
CKV_AWS_111 - cloudformation check cloudwatch:PutMetricData

Describe the bug

When running checkov against a CloudFormation template with an IAM policy including the action cloudwatch:PutMetricData and a condition limiting the action to a specific namespace, the CKV_AWS_111 rule is triggered. Since PutMetricData doesn’t support limiting by a resource, the condition seems like it should be a sufficient control to limit write access.

To Reproduce

Steps to reproduce the behavior:

  1. Create a CloudFormation template containing a policy that looks like:

       - Sid: AllowPutMetricData
         Effect: Allow
         Action:
           - cloudwatch:PutMetricData
         Resource: "*"
         Condition:
           StringEquals:
             cloudwatch:namespace: Namespace

  2. Run checkov -d </path/to/cloudformation> --quiet
  3. You should see checkov flag the policy as a violation of CKV_AWS_111

Expected behavior

I expect checkov to consider that policy valid for the CKV_AWS_111 rule.

Desktop (please complete the following information):

  • OS: MacOS
  • Checkov Version: 1.0.844

Thanks ahead of time for reviewing this and thanks for the awesome tool!

Issue Analytics

  • State: closed
  • Created: 3 years ago
  • Reactions: 2
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
kmcquade commented, Mar 19, 2021

@schosterbarak I like that idea from @yi2020 too. If you want to contribute that to Cloudsplaining, we can fix it in both places!

1 reaction
yi2020 commented, Mar 19, 2021

@kmcquade our approach with Cloudrail has been to assume that if there are conditions, it’s not really *. We do in some cases dig through the condition to see if it really limits anything, but the amount of logic required was insane.
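The following is an added example, not code from checkov, Cloudrail or any commenter: a toy checker for the question this issue raises, implementing the heuristic yi2020 describes (a write action on Resource "*" is only flagged when the statement has no Condition). The WRITE_ACTIONS set and both policy documents are constructed samples; checkov's real write-action list is much longer, and, as yi2020 notes, a Condition that does not actually restrict anything would still pass this heuristic.

```python
# Constructed sample of write-level actions; checkov's real list is longer.
WRITE_ACTIONS = {"cloudwatch:PutMetricData", "s3:PutObject", "iam:PutRolePolicy"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unconstrained_write_statements(policy_document):
    """Return Sids of Allow statements granting a write action on Resource "*"
    with no Condition block, i.e. the case CKV_AWS_111 is meant to catch."""
    flagged = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # resource is already scoped
        actions = _as_list(stmt.get("Action"))
        if not any(a in WRITE_ACTIONS or a.endswith("*") for a in actions):
            continue  # read-only statement
        # Heuristic from yi2020's comment: any Condition counts as a constraint.
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", f"Statement[{idx}]"))
    return flagged


# Constructed policies mirroring the issue: the reporter's namespace-scoped
# PutMetricData statement, and the same statement with the Condition removed.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPutMetricData", "Effect": "Allow",
    "Action": ["cloudwatch:PutMetricData"], "Resource": "*",
    "Condition": {"StringEquals": {"cloudwatch:namespace": "Namespace"}},
}]}
UNSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowPutMetricData", "Effect": "Allow",
    "Action": "cloudwatch:PutMetricData", "Resource": "*",
}]}

if __name__ == "__main__":
    print(unconstrained_write_statements(SCOPED_POLICY))    # []
    print(unconstrained_write_statements(UNSCOPED_POLICY))  # ['AllowPutMetricData']
```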
