Policies authorizing public access to resources are security-sensitive

Rules and Languages Report False-positive / False-negative...
1

We are running sonarqube developer 10.5 (same issue was in 10.4) on terraform code.

This statement of a KMS key policy gives a security hotspot item on rule terraform:S6270 ( Policies authorizing public access to resources are security-sensitive):

  {
    Effect : "Allow",
    Principal = "*",
    Action : [
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ],
    Resource : "*",
    Condition : {
      StringLike : {
        "aws:PrincipalArn" : [
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_ssss_*",
          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/tf-iam-role-k8s-*"
        ]
      }
    }

Why doesn’t SQ recognize the Condition in this statement?

4

Hello Eric,

Thanks for raising this issue! At the moment, the analyzer ignores any conditions. I have created an internal ticket to improve this behavior and to not raise an issue if conditions are set to restrict the allowed principals.

For now, please mark this issue as a false positive since I can’t say for certain when the rule detection will be improved.

1 Like