Skip to content

Commit

Permalink
Add starter-workflows for Policy Validator, removed references to Git…
Browse files Browse the repository at this point in the history 
…Hub secrets & S3 to keep it simple
  • Loading branch information
@mponaws
mponaws committed Apr 18, 2024
1 parent b7543de commit 55c3b6b
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 21 deletions.
16 changes: 6 additions & 10 deletions code-scanning/policy-validator-cfn.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
# This workflow will validate the IAM policies in the CloudFormation (CFN) templates with using the standard and custom checks in AWS IAM Access Analyzer
# To use this workflow, you will need to complete the following set up steps before start using it:
# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. In the below workflow, ARN of such role is stored in the GitHub secrets with name `POLICY_VALIDATOR_ROLE`
# 2. If you're using CheckNoNewAccess check, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies)and store it's path in S3 bucket / GitHub secrets/ in the GitHub repo to compare them against the policies in the CFN templates. In below workflow, we are storing the path to reference policy in the GitHub secrets with name `REFERENCE_IDENTITY_POLICY` to illustrate
# 3. If you're using the CheckAccessNotGranted check, identify the critical actions that shouldn't be granted access by the policies in the CFN templates. Store these actions in S3 bucket / GitHub secrets to compare them against the policies in the CFN templates. In the below workflow, we are storing the S3 bucket object containing the critical action in the GitHub secret with name `CRITICAL_ACTIONS`
# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the given CFN templates.
# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
name: Validate AWS IAM policies in CloudFormation templates using Policy Validator
on:
Expand All @@ -17,8 +17,10 @@ on:
# The branches below must be a subset of the branches above
branches: [$default-branch]
env:
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATES # set to the file path to the CloudFormation template.
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
jobs:
Expand All @@ -38,7 +40,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
with:
role-to-assume: ${{ secrets.POLICY_VALIDATOR_ROLE }}
role-to-assume: ${{ env.AWS_ROLE }}
aws-region: ${{ env.REGION }}
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer ValidatePolicy check
Expand All @@ -52,20 +54,14 @@ jobs:
- name: Print the result for ValidatePolicy check
if: success() || failure()
run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
# Fetch the critical actions stored in S3, S3 URI is stored in GitHub secrets
- name: Fetch critical actions from s3
id: getCriticalActions
run: |
echo "actionsLst=$(aws s3 cp ${{ secrets.CRITICAL_ACTIONS }} -)" >> $GITHUB_OUTPUT
shell: bash
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
id: run-aws-check-access-not-granted
uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
with:
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
template-path: ${{ env.TEMPLATE_PATH}}
actions: ${{ steps.getCriticalActions.outputs.actionsLst }}
actions: ${{ env.ACTIONS }}
region: ${{ env.REGION }}
# Print result from CHECK_ACCESS_NOT_GRANTED check
- name: Print the result for CheckAccessNotGranted check
Expand Down
18 changes: 7 additions & 11 deletions code-scanning/policy-validator-tf.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,9 @@

# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer
# To use this workflow, you will need to complete the following set up steps before start using it:
# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. In the below workflow, ARN of such role is stored in the GitHub secrets with name `POLICY_VALIDATOR_ROLE`
# 2. If you're using CheckNoNewAccess check, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies)and store it's path in S3 bucket / GitHub secrets/ in the GitHub repo to compare them against the policies in the TF templates. In below workflow, we are storing the path to reference policy in the GitHub secrets with name `REFERENCE_IDENTITY_POLICY` to illustrate
# 3. If you're using the CheckAccessNotGranted check, identify the critical actions that shouldn't be granted access by the policies in the TF templates. Store these actions in S3 bucket / GitHub secrets to compare them against the policies in the TF templates. In the below workflow, we are storing the S3 bucket object containing the critical action in the GitHub secret with name `CRITICAL_ACTIONS`
# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps.
# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates.
# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.

name: Validate AWS IAM policies in Terraform templates using Policy Validator
Expand All @@ -18,8 +18,10 @@ on:
# The branches below must be a subset of the branches above
branches: [$default-branch]
env:
AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.

Expand All @@ -41,7 +43,7 @@ jobs:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
with:
role-to-assume: ${{ secrets.POLICY_VALIDATOR_ROLE }}
role-to-assume: ${{ env.AWS_ROLE }}
aws-region: ${{ env.REGION }}
# Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer ValidatePolicy check
Expand All @@ -55,20 +57,14 @@ jobs:
- name: Print the result for ValidatePolicy check
if: success() || failure()
run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
# Fetch the critical actions stored in S3, S3 URI is stored in GitHub secrets
- name: Fetch critical actions from s3
id: getCriticalActions
run: |
echo "actionsLst=$(aws s3 cp ${{ secrets.CRITICAL_ACTIONS }} -)" >> $GITHUB_OUTPUT
shell: bash
# Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
- name: Run AWS AccessAnalyzer CheckAccessNotGranted check
id: run-aws-check-access-not-granted
uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0
with:
policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
template-path: ${{ env.TEMPLATE_PATH }}
actions: ${{ steps.getCriticalActions.outputs.actionsLst }}
actions: ${{ env.ACTIONS }}
region: ${{ env.REGION }}
# Print result from CHECK_ACCESS_NOT_GRANTED check
- name: Print the result for CheckAccessNotGranted check
Expand Down

0 comments on commit 55c3b6b

Please sign in to comment.