feat: Add support for GitHub Enterprise Cloud #29
Conversation
Bridgecrew has found errors in this PR ⬇️
@@ -22,8 +24,6 @@ module "aws_oidc_github" { | |||
iam_role_inline_policies = { | |||
"example_inline_policy" : data.aws_iam_policy_document.example.json | |||
} | |||
|
|||
additional_thumbprints = var.additional_thumbprints | |||
} | |||
|
|||
data "aws_iam_policy_document" "example" { |
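Review bot: the hunk header `@@ -22,8 +24,6 @@` shows two lines leaving the example, and the only candidate among the visible lines (the `+`/`-` markers were lost in rendering) is `additional_thumbprints = var.additional_thumbprints` together with its preceding blank line; if the variable itself still exists in the module, the PR description should say so, because readers copying the example will no longer pass thumbprints. The `data "aws_iam_policy_document" "example"` that begins at the end of the hunk is the document Checkov CKV_AWS_108 flags below, so the example would be cleaner with its `resources` scoped to specific ARNs rather than `*`.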
Ensure IAM policies do not allow data exfiltration
Resource: aws_iam_policy_document.example | Bridgecrew ID: BC_AWS_IAM_55 | Checkov ID: CKV_AWS_108
How to Fix
    data "aws_iam_policy_document" "example" {
      statement {
        sid    = "1"
        effect = "Allow"
        actions = [
          "lambda:CreateFunction",
          "lambda:CreateEventSourceMapping",
          "dynamodb:CreateTable",
        ]
        resources = [
          "*",
        ]
      }
    }
Description
Data Exfiltration actions allow certain read-only IAM actions without resource constraints, such as s3:GetObject, ssm:GetParameter*, or secretsmanager:GetSecretValue.
1 - Unrestricted s3:GetObject permissions have a long history of customer data leaks.
2 - ssm:GetParameter* and secretsmanager:GetSecretValue are both used to access secrets.
3 - rds:CopyDBSnapshot and rds:CreateDBSnapshot can be used to exfiltrate RDS database contents.
For more information, visit the cloudsplaining documentation: https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/
Adds support for GitHub Enterprise Cloud customers by adding a new variable called `enterprise_slug` which, when populated, will configure the OIDC provider with a different issuer URL, and will condition the role to be assumed only when the `iss` claim includes the enterprise slug.
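As an added illustration (not code from the module or from this PR), the checks the description relies on, evaluated offline in Python over a constructed token: the issuer URL derived from `enterprise_slug`, plus the `aud` and `sub` conditions a GitHub OIDC trust policy normally carries. The slug, repository and claim values are assumptions.

```python
"""Evaluate the trust conditions a GitHub -> AWS OIDC role relies on.

Constructed example: it mirrors the iss/aud/sub checks an IAM trust policy
applies, so the effect of `enterprise_slug` can be seen without AWS.
"""
import base64
import fnmatch
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def issuer_url(enterprise_slug: str = "") -> str:
    """Issuer URL GitHub uses: the shared host, or host/<slug> for a
    GitHub Enterprise Cloud customer with a unique issuer."""
    base = f"https://{GITHUB_OIDC_HOST}"
    return f"{base}/{enterprise_slug}" if enterprise_slug else base


def decode_claims(jwt: str) -> dict:
    """Return the JWT payload without verifying the signature (AWS does
    that against the provider's JWKS; this only inspects the claims)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def role_assumable(claims: dict, allowed_repos: list, enterprise_slug: str = ""):
    """Apply the conditions in trust-policy order:
    iss (StringEquals), aud (StringEquals), sub (StringLike)."""
    expected_iss = issuer_url(enterprise_slug)
    if claims.get("iss") != expected_iss:
        return False, f"iss {claims.get('iss')!r} != {expected_iss!r}"
    if claims.get("aud") != "sts.amazonaws.com":
        return False, f"aud {claims.get('aud')!r} is not sts.amazonaws.com"
    # fnmatchcase approximates IAM StringLike's '*' and '?' wildcards.
    patterns = [f"repo:{repo}:*" for repo in allowed_repos]
    if not any(fnmatch.fnmatchcase(claims.get("sub", ""), p) for p in patterns):
        return False, f"sub {claims.get('sub')!r} matches none of {patterns}"
    return True, "all conditions satisfied"


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for the example (not a real token)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    token = make_token({"iss": issuer_url("octo-enterprise"),   # assumed slug
                        "aud": "sts.amazonaws.com",
                        "sub": "repo:octo-org/octo-repo:ref:refs/heads/main"})
    claims = decode_claims(token)
    print(role_assumable(claims, ["octo-org/octo-repo"], "octo-enterprise"))
    print(role_assumable(claims, ["octo-org/octo-repo"]))  # shared issuer: denied
```

The second call shows the point of the new variable: a token issued under the enterprise issuer is refused by a role that still trusts the shared issuer URL, and vice versa.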