fix for CKV_AWS_111

SumoLogic · Apr 2, 2024 · 0e26729 · 0e26729
1 parent 00ad960
commit 0e26729
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 5 deletions.
diff --git a/aws-observability/apps/alb/alb_app.template.yaml b/aws-observability/apps/alb/alb_app.template.yaml
@@ -285,7 +285,10 @@ Resources:
                   - logs:CreateLogGroup
                   - logs:CreateLogStream
                   - logs:PutLogEvents
-                Resource: '*'
+              - Effect: "Allow"
+                Action:
+                  - "s3:*"
+                Resource: 'LambdaHelper'
 
   LambdaHelper:
     Type: 'AWS::Serverless::Function'

diff --git a/aws-observability/apps/common/resources.template.yaml b/aws-observability/apps/common/resources.template.yaml
@@ -449,7 +449,11 @@ Resources:
                 Action:
                   - s3:GetBucketPolicy
                   - s3:PutBucketPolicy
+              - Effect: "Allow"
+                Action:
+                  - "s3:*"
                 Resource:
+                  - LambdaHelper
                   - !Sub
                     - "arn:aws:s3:::${S3Bucket}"
                     - S3Bucket: !If [install_alb_logs_source, !If [ create_alb_bucket, !Ref CommonS3Bucket, !Ref ALBS3LogsBucketName ], ""] 
@@ -511,7 +515,10 @@ Resources:
                   - logs:CreateLogGroup
                   - logs:CreateLogStream
                   - logs:PutLogEvents
-                Resource: '*'
+              - Effect: "Allow"
+                Action:
+                  - "s3:*"
+                Resource: 'LambdaHelperAlias'
 
   LambdaHelperAlias:
     Type: 'AWS::Serverless::Function'

diff --git a/aws-observability/apps/elb/elb_app.template.yaml b/aws-observability/apps/elb/elb_app.template.yaml
@@ -282,7 +282,10 @@ Resources:
                   - logs:CreateLogGroup
                   - logs:CreateLogStream
                   - logs:PutLogEvents
-                Resource: '*'
+              - Effect: "Allow"
+                Action:
+                  - "s3:*"
+                Resource: 'LambdaHelper'
 
   LambdaHelper:
     Type: 'AWS::Serverless::Function'

diff --git a/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml b/aws-observability/apps/hostmetricsfields/host_metrics_add_fields.template.yaml
@@ -174,7 +174,10 @@ Resources:
                   - logs:CreateLogStream
                   - logs:PutLogEvents
                   - ec2:DescribeInstances
-                Resource: '*'
+              - Effect: "Allow"
+                Action:
+                  - "s3:*"
+                Resource: 'LambdaHelper'
 
   LambdaHelper:
     Type: AWS::Lambda::Function

diff --git a/aws-observability/templates/sumologic_observability.mp.test.yaml b/aws-observability/templates/sumologic_observability.mp.test.yaml
@@ -549,7 +549,7 @@ Resources:
               - Effect: "Allow"
                 Action:
                   - "s3:*"
-                Resource: "*"
+                Resource: "SecretsRetrievalFunction"
       ManagedPolicyArns:
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
   # Retrieving secrets passed in via SecretsManager Arn