@@ -0,0 +1,40 @@
metadata:
name: "Ensure no open CORS policy"
id: "CKV2_AWS_75"
category: "NETWORKING"
scope:
provider: "aws"
definition:
and:
- cond_type: "filter"
attribute: "resource_type"
value:
- "AWS::Lambda::Function"
operator: "within"
- or:
- cond_type: "connection"
operator: "not_exists"
resource_types:
- "AWS::Lambda::Function"
connected_resource_types:
- "AWS::Lambda::Url"
- and:
- cond_type: "connection"
operator: "exists"
resource_types:
- "AWS::Lambda::Function"
connected_resource_types:
- "AWS::Lambda::Url"
- or:
- cond_type: "attribute"
resource_types:
- "AWS::Lambda::Url"
attribute: "Cors.AllowOrigins"
operator: "not_contains"
value: "*"
- cond_type: "attribute"
resource_types:
- "AWS::Lambda::Url"
attribute: "Cors.AllowMethods"
operator: "not_contains"
value: "*"
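Review bot: The inner `or` between the two attribute conditions (`attribute: "Cors.AllowOrigins"` and `attribute: "Cors.AllowMethods"`) means the check only fails when both lists contain `*`; a URL with `AllowOrigins` set to `*` and an explicit method list passes, which the `ValidLambdaFunctionOnlyOriginsStar` fixture confirms is intended. Since a wildcard origin on its own is commonly what "open CORS policy" means, state that decision in the check's description or guideline, or change the inner `or` to `and` if the intent is to flag either wildcard. Also worth documenting: the `not_exists` connection branch makes the check pass for any function whose URL is not linked by a graph edge, so a URL that names its function with a literal string rather than `!Ref` is never evaluated.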
@@ -0,0 +1,40 @@
metadata:
name: "Ensure no open CORS policy"
id: "CKV2_AWS_75"
category: "NETWORKING"
scope:
provider: "aws"
definition:
and:
- cond_type: "filter"
attribute: "resource_type"
value:
- "aws_lambda_function"
operator: "within"
- or:
- cond_type: "connection"
operator: "not_exists"
resource_types:
- "aws_lambda_function"
connected_resource_types:
- "aws_lambda_function_url"
- and:
- cond_type: "connection"
operator: "exists"
resource_types:
- "aws_lambda_function"
connected_resource_types:
- "aws_lambda_function_url"
- or:
- cond_type: "attribute"
resource_types:
- "aws_lambda_function_url"
attribute: "cors.allow_origins"
operator: "not_contains"
value: "*"
- cond_type: "attribute"
resource_types:
- "aws_lambda_function_url"
attribute: "cors.allow_methods"
operator: "not_contains"
value: "*"
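Review bot: This is the Terraform twin of the CloudFormation definition with the same semantics (fails only when both `cors.allow_origins` and `cors.allow_methods` contain `*`), so the same documentation point applies, and the two files should be edited together whenever one changes. One Terraform-specific detail to confirm in the test run: for the `valid_lambda_function_no_cors_definition` fixture to pass, `not_contains` on `cors.allow_origins` must evaluate true when no `cors` block is declared at all, so the check relies on the operator treating an absent attribute as non-matching rather than as an error.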
@@ -0,0 +1,12 @@
pass:
- "AWS::Lambda::Function.ValidLambdaFunction"
- "AWS::Lambda::Function.ValidLambdaFunctionWithoutUrl"
- "AWS::Lambda::Function.ValidLambdaFunctionNoCorsDefinition"
- "AWS::Lambda::Function.ValidLambdaFunctionOnlyOriginsStar"
- "AWS::Lambda::Function.ValidLambdaFunctionOnlyMethodsStar"
fail:
- "AWS::Lambda::Function.InvalidLambdaFunction"
evaluated_keys:
Contributor
what is the purpose of the evaluated keys here?

Contributor Author
I didn't find any documentation about this field, but I assume it asserts that the evaluated keys are the same keys that have an attribute field in the check yaml itself.

So if, for example, I ensured that the attribute AllowOrigins doesn't contain *, it should appear in the test's evaluated_keys (otherwise the tests fail).

- Cors/AllowMethods
- Cors/AllowOrigins
- resource_type
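Review bot: `evaluated_keys` lists the attributes in slash notation (`Cors/AllowOrigins`, `Cors/AllowMethods`) while the check definition addresses the same attributes in dot notation (`Cors.AllowOrigins`); if the harness derives one form from the other, a one-line comment in this expected file saying so would answer the question raised above for the next contributor. The `resource_type` entry is there because the `filter` condition reads it, which is worth the same note.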
@@ -0,0 +1,129 @@
Resources:
ValidLambdaFunctionWithoutUrl:
Type: AWS::Lambda::Function
Properties:
Handler: index.handler
Runtime: nodejs14.x
Role: !GetAtt ExampleRole.Arn
Code:
S3Bucket: example-bucket
S3Key: lambda_function_payload.zip

ValidLambdaFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: example_lambda_function
Handler: index.handler
Runtime: nodejs14.x
Role: !GetAtt ExampleRole.Arn
Code:
S3Bucket: example-bucket
S3Key: lambda_function_payload.zip

ValidLambdaUrl:
Type: AWS::Lambda::Url
Properties:
FunctionName: !Ref ValidLambdaFunction
Cors:
AllowOrigins:
- https://example.com
AllowMethods:
- GET
- POST
ServiceToken: "arn:aws:lambda:us-west-2:123456789012:function:dummy-token"

ValidLambdaFunctionNoCorsDefinition:
Type: AWS::Lambda::Function
Properties:
FunctionName: example_lambda_function
Handler: index.handler
Runtime: nodejs14.x
Role: !GetAtt ExampleRole.Arn
Code:
S3Bucket: example-bucket
S3Key: lambda_function_payload.zip

ValidLambdaUrlNoCorsDefinition:
Type: AWS::Lambda::Url
Properties:
FunctionName: !Ref ValidLambdaFunctionNoCorsDefinition
ServiceToken: "arn:aws:lambda:us-west-2:123456789012:function:dummy-token"

ValidLambdaFunctionOnlyOriginsStar:
Type: AWS::Lambda::Function
Properties:
FunctionName: example_lambda_function
Handler: index.handler
Runtime: nodejs14.x
Role: !GetAtt ExampleRole.Arn
Code:
S3Bucket: example-bucket
S3Key: lambda_function_payload.zip

ValidLambdaUrlOnlyOriginsStar:
Type: AWS::Lambda::Url
Properties:
FunctionName: !Ref ValidLambdaFunctionOnlyOriginsStar
Cors:
AllowOrigins:
- "*"
AllowMethods:
- GET
- POST
ServiceToken: "arn:aws:lambda:us-west-2:123456789012:function:dummy-token"

ValidLambdaFunctionOnlyMethodsStar:
Type: AWS::Lambda::Function
Properties:
FunctionName: example_lambda_function
Handler: index.handler
Runtime: nodejs14.x
Role: !GetAtt ExampleRole.Arn
Code:
S3Bucket: example-bucket
S3Key: lambda_function_payload.zip

ValidLambdaUrlOnlyMethodsStar:
Type: AWS::Lambda::Url
Properties:
FunctionName: !Ref ValidLambdaFunctionOnlyMethodsStar
Cors:
AllowOrigins:
- https://example.com
AllowMethods:
- "*"
ServiceToken: "arn:aws:lambda:us-west-2:123456789012:function:dummy-token"

InvalidLambdaFunction:
Type: AWS::Lambda::Function
Properties:
FunctionName: example_lambda_function
Handler: index.handler
Runtime: nodejs14.x
Role: !GetAtt ExampleRole.Arn
Code:
S3Bucket: example-bucket
S3Key: lambda_function_payload.zip

InvalidLambdaUrl:
Type: AWS::Lambda::Url
Properties:
FunctionName: !Ref InvalidLambdaFunction
Cors:
AllowOrigins:
- "*"
AllowMethods:
- "*"
ServiceToken: "arn:aws:lambda:us-west-2:123456789012:function:dummy-token"

ExampleRole:
Type: AWS::IAM::Role
Properties:
RoleName: example_role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
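Review bot: The `AWS::Lambda::Url` fixtures use `FunctionName` and `ServiceToken`, neither of which is a property of that resource type; the real schema requires `TargetFunctionArn` and `AuthType`, and `ServiceToken` belongs to custom resources. The check still works because the graph edge is built from the `!Ref`, but a fixture that mirrors a deployable template is better, e.g. `TargetFunctionArn: !Ref ValidLambdaFunction` plus `AuthType: AWS_IAM` to match the `authorization_type = "AWS_IAM"` used on the Terraform side. Separately, every function except `ValidLambdaFunctionWithoutUrl` sets the same `FunctionName: example_lambda_function`; unique names, or dropping the property, avoid a template that could never deploy.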
3 changes: 3 additions & 0 deletions tests/cloudformation/graph/checks/test_yaml_policies.py
Expand Up @@ -57,6 +57,9 @@ def test_ACMWildcardDomainName(self):
def test_CloudfrontOriginNotHTTPSOnly(self):
self.go("CloudfrontOriginNotHTTPSOnly")

def test_LambdaOpenCorsPolicy(self):
self.go("LambdaOpenCorsPolicy")

def test_registry_load(self):
registry = self.get_checks_registry()
self.assertGreater(len(registry.checks), 0)
@@ -0,0 +1,8 @@
pass:
- "aws_lambda_function.valid_lambda_function"
- "aws_lambda_function.valid_lambda_function_no_cors_definition"
- "aws_lambda_function.valid_lambda_function_only_allow_origins_star"
- "aws_lambda_function.valid_lambda_function_only_allow_methods_star"
- "aws_lambda_function.valid_lambda_function_without_url"
fail:
- "aws_lambda_function.invalid_lambda_function"
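Review bot: Unlike the CloudFormation expected file in this PR, this one has no `evaluated_keys` section. If the harness treats the section as optional, add it here as well so the two expected files stay symmetric; if it is only required for CloudFormation, a short comment in one of the files would save the next reader the question already raised in this review.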
107 changes: 107 additions & 0 deletions tests/terraform/graph/checks/resources/LambdaOpenCorsPolicy/main.tf
@@ -0,0 +1,107 @@
provider "aws" {
region = "us-west-2"
}

resource "aws_lambda_function" "valid_lambda_function" {
function_name = "example_lambda_function"
handler = "index.handler"
runtime = "nodejs14.x"
role = aws_iam_role.example_role.arn
filename = "lambda_function_payload.zip"
}

resource "aws_lambda_function" "valid_lambda_function_without_url" {
function_name = "example_lambda_function"
handler = "index.handler"
runtime = "nodejs14.x"
role = aws_iam_role.example_role.arn
filename = "lambda_function_payload.zip"
}

resource "aws_lambda_function_url" "valid_lambda_function_url" {
function_name = aws_lambda_function.valid_lambda_function.function_name
cors {
allow_origins = ["https://example.com"]
allow_methods = ["GET", "POST"]
}
authorization_type = "AWS_IAM"
}

resource "aws_lambda_function" "valid_lambda_function_no_cors_definition" {
function_name = "example_lambda_function"
handler = "index.handler"
runtime = "nodejs14.x"
role = aws_iam_role.example_role.arn
filename = "lambda_function_payload.zip"
}

resource "aws_lambda_function_url" "valid_lambda_function_url_no_cors_definition" {
function_name = aws_lambda_function.valid_lambda_function_no_cors_definition.function_name
authorization_type = "AWS_IAM"
}

resource "aws_lambda_function" "valid_lambda_function_only_allow_origins_star" {
function_name = "example_lambda_function"
handler = "index.handler"
runtime = "nodejs14.x"
role = aws_iam_role.example_role.arn
filename = "lambda_function_payload.zip"
}

resource "aws_lambda_function_url" "valid_lambda_function_url_only_allow_origins_star" {
function_name = aws_lambda_function.valid_lambda_function_only_allow_origins_star.function_name
cors {
allow_origins = ["*"]
}
authorization_type = "AWS_IAM"
}

resource "aws_lambda_function" "valid_lambda_function_only_allow_methods_star" {
function_name = "example_lambda_function"
handler = "index.handler"
runtime = "nodejs14.x"
role = aws_iam_role.example_role.arn
filename = "lambda_function_payload.zip"
}

resource "aws_lambda_function_url" "valid_lambda_function_url_only_allow_methods_star" {
function_name = aws_lambda_function.valid_lambda_function_only_allow_methods_star.function_name
cors {
allow_methods = ["*"]
}
authorization_type = "AWS_IAM"
}

resource "aws_lambda_function" "invalid_lambda_function" {
function_name = "example_lambda_function"
handler = "index.handler"
runtime = "nodejs14.x"
role = aws_iam_role.example_role.arn
filename = "lambda_function_payload.zip"
}

resource "aws_lambda_function_url" "invalid_lambda_function_url" {
function_name = aws_lambda_function.invalid_lambda_function.function_name
cors {
allow_origins = ["*"]
allow_methods = ["*"]
}
authorization_type = "AWS_IAM"
}

resource "aws_iam_role" "example_role" {
name = "example_role"

assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}
]
})
}
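Review bot: Every `aws_lambda_function` here sets `function_name = "example_lambda_function"`, so the fixture would fail `terraform apply` on duplicate names; the check keys on the graph edge from `aws_lambda_function.<name>.function_name`, so giving each function a distinct name costs nothing and keeps the fixture realistic. All URL resources also use `authorization_type = "AWS_IAM"`, which the check does not read; an `invalid_lambda_function_url` variant with `authorization_type = "NONE"` would document that the finding concerns the CORS lists regardless of the auth type.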
3 changes: 3 additions & 0 deletions tests/terraform/graph/checks/test_yaml_policies.py
Expand Up @@ -574,6 +574,9 @@ def test_Route53ZoneEnableDNSSECSigning(self):
def test_LBWeakCiphers(self):
self.go("LBWeakCiphers")

def test_LambdaOpenCorsPolicy(self):
self.go("LambdaOpenCorsPolicy")


def test_registry_load(self):
registry = Registry(parser=GraphCheckParser(), checks_dir=str(
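Review bot: The added blank line after `self.go("LambdaOpenCorsPolicy")` sits next to the existing blank line, leaving two blank lines between methods inside the class; drop one so the spacing matches the surrounding tests and the CloudFormation twin of this change.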
2 changes: 1 addition & 1 deletion tests/terraform/runner/test_runner.py
Expand Up @@ -471,7 +471,7 @@ def test_no_missing_ids(self):
for check_list in [aws_checks, gcp_checks, azure_checks]:
check_list.sort(reverse=True, key=lambda s: int(s.split('_')[-1]))

for i in range(1, len(aws_checks) + 3):
for i in range(1, len(aws_checks) + 2):
Contributor
why is this needed?

Contributor
He added the same check to 2 frameworks, so they need the same ID

if f'CKV2_AWS_{i}' == 'CKV2_AWS_17':
# CKV2_AWS_17 was overly keen and those resources it checks are created by default
continue
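Review bot: Changing the offset from `+ 3` to `+ 2` in `for i in range(1, len(aws_checks) + 2):` keeps the bound correct only while exactly one ID is registered by two frameworks, which is the reason given in the thread but not recorded in the code; the next shared check will need the same edit again. Derive the bound from the data instead, e.g. take the highest ID from the already-descending list (`int(aws_checks[0].split('_')[-1])`) or dedupe with `set(aws_checks)` before calling `len`, and add a comment explaining that one CKV2 ID may be registered by more than one framework.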