
CFT scanning doesn't support short form intrinsic functions #1693

Open

cpasquini opened this issue Aug 20, 2024 · 1 comment

@cpasquini

  • terrascan version: v1.19.1
  • Operating System: MacOS

Description

CFT scanning doesn't support short form intrinsic functions and treats a use of short form as a vulnerability.

I've seen this issue occur for multiple resource types in our YAML templates.

What I Did

An example yaml resource is seen below - notice that it uses the short form of the ImportValue function (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html#w45aac23c24c46b9) :

  SQSQueue:
    Type: AWS::SQS::Queue
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      QueueName: test
      KmsDataKeyReusePeriodSeconds: 300
      KmsMasterKeyId: !ImportValue imported_value
      MessageRetentionPeriod: 345600 #4 days
      RedrivePolicy:
        deadLetterTargetArn: <insert_dead_letter_arn>
        maxReceiveCount: 5

Running a scan on that resource returns an error (terrascan scan -i cft -f sqs-example.yaml --severity high -o yaml):

  - rule_name: sqsSseDisabled
    description: Ensure that your Amazon Simple Queue Service (SQS) queues are protecting the contents of their messages using Server-Side Encryption (SSE). The SQS service uses an AWS KMS Customer Master Key (CMK) to generate data keys required for the encryption/decryption process of SQS messages. There is no additional charge for using SQS Server-Side Encryption, however, there is a charge for using AWS KMS
    rule_id: AC_AWS_0366
    severity: HIGH
    category: Security Best Practices

but updating the resource to use the long form OR updating the resource to use a standard string will fix the problem, for example changing to Fn::ImportValue:

  SQSQueue:
    Type: AWS::SQS::Queue
    UpdateReplacePolicy: Delete
    DeletionPolicy: Delete
    Properties:
      QueueName: test
      KmsDataKeyReusePeriodSeconds: 300
      KmsMasterKeyId: Fn::ImportValue imported_value
      MessageRetentionPeriod: 345600 #4 days
      RedrivePolicy:
        deadLetterTargetArn: <insert_dead_letter_arn>
        maxReceiveCount: 5

This happens for Fn:Ref (!Ref) and others.

@cpasquini (Author)

I did check the v1.19.1 code and it seems that this should be supported, so I am not sure why it is failing:

https://github.com/tenable/terrascan/blob/v1.19.1/pkg/iac-providers/cft/v1/yamlparse.go
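The mechanism at stake in this issue is how a YAML loader treats the short-form tags (`!ImportValue`, `!Ref`, `!GetAtt`, `!Sub`, ...). A loader that does not register constructors for them either rejects the document or drops the value, and a rule that then checks whether `KmsMasterKeyId` is set sees nothing. The following is an added example, not terrascan's code and not the linked `yamlparse.go`: it uses Python with PyYAML (rather than terrascan's Go parser) to register a catch-all constructor that rewrites every `!Name` tag into its long-form mapping, and then runs a simplified SSE check modelled on the `sqsSseDisabled` finding quoted above. The template, the `sqs_sse_enabled` logic and the rule tuple returned by `scan` are constructed here for illustration and are assumptions, not terrascan's actual rule implementation.

```python
"""Load CloudFormation YAML with short-form intrinsic functions rewritten to
long form, then apply a simplified SQS server-side-encryption check.

Added example (not terrascan code). Requires PyYAML: pip install pyyaml
"""
import yaml


def long_form_key(tag_suffix: str) -> str:
    """Map the text after '!' to the long-form key CloudFormation uses.

    '!Ref' becomes the bare key 'Ref'; every other short form becomes 'Fn::<Name>'.
    """
    return "Ref" if tag_suffix == "Ref" else f"Fn::{tag_suffix}"


class CfnLoader(yaml.SafeLoader):
    """SafeLoader subclass that understands CloudFormation's '!' tags."""


def _construct_intrinsic(loader, tag_suffix, node):
    """Multi-constructor for any tag starting with '!'.

    Returns a one-key mapping, which is exactly the long-form spelling, so
    downstream rules see the same structure whichever form the author wrote.
    """
    key = long_form_key(tag_suffix)
    if isinstance(node, yaml.ScalarNode):
        value = loader.construct_scalar(node)
        # '!GetAtt Res.Attr' is dotted in short form; long form is a two-item list.
        if key == "Fn::GetAtt" and isinstance(value, str):
            value = value.split(".", 1)
    elif isinstance(node, yaml.SequenceNode):
        value = loader.construct_sequence(node, deep=True)
    else:
        value = loader.construct_mapping(node, deep=True)
    return {key: value}


# Register once for the whole '!' namespace instead of one constructor per function.
CfnLoader.add_multi_constructor("!", _construct_intrinsic)


# Constructed sample template (assumption): one queue keyed via !ImportValue, one with
# no KMS key at all, plus !GetAtt and !Sub so the other short forms are exercised.
TEMPLATE = """\
Resources:
  SQSQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: test
      KmsMasterKeyId: !ImportValue imported_value
      RedrivePolicy:
        deadLetterTargetArn: !GetAtt DeadLetter.Arn
        maxReceiveCount: 5
  DeadLetter:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: !Sub "${AWS::StackName}-dlq"
"""


def plain_loader_accepts(text: str) -> bool:
    """True if the stock SafeLoader can parse the text. It cannot: unknown '!' tags
    raise a ConstructorError, which is the failure mode a tag-unaware scanner hits."""
    try:
        yaml.load(text, Loader=yaml.SafeLoader)
        return True
    except yaml.YAMLError:
        return False


def load_template(text: str) -> dict:
    """Parse with the tag-aware loader; short forms come back as long-form mappings."""
    return yaml.load(text, Loader=CfnLoader)


def sqs_sse_enabled(resource: dict) -> bool:
    """Simplified check (assumption, not terrascan's rule): SSE counts as enabled if
    SqsManagedSseEnabled is true or KmsMasterKeyId is a non-empty string or an
    intrinsic-function mapping such as {'Fn::ImportValue': ...} or {'Ref': ...}."""
    props = resource.get("Properties") or {}
    if props.get("SqsManagedSseEnabled") is True:
        return True
    key = props.get("KmsMasterKeyId")
    if isinstance(key, str):
        return key.strip() != ""
    if isinstance(key, dict):
        return len(key) == 1 and all(k == "Ref" or k.startswith("Fn::") for k in key)
    return False


def scan(text: str) -> list:
    """Return (logical_id, rule_id, rule_name) for every SQS queue without SSE."""
    doc = load_template(text)
    findings = []
    for logical_id, res in (doc.get("Resources") or {}).items():
        if res.get("Type") == "AWS::SQS::Queue" and not sqs_sse_enabled(res):
            findings.append((logical_id, "AC_AWS_0366", "sqsSseDisabled"))
    return findings


if __name__ == "__main__":
    print("stock SafeLoader accepts template:", plain_loader_accepts(TEMPLATE))
    props = load_template(TEMPLATE)["Resources"]["SQSQueue"]["Properties"]
    print("KmsMasterKeyId after loading:", props["KmsMasterKeyId"])
    print("findings:", scan(TEMPLATE))
```

With the tag-aware loader, `SQSQueue` is no longer flagged because its `KmsMasterKeyId` arrives as `{"Fn::ImportValue": "imported_value"}`, while `DeadLetter`, which genuinely has no key, still is. The stock `SafeLoader` refuses the same document outright, which is the behaviour to look for when a scanner mis-handles short-form templates: either the parse fails, or the tagged value is silently missing by the time the rule runs.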
