From b34deb9306fe813fa1cc9e1b3ccdb92c00b3effc Mon Sep 17 00:00:00 2001
From: Matthew Wynn
Date: Mon, 23 Dec 2024 15:53:04 -0800
Subject: [PATCH 1/2] Fix CKV_AWS_272 incorrect example
Fixes #1041
---
 .../aws-general-policies/bc-aws-272.adoc | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc
index d6dfbe1036..f079c306e8 100644
--- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc
+++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc
@@ -36,24 +36,26 @@ This policy ensures that an AWS Lambda function has been properly configured to
 To address the issue, you need to enable the code-signing configuration for your AWS Lambda function. Code-signing adds an extra layer of security to your application by ensuring that the deployed code is not tampered with.
-[source,go]
+[source,terraform]
 ----
 resource "aws_lambda_function" "example" {
- function_name = "example"
- filename = "example.zip"
- source_code_hash = filebase64sha256("example.zip")
- handler = "exports.test"
- runtime = "nodejs12.x"
+ function_name = "example"
+ s3_bucket = aws_signer_signing_job.job.signed_object[0].s3[0].bucket
+ s3_key = aws_signer_signing_job.this.signed_object[0].s3[0].key
+ handler = "exports.test"
+ runtime = "nodejs12.x"
+ code_signing_config_arn = aws_lambda_code_signing_config.example.arn
 }
 resource "aws_lambda_code_signing_config" "example" {
 allowed_publishers {
- signing_profile_version_arns = [aws_signer_signing_profile_version.example.arn]
+ signing_profile_version_arns = [aws_signer_signing_profile.example.version_arn]
 }
- policies = "Warn"
+ policies {
+ untrusted_artifact_on_deployment = "Enforce"
+ }
 }
 ----
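Review bot: The two `s3_*` lines added to the `aws_lambda_function` block reference different signing-job resources — `aws_signer_signing_job.job` for `s3_bucket` and `aws_signer_signing_job.this` for `s3_key` — and neither resource is declared anywhere in the example, so a reader who copies it gets an unresolved reference on one line or the other. Use one name on both lines, e.g. `s3_bucket = aws_signer_signing_job.example.signed_object[0].s3[0].bucket` and `s3_key = aws_signer_signing_job.example.signed_object[0].s3[0].key`, and either add the `aws_signer_signing_job` / `aws_signer_signing_profile` resources the example depends on or put a one-line HCL comment above the block saying they are defined elsewhere. The replacement of `policies = "Warn"` with the `untrusted_artifact_on_deployment = "Enforce"` block is what makes Lambda reject an unsigned or mismatched artifact instead of only logging it, which is the substance of this control and deserves a sentence in the prose above the example. `runtime = "nodejs12.x"` appears to be a runtime Lambda no longer accepts for new functions; a current runtime would keep the example applyable as written.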
From 7b30753ea361db8f7116427935a3fa1d944a614c Mon Sep 17 00:00:00 2001
From: Matthew Wynn
Date: Mon, 6 Jan 2025 09:57:53 -0800
Subject: [PATCH 2/2] Apply CKV_AWS_272 suggestions from code review
Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>
---
 .../aws-policies/aws-general-policies/bc-aws-272.adoc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc
index f079c306e8..1afb62df91 100644
--- a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc
+++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272.adoc
@@ -36,7 +36,9 @@ This policy ensures that an AWS Lambda function has been properly configured to
 To address the issue, you need to enable the code-signing configuration for your AWS Lambda function. Code-signing adds an extra layer of security to your application by ensuring that the deployed code is not tampered with.
-[source,terraform]
+Example:
+
+[source,go]
 ----
 resource "aws_lambda_function" "example" {
 function_name = "example"
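Review bot: The source-block tag is changed from `[source,terraform]` back to `[source,go]` although the block holds Terraform HCL, which undoes the tag fix made in patch 1/2 of this series. If `go` is used deliberately because the rendering toolchain lacks a Terraform lexer, say so in the description (or in an AsciiDoc comment above the block, `// highlighted as go: no terraform lexer in the docs build`) so the next reviewer does not re-raise it; otherwise `[source,terraform]` is the accurate tag. The hunk ends inside the `aws_lambda_function` resource, so the remainder of the example is outside this view.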