From ba87f437d5c7d406adac80e64535e0857e73e39a Mon Sep 17 00:00:00 2001 From: Nick Malcolm Date: Thu, 20 Aug 2020 21:08:00 +1200 Subject: [PATCH 1/4] This check will identify IAM Policies which allow an IAM Principal (a Role or User) to escalate their privileges due to insecure STS permissions. It is AWS best practice to only use explicitly defined Resources (Role ARNs) for an `sts:AssumeRole` action. See more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy --- checks/check_extra798 | 75 +++++++++++++++++++++++++++++++++++++++++++ groups/group7_extras | 2 +- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 checks/check_extra798 diff --git a/checks/check_extra798 b/checks/check_extra798 new file mode 100644 index 00000000..c3f54f1c --- /dev/null +++ b/checks/check_extra798 
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
+#
+# This check was contributed by Nick Malcolm (github.com/nickmalcolm), building
+# on the hard work of others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy
+# of the License at http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed
+# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+# CONDITIONS OF ANY KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations under the License.
+CHECK_ID_extra798="7.98"
+CHECK_TITLE_extra798="[extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
+CHECK_SCORED_extra798="NOT_SCORED"
+CHECK_TYPE_extra798="EXTRA"
+CHECK_ASFF_RESOURCE_TYPE_extra798="AwsIamPolicy"
+CHECK_ALTERNATE_extra798="extra798"
+
+extra798(){
+ # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
+ #
+ # A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined
+ # This is most often seen as sts:assumeRole on *, but can take other forms.
+ # + # Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy + LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}') + if [[ $LIST_CUSTOM_POLICIES ]]; then + textInfo "Looking for custom policies: (skipping default policies - it may take few seconds...)" + for policy in $LIST_CUSTOM_POLICIES; do + POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}') + POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}') + + POLICY_STATEMENTS_WITH_ALLOW=$($AWSCLI iam get-policy-version \ + --output json \ + --policy-arn $POLICY_ARN \ + --version-id $POLICY_VERSION \ + --query "[PolicyVersion.Document.Statement] | [] | [?Effect == 'Allow']" \ + $PROFILE_OPT \ + --region $REGION + ) + + # Identify permissive policies by: + # 1 & 2) Casting all the Resource and Action keys to Arrays (sometimes they're a single string) + # 3) Iterate over the policy statements + # 4) Narrow the scope to Actions which are sts:* or sts:assumeRole(WithSAML|WithWebIdentity) + # 5) Narrow the scope to Resources (IAM Roles) which include a wildcard + POLICY_WITH_PERMISSIVE_STS=$(echo $POLICY_STATEMENTS_WITH_ALLOW \ + | jq 'map( .Resource |= (if type=="array" then . else [.] end) )' \ + | jq 'map( .Action |= (if type=="array" then . else [.] 
end) )' \ + | jq '.[]' \ + | jq 'select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))' \ + | jq 'select(.Resource[] | contains("*"))') + + if [[ $POLICY_WITH_PERMISSIVE_STS ]]; then + PERMISSIVE_POLICIES_LIST="$PERMISSIVE_POLICIES_LIST $POLICY_ARN" + fi + + done + if [[ $PERMISSIVE_POLICIES_LIST ]]; then + textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs" + textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy" + for policy in $PERMISSIVE_POLICIES_LIST; do + textFail "Policy $policy allows permissive STS Role assumption" + done + else + textPass "No custom policies found that allow permissive STS Role assumption" + fi + else + textPass "No custom policies found" + fi +} diff --git a/groups/group7_extras b/groups/group7_extras index f490879a..47863406 100644 --- a/groups/group7_extras +++ b/groups/group7_extras 
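Review bot: The action filter in the last jq stages (`select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))`) misses grants that are equivalent or broader: a bare `"Action": "*"`, `sts:Assume*`, and any lower-cased spelling such as `sts:assumerole`, which IAM accepts because action names are matched case-insensitively (the hunk's own comment writes `sts:assumeRole`). Normalising before matching closes those gaps, e.g. `| jq 'select(.Action[] | ascii_downcase | . == "*" or startswith("sts:*") or startswith("sts:assume"))'`. Separately, `echo $POLICY_STATEMENTS_WITH_ALLOW` is unquoted, so the `*` tokens in the policy JSON are subject to globbing and word-splitting before jq sees them; `echo "$POLICY_STATEMENTS_WITH_ALLOW"` is the safe form. A statement written with `NotResource` (no `Resource` key) appears to make the `.Resource[] | contains("*")` stage fail on `null`, so such a policy is silently reported as clean rather than flagged; if that is intended, a comment saying so would save the next reader from re-deriving it.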
@@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798' # Extras 759 and 760 (lambda variables and code secrets finder are not included) # to run detect-secrets 
use `./prowler -g secrets` From 565edf7b4b79577d3b63ce787afdf5f8a560e58c Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Thu, 27 Aug 2020 16:21:56 +0200 Subject: [PATCH 2/4] Change check ID to extra7100 Change check ID to extra7100 --- checks/check_extra798 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/checks/check_extra798 b/checks/check_extra798 index c3f54f1c..d032b159 100644 --- a/checks/check_extra798 +++ b/checks/check_extra798 @@ -13,14 +13,14 @@ # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -CHECK_ID_extra798="7.98" -CHECK_TITLE_extra798="[extra798] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)" -CHECK_SCORED_extra798="NOT_SCORED" -CHECK_TYPE_extra798="EXTRA" -CHECK_ASFF_RESOURCE_TYPE_extra798="AwsIamPolicy" -CHECK_ALTERNATE_extra798="extra798" +CHECK_ID_extra7100="7.100" +CHECK_TITLE_extra7100="[extra7100] Ensure that no custom policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)" +CHECK_SCORED_extra7100="NOT_SCORED" +CHECK_TYPE_extra7100="EXTRA" +CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy" +CHECK_ALTERNATE_check7100="extra7100" -extra798(){ +extra7100(){ # "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)" # # A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined From 1d4563f60d663088f0101b57589383da15c8d446 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Thu, 27 Aug 2020 16:23:08 +0200 Subject: [PATCH 3/4] Added extra799 and extra7100 to group extras Added extra799 and extra7100 to group extras --- groups/group7_extras | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
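Review bot: The renamed alternate-name variable breaks the naming pattern of the rest of the block: every other metadata variable is suffixed with the check name (`CHECK_ID_extra7100`, `CHECK_TITLE_extra7100`, …) but the last one becomes `CHECK_ALTERNATE_check7100`, where the original was `CHECK_ALTERNATE_extra798`. If prowler resolves these variables by appending the check name, as the other five suggest, the alternate name for extra7100 will never be found. The consistent line is `CHECK_ALTERNATE_extra7100="extra7100"`. The body of `extra7100()` continues past the end of the hunk.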
diff --git a/groups/group7_extras b/groups/group7_extras index 47863406..65766a9a 100644 --- a/groups/group7_extras +++ b/groups/group7_extras 
@@ -15,7 +15,7 @@ GROUP_ID[7]='extras' GROUP_NUMBER[7]='7.0' GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************' GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called -GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798' +GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100' # Extras 759 and 760 (lambda variables and code secrets finder are not 
included) # to run detect-secrets use `./prowler -g secrets` From 36a291c4a91ab757c5dae574f8763f1ebf5355c0 Mon Sep 17 00:00:00 2001 From: Toni de la Fuente Date: Thu, 27 Aug 2020 16:30:20 +0200 Subject: [PATCH 4/4] Rename check_extra798 to check_extra7100 --- checks/{check_extra798 => check_extra7100} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename checks/{check_extra798 => check_extra7100} (99%) diff --git a/checks/check_extra798 b/checks/check_extra7100 similarity index 99% rename from checks/check_extra798 rename to checks/check_extra7100 index c0444fc0..1b12481c 100644 --- a/checks/check_extra798 +++ b/checks/check_extra7100 @@ -73,4 +73,4 @@ extra7100(){ else textPass "No custom policies found" fi -} \ No newline at end of file +}
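Review bot: The new GROUP_CHECKS list still contains `extra798` and adds `extra799`, but within this same series patch 2 renames the function to `extra7100` and patch 4 renames the file to `check_extra7100`, so no check named `extra798` exists once the series is applied, and no `check_extra799` file appears in it. A stale entry here presumably makes `./prowler -g extras` try to run a check that does not resolve. Unless `extra799` is landing separately on the target branch, the list should end `...,extra797,extra7100'`; if it is, `...,extra797,extra799,extra7100'`, in either case dropping `extra798`.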