当为Terraform资源扫描运行checkov时,得到了这个失败的
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: aws_iam_policy_document.foo
File: /data.tf:7-18
data "aws_iam_policy_document" "foo" {
statement {
effect = "Allow"
actions = [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"sns:Subscribe",
]
resources = ["*"]
}
}
从官方文件中,找到了它的介绍页
页面上有一个Fix - Buildtime,但如何将其引用以用于我的案例
从资源面临在页面上,我在"Resource Exposure" actions列表中找不到任何名称为cloudwatch或sns,为什么它失败了?
如果在不添加# checkov:skip=CKV_AWS_111: XXXX的情况下修复它,如何进行调整CCD_ 6块?
你不应该在资源中使用通配符,现在它已经为所有资源广泛开放了。
data "aws_iam_policy_document" "foo" {
statement {
effect = "Allow"
actions = [
"cloudwatch:Describe*",
"cloudwatch:Get*",
"cloudwatch:List*",
"sns:Subscribe",
]
resources = ["resource-arn"]
}
}
如果您将资源的通配符更改为将使用此策略的资源的arns列表,则checkov将不再显示此错误。