
bug: cannot suppress Resource::* on IAM Role with managed policy that uses *-Resource #1481

Closed
ArneOttenVW opened this issue Oct 20, 2023 · 2 comments
Labels: guidance (Question that needs advice or information.), needs-reproduction (This issue needs reproduction)

Comments

@ArneOttenVW

What is the problem?

I get an AwsSolutions-IAM5[Resource::*] error on a Role that is using the AWS managed policy AmazonECSTaskExecutionRolePolicy, even though I am suppressing it. The managed policy is using the * resource, which is the error I want to suppress.

Reproduction Steps

import * as iam from 'aws-cdk-lib/aws-iam';
import { NagSuppressions } from 'cdk-nag';

// Execution role for the ECS task, attached to the AWS managed policy
const executionRole = new iam.Role(this, 'TaskExecutionRole', {
  roleName: `FrontendExecutionRole`,
  assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
  managedPolicies: [{ managedPolicyArn: 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy' }]
});
// Suppress the managed-policy and wildcard findings on the role and its children
NagSuppressions.addResourceSuppressions(executionRole,
  [
    { id: 'AwsSolutions-IAM4', reason: 'Needed for every task execution role.' },
    { id: 'AwsSolutions-IAM5', reason: 'Managed policy uses * resource identifier.', appliesTo: ['Resource::*'] }
  ],
  true
);
cdk synth --quiet

[Error at /FrontendStack/FrontendService/TaskExecutionRole/DefaultPolicy/Resource] AwsSolutions-IAM5[Resource::*]: The IAM entity contains wildcard permissions and does not have a cdk-nag rule suppression with evidence for those permission. Metadata explaining the evidence (e.g. via supporting links) for wildcard permissions allows for transparency to operators. This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'Action::<action>' for policy actions and 'Resource::<resource>' for resources. Example: appliesTo: ['Action::s3:*'].

What did you expect to happen?

The error should be suppressed.

What actually happened?

The error is still showing up, even with the applyToChildren option. The only way I could find to suppress it is to provide the full path with NagSuppressions.addResourceSuppressionsByPath.

cdk-nag version

2.27.167

Language

Typescript

Other information

No response

@ArneOttenVW ArneOttenVW added bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Oct 20, 2023
@dontirun dontirun added needs-reproduction This issue needs reproduction and removed bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Oct 20, 2023
@dontirun
Collaborator

I'm unable to reproduce the error with the given snippet, as the default policy has not been generated at this point (see the CloudFormation below).

 {
 "Resources": {
  "TaskExecutionRole250D2532": {
   "Type": "AWS::IAM::Role",
   "Properties": {
    "AssumeRolePolicyDocument": {
     "Statement": [
      {
       "Action": "sts:AssumeRole",
       "Effect": "Allow",
       "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "ManagedPolicyArns": [
     "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
    ],
    "RoleName": "FrontendExecutionRole"
   },
   "Metadata": {
    "aws:cdk:path": "test-iam-stack/TaskExecutionRole/Resource",
    "cdk_nag": {
     "rules_to_suppress": [
      {
       "reason": "Managed policy uses * resource identifier.",
       "id": "AwsSolutions-IAM5",
       "applies_to": [
        "Resource::*"
       ]
      }
     ]
    }
   }
  },

You will need to move the suppression to after the Policy has been created, which in this case is probably after the ECS Task using this role has been initialized.

@dontirun dontirun added the guidance Question that needs advice or information. label Oct 20, 2023
@dontirun dontirun self-assigned this Oct 20, 2023
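To make the ordering point above concrete, here is a small TypeScript model of the mechanism, added for this page; it is not code from cdk-nag or aws-cdk-lib. It builds a construct tree with a `findAll()` walk and an `addResourceSuppressions` that, like cdk-nag's, walks the tree once at call time and stamps `cdk_nag.rules_to_suppress` metadata on the CloudFormation resources that exist at that moment. The construct ids mirror the path in the reported error; the `Construct` class, `isSuppressed` helper and `scenario` function are assumptions made for illustration.

```typescript
// Added illustration for this issue: a minimal model of the CDK construct tree
// and of cdk-nag's eager suppression walk. Not aws-cdk-lib or cdk-nag code.

type Suppression = { id: string; reason: string; appliesTo?: string[] };
type NagMetadata = { rules_to_suppress: Suppression[] };

class Construct {
  readonly children: Construct[] = [];
  // Only constructs that synthesize to a CloudFormation resource carry metadata
  readonly metadata: Record<string, unknown> = {};

  constructor(
    readonly scope: Construct | undefined,
    readonly id: string,
    readonly cfnType?: string,
  ) {
    if (scope !== undefined) scope.children.push(this);
  }

  get path(): string {
    return this.scope ? `${this.scope.path}/${this.id}` : this.id;
  }

  // This construct plus every descendant, like construct.node.findAll()
  findAll(): Construct[] {
    const out: Construct[] = [this];
    for (const child of this.children) out.push(...child.findAll());
    return out;
  }
}

// Model of NagSuppressions.addResourceSuppressions: it walks the tree once,
// at call time, and stamps metadata on the resources that exist right then.
function addResourceSuppressions(
  construct: Construct,
  suppressions: Suppression[],
  applyToChildren = false,
): void {
  const targets = applyToChildren ? construct.findAll() : [construct];
  for (const target of targets) {
    if (!target.cfnType) continue; // plain constructs have no CloudFormation metadata
    const current = (target.metadata['cdk_nag'] as NagMetadata | undefined)?.rules_to_suppress ?? [];
    target.metadata['cdk_nag'] = { rules_to_suppress: [...current, ...suppressions] };
  }
}

// Model of how a granular rule checks evidence: a suppression must name the
// rule, and if it carries appliesTo, the specific finding must be listed.
function isSuppressed(resource: Construct, ruleId: string, finding: string): boolean {
  const rules = (resource.metadata['cdk_nag'] as NagMetadata | undefined)?.rules_to_suppress ?? [];
  return rules.some(
    (r) => r.id === ruleId && (r.appliesTo === undefined || r.appliesTo.includes(finding)),
  );
}

// Rebuild the tree from the issue. DefaultPolicy is created lazily by the
// first grant (for example when a container with a log driver is added to
// the task definition), which is why the order of calls matters.
function scenario(suppressBeforeGrant: boolean): {
  policyPath: string;
  roleSuppressed: boolean;
  policySuppressed: boolean;
} {
  const stack = new Construct(undefined, 'FrontendStack');
  const service = new Construct(stack, 'FrontendService');
  const role = new Construct(service, 'TaskExecutionRole');
  const roleResource = new Construct(role, 'Resource', 'AWS::IAM::Role');

  const suppress = () =>
    addResourceSuppressions(
      role,
      [
        { id: 'AwsSolutions-IAM4', reason: 'Needed for every task execution role.' },
        { id: 'AwsSolutions-IAM5', reason: 'Managed policy uses * resource identifier.', appliesTo: ['Resource::*'] },
      ],
      true,
    );

  if (suppressBeforeGrant) suppress();

  // The grant happens here: DefaultPolicy and its AWS::IAM::Policy appear under the role
  const defaultPolicy = new Construct(role, 'DefaultPolicy');
  const policyResource = new Construct(defaultPolicy, 'Resource', 'AWS::IAM::Policy');

  if (!suppressBeforeGrant) suppress();

  return {
    policyPath: policyResource.path,
    roleSuppressed: isSuppressed(roleResource, 'AwsSolutions-IAM5', 'Resource::*'),
    policySuppressed: isSuppressed(policyResource, 'AwsSolutions-IAM5', 'Resource::*'),
  };
}
```

`scenario(true)` reproduces the report: the role resource carries the suppression, the `DefaultPolicy/Resource` created afterwards does not, so the `Resource::*` finding survives. `scenario(false)` is the fix suggested above: with the walk run after the grant, both resources carry it. In a real stack the same rule applies: place the `NagSuppressions.addResourceSuppressions(executionRole, ...)` call after the construct that triggers the grant (here, after the task definition and container that use the role), because `applyToChildren` is a one-time walk, not a subscription to children added later.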
@ArneOttenVW
Author

I see. I moved the suppression down and that solved my issue. Thank you very much!
