From aed3edb650adf94ea94be9ee748e8a5a4b1c537a Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Sat, 28 Mar 2026 23:52:55 -0400
Subject: [PATCH 01/10] feat(query): add IAM Role Without Permission Boundary query metadata
---
 .../metadata.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json b/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
new file mode 100644
index 00000000000..9e873b6322e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
@@ -0,0 +1,12 @@
+{
+ "id": "a4d32b6e-9c7f-4b2a-8e5d-1f3c9a0e7b42",
+ "queryName": "IAM Role Without Permission Boundary",
+ "severity": "MEDIUM",
+ "category": "Identity and Access Management",
+ "descriptionText": "IAM roles should have a permissions boundary defined to limit the maximum permissions that can be granted. Without a permission boundary, IAM roles can potentially be exploited to escalate privileges beyond intended scope.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#permissions_boundary",
+ "platform": "Terraform",
+ "descriptionID": "a4d32b6e",
+ "cloudProvider": "aws",
+ "cwe": "269"
+}
From fef914a97cd5aeaa8c4ec03755fe4e79b189ac8c Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Sat, 28 Mar 2026 23:55:55 -0400
Subject: [PATCH 02/10] feat(query): add IAM Role Without Permission Boundary query logic
---
 .../query.rego | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 assets/queries/terraform/aws/iam_role_without_permission_boundary/query.rego
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/query.rego b/assets/queries/terraform/aws/iam_role_without_permission_boundary/query.rego
new file mode 100644
index 00000000000..1a8ae168b33
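Review bot: The `descriptionText` switches between "permissions boundary" and "permission boundary" within two sentences; the Terraform attribute is `permissions_boundary` and AWS documentation uses "permissions boundary", so the second sentence should read `Without a permissions boundary, IAM roles can potentially be exploited to escalate privileges beyond intended scope.` The `queryName` shares the singular form, and since test fixtures match on that exact string, pick one spelling now rather than after fixtures exist.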
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/query.rego
@@ -0,0 +1,20 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.aws_iam_role[name]
+ not common_lib.valid_key(resource, "permissions_boundary")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("resource.aws_iam_role[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("aws_iam_role[%s].permissions_boundary is defined", [name]),
+ "keyActualValue": sprintf("aws_iam_role[%s].permissions_boundary is undefined", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", name], []),
+ }
+}
From fda2bb1c249d30251894919aa951d2e0c41e7f48 Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Sun, 29 Mar 2026 14:06:54 -0400
Subject: [PATCH 03/10] feat(query): add IAM Role Without Permission Boundary positive test case
---
 .../test/positive1.tf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive1.tf
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive1.tf b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive1.tf
new file mode 100644
index 00000000000..b1f2fa4e131
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive1.tf
@@ -0,0 +1,17 @@
+# This should trigger the query - no permissions_boundary defined
+resource "aws_iam_role" "positive1" {
+ name = "positive_role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
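Review bot: `not common_lib.valid_key(resource, "permissions_boundary")` reports a role only when the helper rejects the attribute, so whether an explicitly empty value (`permissions_boundary = ""` or `null`) is reported depends on `valid_key`'s definition, which is not part of this patch; worth confirming, and tightening the check if such a value passes, since an empty boundary leaves the role as uncapped as an absent one. The rule has no header comment; a line such as `# Reports aws_iam_role resources that set no permissions_boundary, the attribute that caps the maximum permissions the role can be granted.` above `CxPolicy[result]` would state the intent for the next maintainer. Every `aws_iam_role` in scope is reported regardless of how narrow its attached policies are, which is reasonable for a MEDIUM advisory finding but is worth saying in the metadata description.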
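Review bot: The single positive fixture covers only a role with no `permissions_boundary` at all; a second fixture pinning how the query treats an explicitly empty value (`permissions_boundary = ""`) would document that behaviour whichever way `common_lib.valid_key` resolves it, with a matching entry in the expected-result JSON. The `"line": 2` recorded for this fixture in `positive_expected_result.json` is tied to the `resource` block starting on line 2, directly after the one-line comment, so anyone adding header lines here must update that value as well; a short note in the comment, e.g. `# keep the resource block on line 2 (see positive_expected_result.json)`, makes that coupling visible.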
From a430b8f2d912ee424f91c0f8b3b0c9fa049d880f Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Sun, 29 Mar 2026 14:09:28 -0400
Subject: [PATCH 04/10] feat(query): add IAM Role Without Permission Boundary negative test case
---
 .../test/negative1.tf | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 assets/queries/terraform/aws/iam_role_without_permission_boundary/test/negative1.tf
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/negative1.tf b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/negative1.tf
new file mode 100644
index 00000000000..def445a5e4e
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/negative1.tf
@@ -0,0 +1,16 @@
+# This should NOT trigger the query - permissions_boundary is defined
+resource "aws_iam_role" "negative1" {
+ name = "negative_role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ }
+ ]
+ })
From 85f898bc82a19df79d064564a09790dc8cca1f09 Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Sun, 29 Mar 2026 14:10:45 -0400
Subject: [PATCH 05/10] feat(query): add IAM Role Without Permission Boundary expected test results
---
 .../test/positive_expected_result.json | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive_expected_result.json
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive_expected_result.json
new file mode 100644
index 00000000000..c2281e0ef57
--- /dev/null
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive_expected_result.json
@@ -0,0 +1,7 @@
+[
+ {
+ "queryName": "IAM Role Without Permission Boundary",
+ "severity": "MEDIUM",
+ "line": 2
+ }
+]
From 0a98e038af700726653a35daeede69f542a2e5f0 Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Sun, 5 Apr 2026 21:36:49 -0400
Subject: [PATCH 06/10] add missing riskScore field to IAM Role Without Permission Boundary metadata
---
 .../aws/iam_role_without_permission_boundary/metadata.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json b/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
index 9e873b6322e..e121f5598df 100644
--- a/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
@@ -8,5 +8,6 @@
 "platform": "Terraform",
 "descriptionID": "a4d32b6e",
 "cloudProvider": "aws",
- "cwe": "269"
+ "cwe": "269",
+ "riskScore": "2.5"
 }
From d2407966b00fafd42033181f098278bcdec38170 Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Sat, 11 Apr 2026 18:30:29 -0400
Subject: [PATCH 07/10] fix(query): update category to Access Control and fix riskScore format
---
 .../aws/iam_role_without_permission_boundary/metadata.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json b/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
index e121f5598df..fd294fb726e 100644
--- a/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
@@ -2,12 +2,12 @@
 "id": "a4d32b6e-9c7f-4b2a-8e5d-1f3c9a0e7b42",
 "queryName": "IAM Role Without Permission Boundary",
 "severity": "MEDIUM",
- "category": "Identity and Access Management",
+ "category": "Access Control",
 "descriptionText": "IAM roles should have a permissions boundary defined to limit the maximum permissions that can be granted. Without a permission boundary, IAM roles can potentially be exploited to escalate privileges beyond intended scope.",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#permissions_boundary",
 "platform": "Terraform",
 "descriptionID": "a4d32b6e",
 "cloudProvider": "aws",
 "cwe": "269",
- "riskScore": "2.5"
+ "riskScore": 3.0
 }
From cb50fbc6475f72b0af342738bf2d75f2dc745e71 Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Sat, 11 Apr 2026 18:31:45 -0400
Subject: [PATCH 08/10] fix(query): fix negative test case to include permissions_boundary attribute
---
 .../aws/iam_role_without_permission_boundary/test/negative1.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/negative1.tf b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/negative1.tf
index def445a5e4e..1dac3f0b739 100644
--- a/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/negative1.tf
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/negative1.tf
@@ -14,3 +14,6 @@ resource "aws_iam_role" "negative1" {
 }
 ]
 })
+
+ permissions_boundary = "arn:aws:iam::123456789012:policy/BoundaryPolicy"
+}
From f8b523fd227e3c4b9c9c291a9ff376fb928639ee Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Sat, 11 Apr 2026 18:32:46 -0400
Subject: [PATCH 09/10] fix(query): update positive expected result to include fileName
---
 .../test/positive_expected_result.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
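Review bot: The only negative fixture supplies the boundary as a literal ARN string; most real configurations set it from another resource or a variable, so a second negative using a reference (constructed example: `permissions_boundary = aws_iam_policy.boundary.arn`) would confirm the presence check in `query.rego` does not misfire on unresolved references. The `resource` block this hunk closes starts outside the hunk, at the top of the file.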
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive_expected_result.json b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive_expected_result.json
index c2281e0ef57..4d7097fcbc9 100644
--- a/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/test/positive_expected_result.json
@@ -2,6 +2,7 @@
 {
 "queryName": "IAM Role Without Permission Boundary",
 "severity": "MEDIUM",
- "line": 2
+ "line": 2,
+ "fileName": "positive1.tf"
 }
 ]
From a02d802f5ffedb7f2e34cd1751fab55d3e6f9f2f Mon Sep 17 00:00:00 2001
From: balaakasam
Date: Mon, 25 May 2026 21:30:52 -0400
Subject: [PATCH 10/10] Update assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
Co-authored-by: Artur Ribeiro <153724638+cx-artur-ribeiro@users.noreply.github.com>
---
 .../aws/iam_role_without_permission_boundary/metadata.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json b/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
index fd294fb726e..551f4fef0f2 100644
--- a/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
+++ b/assets/queries/terraform/aws/iam_role_without_permission_boundary/metadata.json
@@ -1,6 +1,6 @@
 {
 "id": "a4d32b6e-9c7f-4b2a-8e5d-1f3c9a0e7b42",
- "queryName": "IAM Role Without Permission Boundary",
+ "queryName": "BETA - IAM Role Without Permission Boundary",
 "severity": "MEDIUM",
 "category": "Access Control",
 "descriptionText": "IAM roles should have a permissions boundary defined to limit the maximum permissions that can be granted. Without a permission boundary, IAM roles can potentially be exploited to escalate privileges beyond intended scope.",
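Review bot: Renaming `queryName` to `"BETA - IAM Role Without Permission Boundary"` leaves `test/positive_expected_result.json` (added earlier in this series) still expecting `"queryName": "IAM Role Without Permission Boundary"`, and this commit's diffstat touches only metadata.json; if the test harness matches findings on that field, as the fixture's shape suggests, the positive test will no longer match until the expected-result file is updated to `"queryName": "BETA - IAM Role Without Permission Boundary",`. The earlier wording inconsistency in `descriptionText` ("permissions boundary" vs "permission boundary") also survives this edit and could be fixed in the same pass.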
@@ -9,5 +9,6 @@
 "descriptionID": "a4d32b6e",
 "cloudProvider": "aws",
 "cwe": "269",
- "riskScore": 3.0
+ "riskScore": 3.0,
+ "experimental": "true"
 }
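Review bot: `"experimental": "true"` is a JSON string, while `"riskScore"` on the line above was deliberately changed from the string `"2.5"` to the number `3.0` earlier in this series; if the metadata loader reads `experimental` as a boolean, the string form would not be recognised, so confirm the type other experimental queries in the repository use and keep this one consistent. If the string form is the repository convention, a sentence in the PR description saying so would spare the next reviewer the same question.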