Fix appliesTo suppressions

Author: jusdino

backend/compact-connect/common_constructs/nodejs_function.py

@@ -71,7 +71,7 @@ def __init__(
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': [
+                    'appliesTo': [
                         'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
                     ],
                     'reason': 'The BasicExecutionRole policy is appropriate for these lambdas',
@@ -84,7 +84,9 @@ def __init__(
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': 'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',  # noqa: E501 line-too-long
+                    'appliesTo': [
+                        'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+                    ],  # noqa: E501 line-too-long
                     'reason': 'This policy is appropriate for the log retention lambda',
                 },
             ],
@@ -95,7 +97,7 @@ def __init__(
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM5',
-                    'applies_to': ['Resource::*'],
+                    'appliesTo': ['Resource::*'],
                     'reason': 'This lambda needs to be able to configure log groups across the account, though the'
                     ' actions it is allowed are scoped specifically for this task.',
                 },

backend/compact-connect/common_constructs/python_function.py

@@ -85,7 +85,7 @@ def __init__(
                 suppressions=[
                     {
                         'id': 'AwsSolutions-IAM4',
-                        'applies_to': [
+                        'appliesTo': [
                             'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
                         ],
                         'reason': 'The BasicExecutionRole policy is appropriate for these lambdas',
@@ -98,7 +98,9 @@ def __init__(
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': 'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',  # noqa: E501 line-too-long
+                    'appliesTo': [
+                        'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+                    ],  # noqa: E501 line-too-long
                     'reason': 'This policy is appropriate for the log retention lambda',
                 },
             ],
@@ -109,7 +111,7 @@ def __init__(
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM5',
-                    'applies_to': ['Resource::*'],
+                    'appliesTo': ['Resource::*'],
                     'reason': 'This lambda needs to be able to configure log groups across the account, though the'
                     ' actions it is allowed are scoped specifically for this task.',
                 },

backend/compact-connect/common_constructs/slack_channel_configuration.py

@@ -37,7 +37,7 @@ def _configure_chatbot_role(self):
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': ['Policy::arn:<AWS::Partition>:iam::aws:policy/job-function/ViewOnlyAccess'],
+                    'appliesTo': ['Policy::arn:<AWS::Partition>:iam::aws:policy/job-function/ViewOnlyAccess'],
                     'reason': 'This role is general-purpose for operations integration and the AWS-managed '
                     'ViewOnlyAccess policy is suitable',
                 },

backend/compact-connect/stacks/api_stack/cc_api.py

@@ -211,7 +211,7 @@ def __init__(
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': [
+                    'appliesTo': [
                         'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
                     ],
                     'reason': 'This policy is crafted specifically for the account-level role created here.',

backend/compact-connect/stacks/api_stack/v1_api/query_providers.py

@@ -182,7 +182,11 @@ def _query_providers_handler(
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM5',
-                    'applies_to': ['Action::kms:GenerateDataKey*', 'Action::kms:ReEncrypt*'],
+                    'appliesTo': [
+                        'Action::kms:GenerateDataKey*',
+                        'Action::kms:ReEncrypt*',
+                        'Resource::<ProviderTableEC5D0597.Arn>/index/*',
+                    ],
                     'reason': 'The actions in this policy are specifically what this lambda needs to read '
                     'and is scoped to one table and encryption key.',
                 },

backend/compact-connect/stacks/persistent_stack/bulk_uploads_bucket.py

@@ -132,7 +132,7 @@ def _add_v1_ingest_object_events(self, event_bus: EventBus):
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM5',
-                    'applies_to': ['Resource::*'],
+                    'appliesTo': ['Resource::*'],
                     'reason': """
                     The lambda policy is scoped specifically to the PutBucketNotification action, which
                     suits its purpose.
@@ -146,7 +146,7 @@ def _add_v1_ingest_object_events(self, event_bus: EventBus):
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': [
+                    'appliesTo': [
                         'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
                     ],
                     'reason': 'The BasicExecutionRole policy is appropriate for this lambda',

backend/compact-connect/stacks/persistent_stack/compact_configuration_upload.py

@@ -106,7 +106,9 @@ def __init__(
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': 'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',  # noqa: E501 line-too-long
+                    'appliesTo': [
+                        'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+                    ],  # noqa: E501 line-too-long
                     'reason': 'This policy is appropriate for the log retention lambda',
                 },
             ],

backend/compact-connect/stacks/persistent_stack/provider_users_bucket.py

@@ -131,7 +131,7 @@ def _add_v1_object_events(self, provider_table: Table, encryption_key: IKey):
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM5',
-                    'applies_to': ['Resource::*'],
+                    'appliesTo': ['Resource::*'],
                     'reason': """
                     The lambda policy is scoped specifically to the PutBucketNotification action, which
                     suits its purpose.
@@ -145,7 +145,7 @@ def _add_v1_object_events(self, provider_table: Table, encryption_key: IKey):
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': [
+                    'appliesTo': [
                         'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
                     ],
                     'reason': 'The BasicExecutionRole policy is appropriate for this lambda',

backend/compact-connect/stacks/persistent_stack/ssn_table.py

@@ -142,16 +142,31 @@ def _configure_access(self):
         self.key.grant_encrypt_decrypt(self.ingest_role)
 
     def _role_suppressions(self, role: Role):
+        stack = Stack.of(role)
         NagSuppressions.add_resource_suppressions_by_path(
-            Stack.of(role),
+            stack,
             f'{role.node.path}/Resource',
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': [
+                    'appliesTo': [
                         'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
                     ],
                     'reason': 'The BasicExecutionRole policy is appropriate for these lambdas',
                 },
             ],
         )
+        NagSuppressions.add_resource_suppressions_by_path(
+            stack,
+            f'{role.node.path}/DefaultPolicy/Resource',
+            suppressions=[
+                {
+                    'id': 'AwsSolutions-IAM5',
+                    'appliesTo': [f'Resource::<{stack.get_logical_id(self.node.default_child)}.Arn>/index/*'],
+                    'reason': """
+                    This policy contains wild-carded actions and resources but they are scoped to the
+                    specific actions, KMS key and Table that this lambda specifically needs access to.
+                    """,
+                },
+            ],
+        )

backend/compact-connect/stacks/ui_stack/distribution.py

@@ -84,7 +84,7 @@ def __init__(
             suppressions=[
                 {
                     'id': 'AwsSolutions-IAM4',
-                    'applies_to': [
+                    'appliesTo': [
                         'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
                     ],
                     'reason': 'This policy enables CloudWatch logging and is appropriate for this lambda',