diff --git a/checks/check_extra7100 b/checks/check_extra7100 new file mode 100644 index 00000000..1b12481c --- /dev/null +++ b/checks/check_extra7100 @@ -0,0 +1,76 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente +# +# This check was contributed by Nick Malcolm (github.com/nickmalcolm), building +# on the hard work of others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +CHECK_ID_extra7100="7.100" +CHECK_TITLE_extra7100="[extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)" +CHECK_SCORED_extra7100="NOT_SCORED" +CHECK_TYPE_extra7100="EXTRA" +CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy" +CHECK_ALTERNATE_check7100="extra7100" + +extra7100(){ + # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)" + # + # A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined + # This is most often seen as sts:assumeRole on *, but can take other forms. + # + # Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy + LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}') + if [[ $LIST_CUSTOM_POLICIES ]]; then + textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)" + for policy in $LIST_CUSTOM_POLICIES; do + POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}') + POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}') + + POLICY_STATEMENTS_WITH_ALLOW=$($AWSCLI iam get-policy-version \ + --output json \ + --policy-arn $POLICY_ARN \ + --version-id $POLICY_VERSION \ + --query "[PolicyVersion.Document.Statement] | [] | [?Effect == 'Allow']" \ + $PROFILE_OPT \ + --region $REGION + ) + + # Identify permissive policies by: + # 1 & 2) Casting all the Resource and Action keys to Arrays (sometimes they're a single string) + # 3) Iterate over the policy statements + # 4) Narrow the scope to Actions which are sts:* or sts:assumeRole(WithSAML|WithWebIdentity) + # 5) Narrow the scope to Resources (IAM Roles) which include a wildcard + POLICY_WITH_PERMISSIVE_STS=$(echo $POLICY_STATEMENTS_WITH_ALLOW \ + | jq 'map( .Resource |= (if type=="array" then . else [.] end) )' \ + | jq 'map( .Action |= (if type=="array" then . else [.] end) )' \ + | jq '.[]' \ + | jq 'select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))' \ + | jq 'select(.Resource[] | contains("*"))') + + if [[ $POLICY_WITH_PERMISSIVE_STS ]]; then + PERMISSIVE_POLICIES_LIST="$PERMISSIVE_POLICIES_LIST $POLICY_ARN" + fi + + done + if [[ $PERMISSIVE_POLICIES_LIST ]]; then + textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs" + textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy" + for policy in $PERMISSIVE_POLICIES_LIST; do + textFail "Policy $policy allows permissive STS Role assumption" + done + else + textPass "No custom policies found that allow permissive STS Role assumption" + fi + else + textPass "No custom policies found" + fi +} diff --git a/checks/check_extra798 b/checks/check_extra798 deleted file mode 100644 index fa15a011..00000000 --- a/checks/check_extra798 +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/env bash - -# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy -# of the License at http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software distributed -# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -# CONDITIONS OF ANY KIND, either express or implied. See the License for the -# specific language governing permissions and limitations under the License. - -CHECK_ID_extra798="7.98" -CHECK_TITLE_extra798="[extra798] Check if Lambda functions have resource-based policy set as Public" -CHECK_SCORED_extra798="NOT_SCORED" -CHECK_TYPE_extra798="EXTRA" -CHECK_ASFF_RESOURCE_TYPE_extra798="AwsLambdaFunction" -CHECK_ALTERNATE_check798="extra798" - -extra798(){ - for regx in $REGIONS; do - LIST_OF_FUNCTIONS=$($AWSCLI lambda list-functions $PROFILE_OPT --region $regx --output text --query 'Functions[*].FunctionName') - if [[ $LIST_OF_FUNCTIONS ]]; then - for lambdafunction in $LIST_OF_FUNCTIONS; do - # get the policy per function - FUNCTION_POLICY=$($AWSCLI lambda get-policy $PROFILE_OPT --region $regx --function-name $lambdafunction --query Policy --output text 2>/dev/null) - if [[ $FUNCTION_POLICY ]]; then - FUNCTION_POLICY_ALLOW_ALL=$(echo $FUNCTION_POLICY \ - | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') - if [[ $FUNCTION_POLICY_ALLOW_ALL ]]; then - textFail "$regx: Lambda function $lambdafunction has a policy with public access" "$regx" - else - textPass "$regx: Lambda function $lambdafunction has a policy resource-based policy and is not public" "$regx" - fi - else - textPass "$regx: Lambda function $lambdafunction does not have resource-based policy" "$regx" - fi - done - else - textInfo "$regx: No Lambda functions found" "$regx" - fi - done -} diff --git a/groups/group7_extras b/groups/group7_extras index f6964d39..65766a9a 100644 --- a/groups/group7_extras +++ b/groups/group7_extras @@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets use `./prowler -g secrets`