Merge pull request #6553 from Checkmarx/kics/945

fix(query): iam_access_analyzer_not_enabled
Checkmarx · Nov 6, 2023 · 8d7fc79 · 8d7fc79
2 parents 82e20dd + 9eddcb2
commit 8d7fc79
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 1 deletion.
diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/query.rego
@@ -6,7 +6,10 @@ import data.generic.common as common_lib
 extensions := {".json", ".yaml"}
 
 CxPolicy[result] {
-	count({i | resources := input.document[i].Resources; resources[_].Type == "AWS::AccessAnalyzer::Analyzer"}) == 0
+
+	resources := input.document[i].Resources;
+	count(resources) > 0
+	count({i | resources[_].Type == "AWS::AccessAnalyzer::Analyzer"}) == 0
 
 	result := {
 		"documentId": input.document[i].id,

diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/negative2.json
@@ -0,0 +1,43 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+      "Analyzer": {
+        "Type": "AWS::AccessAnalyzer::Analyzer",
+        "Properties": {
+          "AnalyzerName": "MyAccountAnalyzer",
+          "Type": "ACCOUNT",
+          "Tags": [
+            {
+              "Key": "Kind",
+              "Value": "Dev"
+            }
+          ],
+          "ArchiveRules": [
+            {
+              "RuleName": "ArchiveTrustedAccountAccess",
+              "Filter": [
+                {
+                  "Property": "principal.AWS",
+                  "Eq": [
+                    "123456789012"
+                  ]
+                }
+              ]
+            },
+            {
+              "RuleName": "ArchivePublicS3BucketsAccess",
+              "Filter": [
+                {
+                  "Property": "resource",
+                  "Contains": [
+                    "arn:aws:s3:::docs-bucket",
+                    "arn:aws:s3:::clients-bucket"
+                  ]
+                }
+              ]
+            }
+          ]
+        }
+      }
+    }
+  }
diff --git a/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive2.json b/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive2.json
@@ -0,0 +1,16 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Description": "A sample template 2",
+    "Resources": {
+      "myuseeer": {
+        "Type": "AWS::IAM::Group",
+        "Properties": {
+          "Path": "/",
+          "LoginProfile": {
+            "Password": "myP@ssW0rd"
+          }
+        }
+      }
+    }
+  }
+
diff --git a/...ies/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json b/...ies/cloudFormation/aws/iam_access_analyzer_not_enabled/test/positive_expected_result.json
@@ -4,5 +4,11 @@
     "severity": "LOW",
     "line": 3,
     "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "IAM Access Analyzer Not Enabled",
+    "severity": "LOW",
+    "line": 4,
+    "fileName": "positive2.json"
   }
 ]