within
       - cond_type: connection
         resource_types:
         - aws_route53_zone
         connected_resource_types:
-        - aws_route53_zone_association
-        operator: not_exists
+        - aws_route53_hosted_zone_dnssec
+        - aws_route53_key_signing_key
+        - aws_route53_zone_association  # This indicates a private zone that can't have DNSSEC enabled
+        operator: exists
diff --git a/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py b/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py
@@ -82,8 +82,11 @@ def scan_resource_conf(self, conf):
                     return CheckResult.UNKNOWN
 
         if isinstance(policy_block, dict) and 'Statement' in policy_block.keys():
-            for statement in force_list(policy_block['Statement']):
-                if statement['Effect'] == 'Deny' or 'Principal' not in statement:
+            statements = force_list(policy_block['Statement'])
+            if all('Effect' not in statement for statement in statements):
+                return CheckResult.UNKNOWN
+            for statement in statements:
+                if 'Effect' not in statement or statement['Effect'] == 'Deny' or 'Principal' not in statement:
                     continue
                 principal = statement['Principal']
                 if principal == '*':

diff --git a/tests/arm/checks/resource/example_StorageAccountName/substring.bicep b/tests/arm/checks/resource/example_StorageAccountName/substring.bicep
@@ -0,0 +1,52 @@
+@description('Name of the environment')
+param environmentName string
+
+@description('Name of the Storage account')
+param storageAccountName string = substring('abcdefgh${environmentName}${uniqueString(resourceGroup().id)}', 0, 24)
+
+@description('Provide a location for the resources.')
+param location string = resourceGroup().location
+
+resource dataStorageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = {
+  name: storageAccountName
+  location: location
+  sku: {
+    name: 'Standard_LRS'
+  }
+  kind: 'StorageV2'
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    accessTier: 'Hot'
+    allowBlobPublicAccess: false
+    allowSharedKeyAccess: true
+    allowCrossTenantReplication: false
+    isHnsEnabled: true
+    allowedCopyScope: 'AAD'
+    defaultToOAuthAuthentication: false
+    encryption: {
+      keySource: 'Microsoft.Storage'
+      requireInfrastructureEncryption: false
+      services: {
+        blob: {
+          enabled: true
+          keyType: 'Account'
+        }
+      }
+    }
+    minimumTlsVersion: 'TLS1_2'
+    largeFileSharesState: 'Disabled'
+    sasPolicy: {
+      expirationAction: 'Log'
+      sasExpirationPeriod: '00.00:10:00'
+    }
+    supportsHttpsTrafficOnly: true
+    networkAcls: {
+      bypass: 'AzureServices'
+      virtualNetworkRules: []
+      ipRules: []
+      defaultAction: 'Allow'
+    }
+  }
+}
diff --git a/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf b/tests/terraform/checks/resource/aws/example_S3AllowsAnyPrincipal/main.tf
@@ -483,4 +483,17 @@ resource "aws_s3_bucket" "pass_w_condition6" {
   ]
 }
 POLICY
+}
+
+# Handle error
+resource "aws_s3_bucket_policy" "logs" {
+  bucket = aws_s3_bucket.logs.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = concat(
+      jsondecode(data.aws_iam_policy_document.logs-cloudtrail-policy-acl-check.json).Statement,
+      jsondecode(data.aws_iam_policy_document.s3-logs-cloudtrail-policy-write.json).Statement,
+      jsondecode(data.aws_iam_policy_document.s3-logs-vpc-flow-logs-policy.json).Statement,
+    )
+  })
 }
diff --git a/tests/terraform/graph/checks/resources/Route53ZoneEnableDNSSECSigning/expected.yaml b/tests/terraform/graph/checks/resources/Route53ZoneEnableDNSSECSigning/expected.yaml
@@ -2,5 +2,6 @@ pass:
   - "aws_route53_zone.pass"
   - "aws_route53_zone.private_with_inline_vpc"
   - "aws_route53_zone.private_with_zone_association"
+  - "aws_route53_zone.pass_signing_key"
 fail:
-  - "aws_route53_zone.fail"
+  - "aws_route53_zone.fail2"
diff --git a/tests/terraform/graph/checks/resources/Route53ZoneEnableDNSSECSigning/main.tf b/tests/terraform/graph/checks/resources/Route53ZoneEnableDNSSECSigning/main.tf
@@ -34,13 +34,14 @@ resource "aws_route53_zone_association" "private" {
   vpc_id  = "vpc-1a2b3c4d"
 }
 
-#fail
-resource "aws_route53_zone" "fail" {
-  name = "fail"
+#pass with signing key
+resource "aws_route53_zone" "pass_signing_key" {
+  name = "pass"
 }
+
 resource "aws_route53_key_signing_key" "fail" {
-  hosted_zone_id             = aws_route53_zone.fail.id
-  key_management_service_arn = aws_kms_key.fail.arn
+  hosted_zone_id             = aws_route53_zone.pass_signing_key.id
+  key_management_service_arn = aws_kms_key.pass_signing_key.arn
   name                       = "pass"
 }
 

diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
@@ -568,6 +568,9 @@ def test_OSSBucketPublic(self):
     def test_Route53ZoneHasMatchingQueryLog(self):
         self.go("Route53ZoneHasMatchingQueryLog")
 
+    def test_Route53ZoneEnableDNSSECSigning(self):
+        self.go("Route53ZoneEnableDNSSECSigning")
+
 
     def test_registry_load(self):
         registry = Registry(parser=GraphCheckParser(), checks_dir=str(