[steampipe-mod-aws-compliance] Malformed ARN for some resources?

[yorinasub17]

Some queries (e.g., https://github.com/turbot/steampipe-mod-aws-compliance/blob/main/query/iam/iam_account_password_policy_expire_90.sql#L3) report the resource ID using a malformed ARN. AWS requires 6 parts to an ARN, but the query only contains 5 parts in the resource column (e.g., the computed resource is arn:PARTITION:::ACCOUNT_ID, which is 4 :s). For example, the aws-sdk-go library will reject this ARN as invalid: https://go.dev/play/p/nXDfWa3P-hO

Is this intentional? I was originally going to report this as a bug on the mod, but I wasn't sure if there was some hidden intention here.

[cbruno10]

Hey @yorinasub17 , any malformed ARNs are not intentional. For that query in particular, we're using the AWS account ARN, which may not be an official ARN from AWS, but there's no 6th part to the ARN, as the ARN would stop at account ID. The aws_account table has an arn column also, but that would produce the same result.

Are you using these resource columns (which often contain ARNs) anywhere, and is this ARN in particular then causing later failures in your workflow?

If you see any other malformed ARNs though, we'd appreciate bug reports on them!

[yorinasub17]

Are you using these resource columns (which often contain ARNs) anywhere, and is this ARN in particular then causing later failures in your workflow?

I had originally thought this was causing issues when I was loading the steampipe results into SecurityHub via the ASFF format, but then I later realized the issue was that global results were being reported with a ProductArn calculated without a region, which SecurityHub was rejecting.

So this is OK for me!

---

With that said, more for my curiosity:

we're using the AWS account ARN

Is there documentation (or an API) on this from AWS that designates this as the ARN of an AWS account? I had thought that the root user ARN was typically considered to be the account ARN (arn:PARTITION:iam::ACCOUNT_ID:root), due to its usage in resources like KMS, but I may have missed this specific doc.

[cbruno10]

As far as I know, there's no official AWS account ARN. The ARN format we use in the query you mentioned, along with some others, is our best guess based on other ARNs.

There is the root ARN you mentioned, but we usually use that as the resource in queries that focus on the root user's configuration and permissions, e.g., which root users can access a KMS key. For the IAM account password queries, we've decided to use the account ARN as the password policy applies to all users in the account.

[yorinasub17]

Ah gotcha! Distinguishing between the root user and account makes sense to me.

If it isn't official, a small suggestion is to append a :account to the ARN (e.g., arn:PARTITION:::ACCOUNT_ID:account), to ensure that it is a valid ARN and the SDKs can parse it.