
ckv_aws_60 missing the conditionals validation #7304

@rammotat


Describe the issue
The ckv_aws_60 Checkov rule incorrectly flags IAM roles that specify "Principal": "*", even when restrictive conditions are applied in the AssumeRolePolicyDocument. This results in false positives for configurations that are secure due to these conditions.

Examples
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
```hcl
resource "aws_iam_role" "private_connect" {
  tags                 = var.tags
  name                 = "${var.resource_prefix}-private-connect"
  permissions_boundary = "arn:${var.arn_partition}:iam::${data.aws_caller_identity.current.account_id}:policy/Boundary"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" = "*"
        },
        "Action" : "sts:AssumeRole"
        Condition = {
          StringLike = {
            "aws:PrincipalArn" = concat(
              local.control_plane_roles,
              [
                for region, account_id in var.ids_regions_map :
                "arn:${var.arn_partition}:iam::${account_id}:role/${var.env_name}-${region}-${var.deployment_id}-connect"
              ],
              [
                for region, account_id in var.ids_regions_map :
                "arn:${var.arn_partition}:iam::${account_id}:role/${var.env_name}-${region}-${var.deployment_id}-seeder"
              ],
              [
                for region, account_id in var.ids_regions_map :
                "arn:${var.arn_partition}:iam::${account_id}:role/${var.env_name}-${region}-${var.deployment_id}-gc-pl-event-handler"
              ],
              local.monitoring_role_arns
            )
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "private_connect_private_link_admin" {
  role       = aws_iam_role.private_connect.name
  policy_arn = aws_iam_policy.private_link_admin.arn
}

resource "aws_iam_role_policy_attachment" "private_connect_get_service_quota" {
  role       = aws_iam_role.private_connect.name
  policy_arn = aws_iam_policy.get_service_quota.arn
}
```
Expected Outcome: The IAM role should pass the ckv_aws_60 check because the "Principal": "*" is effectively restricted by the Condition specifying allowed aws:PrincipalArn values.

Version (please complete the following information):
Checkov Version 3.2.471

Additional context
The current implementation of ckv_aws_60 does not account for conditions that restrict the principals allowed to assume the role. This leads to false positives when "Principal": "*" is used in conjunction with restrictive conditions, which is a common and secure practice.
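As an added illustration of the condition-aware logic the report asks for (example code written for this page, not Checkov's own CKV_AWS_60 implementation), the function below evaluates a rendered trust policy and only flags a wildcard `AWS` principal when no `Condition` narrows it via `aws:PrincipalArn`, `aws:PrincipalAccount` or `aws:PrincipalOrgID`. The two trust policies and the account id in them are constructed; the operator and key sets are assumptions about what "restrictive" should mean.

```python
import json

# Constructed trust policies: the first mirrors the role from the issue (one
# hypothetical account id), the second is the genuinely open form to flag.
RESTRICTED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
    "Condition": {"StringLike": {"aws:PrincipalArn": [
        "arn:aws:iam::111111111111:role/example-us-east-1-1-connect"]}}}]})
OPEN = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Open", "Effect": "Allow", "Principal": "*",
    "Action": "sts:AssumeRole"}]})

# Condition keys and operators assumed to actually narrow who may assume the role.
RESTRICTIVE_KEYS = {"aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID"}
RESTRICTIVE_OPS = {"StringEquals", "StringLike", "ArnEquals", "ArnLike"}

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def _principals(stmt):
    p = stmt.get("Principal", {})
    return [p] if isinstance(p, str) else _as_list(p.get("AWS"))

def _condition_restricts_principal(cond):
    for op, keys in cond.items():
        if op not in RESTRICTIVE_OPS or not isinstance(keys, dict):
            continue
        for key, values in keys.items():
            values = _as_list(values)
            # A bare "*" pattern restricts nothing, so it does not count.
            if key in RESTRICTIVE_KEYS and values and "*" not in values:
                return True
    return False

def wildcard_principal_findings(policy_json):
    """Return Sids (or indexes) of Allow sts:AssumeRole statements whose
    Principal is '*' and whose Condition does not narrow the principal."""
    stmts = json.loads(policy_json)["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        if "*" in _principals(stmt) and not _condition_restricts_principal(stmt.get("Condition", {})):
            findings.append(stmt.get("Sid", str(i)))
    return findings

if __name__ == "__main__":
    print(wildcard_principal_findings(RESTRICTED), wildcard_principal_findings(OPEN))
```

Run against the issue's role, `RESTRICTED` yields no finding while `OPEN` still reports its statement, which is the behaviour the report expects from the check.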
