From 9dbfac128669a1836cad1866d48f782b79ff844b Mon Sep 17 00:00:00 2001
From: arjunp99
Date: Tue, 28 Oct 2025 09:26:46 -0500
Subject: [PATCH 1/2] fix: replace ForAllValues:StringLike with StringLike for ram:ResourceShareName conditions

- Remove ForAllValues qualifier for single-value keys in RAM policy statements
- Affects RamTag, RamUpdateResource, RamAssociateResource, and RamInvitations statements
---
 .../cdk/pivot_role_data_sharing_policy.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/backend/dataall/modules/s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py b/backend/dataall/modules/s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py
index c5a426683..fc440a892 100644
--- a/backend/dataall/modules/s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py
+++ b/backend/dataall/modules/s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py
@@ -61,7 +61,7 @@ def get_statements(self):
 effect=iam.Effect.ALLOW,
 actions=['ram:TagResource'],
 resources=['*'],
- conditions={'ForAllValues:StringLike': {'ram:ResourceShareName': ['LakeFormation*']}},
+ conditions={'StringLike': {'ram:ResourceShareName': ['LakeFormation*']}},
 ),
 iam.PolicyStatement(
 sid='RamCreateResource',
@@ -80,7 +80,7 @@ def get_statements(self):
 actions=['ram:UpdateResourceShare'],
 resources=[f'arn:aws:ram:*:{self.account}:resource-share/*'],
 conditions={
- 'ForAllValues:StringLike': {'ram:ResourceShareName': ['LakeFormation*']},
+ 'StringLike': {'ram:ResourceShareName': ['LakeFormation*']},
 },
 ),
 iam.PolicyStatement(
@@ -88,7 +88,7 @@ def get_statements(self):
 effect=iam.Effect.ALLOW,
 actions=['ram:AssociateResourceShare', 'ram:DisassociateResourceShare'],
 resources=[f'arn:aws:ram:*:{self.account}:resource-share/*'],
- conditions={'ForAllValues:StringLike': {'ram:ResourceShareName': ['LakeFormation*']}},
+ conditions={'StringLike': {'ram:ResourceShareName': ['LakeFormation*']}},
 ),
 iam.PolicyStatement(
 sid='RamDeleteResource',
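Review bot: The RamTag statement keeps `resources=['*']` while the RamUpdateResource and RamAssociateResource statements in the same function are scoped to `arn:aws:ram:*:{self.account}:resource-share/*`; since the new plain `StringLike` condition already presumes a resource-share name in the request context, `resources=[f'arn:aws:ram:*:{self.account}:resource-share/*']` looks safe here unless the pivot role must also tag other RAM resource types. The operator change also flips the absent-key case — `ForAllValues:StringLike` matched requests carrying no `ram:ResourceShareName` at all, whereas `StringLike` now denies them — so a comment on the conditions line such as `# plain StringLike on purpose: ram:ResourceShareName is single-valued, and ForAllValues would also match requests that lack the key` would keep the next reader from "restoring" the set operator. get_statements starts before this hunk.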
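Review bot: After this change the RamUpdateResource `conditions` dict holds one short entry spread over three lines, whereas patch 2/2 collapses the equivalent RamInvitations dict to a single line and the RamTag and RamAssociateResource statements already use the one-line form; `conditions={'StringLike': {'ram:ResourceShareName': ['LakeFormation*']}},` would make the four statements read alike. Separately, because `ram:UpdateResourceShare` can rename a share, it is worth confirming (and recording in a comment) whether `ram:ResourceShareName` is evaluated against the share's existing name or the name supplied in the request, since only the former confines this role to shares that are already named `LakeFormation*`. get_statements continues outside the hunk.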
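Review bot: The diffstat shows only the policy module changing, with no test asserting that the `ForAllValues` operator is gone from the rendered statements, so a later edit could reintroduce it unnoticed; a test that synthesizes the stack and asserts no `ForAllValues` key appears in the RamTag, RamUpdateResource, RamAssociateResource and RamInvitations statements would pin this fix. The name condition is also the sole guard on `ram:DisassociateResourceShare`, so a comment stating that the prefix match is a naming convention rather than a hard boundary, e.g. `# prefix match: any share in this account named LakeFormation* is in scope`, would make the trust assumption explicit. get_statements continues outside the hunk.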
@@ -105,7 +105,7 @@ def get_statements(self):
 ],
 resources=['arn:aws:ram:*:*:resource-share-invitation/*'], # Scoped
 conditions={
- 'ForAllValues:StringLike': {
+ 'StringLike': {
 'ram:ResourceShareName': ['LakeFormation*', f'{self.env_resource_prefix}*']
 },
 },

From 9297d93ba54e3c7c16eeef6b61ad86b3aecf0e25 Mon Sep 17 00:00:00 2001
From: arjunp99
Date: Tue, 28 Oct 2025 10:13:58 -0500
Subject: [PATCH 2/2] fix: replace ForAllValues:StringLike with StringLike for single-value RAM keys

Addresses security recommendation by using appropriate condition operators for ram:ResourceShareName in pivot role data sharing policy.
---
 .../s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/backend/dataall/modules/s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py b/backend/dataall/modules/s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py
index fc440a892..add87e915 100644
--- a/backend/dataall/modules/s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py
+++ b/backend/dataall/modules/s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py
@@ -105,9 +105,7 @@ def get_statements(self):
 ],
 resources=['arn:aws:ram:*:*:resource-share-invitation/*'], # Scoped
 conditions={
- 'StringLike': {
- 'ram:ResourceShareName': ['LakeFormation*', f'{self.env_resource_prefix}*']
- },
+ 'StringLike': {'ram:ResourceShareName': ['LakeFormation*', f'{self.env_resource_prefix}*']},
 },
 ),
 iam.PolicyStatement(
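Review bot: The actions list this condition governs starts before the hunk, and with plain `StringLike` the key must be present for the Allow to match, so any action in that list whose request context does not carry `ram:ResourceShareName` (listing or describing invitations, if such calls are included) is now denied where `ForAllValues:StringLike` previously allowed it. Each action should be checked against the RAM condition-key table before merging, and any that do not support the key moved to a separate statement without this condition. The `# Scoped` comment could also say what is being scoped, since the ARN wildcards the account: `# account is wildcarded because invitations presumably originate in other accounts; the name condition is the real restriction`. get_statements continues outside the hunk.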