fix(policy_condition_parser): add StringEquals aws:SourceArn condition (#2793)

2026-02-10 06:45:08 +00:00 · 2023-08-31 11:54:48 +02:00
parent 8846ae6664
commit 2891bc0b96
2 changed files with 21 additions and 0 deletions
--- a/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py
+++ b/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py
@@ -25,6 +25,7 @@ def is_account_only_allowed_in_condition(
            "s3:resourceaccount",
            "aws:principalaccount",
            "aws:resourceaccount",
+            "aws:sourcearn",
        ],
        "StringLike": [
            "aws:sourceaccount",
--- a/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py
+++ b/tests/providers/aws/lib/policy_condition_parser/policy_condition_parser_test.py
@@ -230,6 +230,26 @@ class Test_policy_condition_parser:
            condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
        )

+    def test_condition_parser_string_equals_aws_SourceArn_str(self):
+        condition_statement = {
+            "StringEquals": {
+                "aws:SourceArn": f"arn:aws:cloudtrail:*:{TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*"
+            }
+        }
+        assert is_account_only_allowed_in_condition(
+            condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
+        )
+
+    def test_condition_parser_string_equals_aws_SourceArn_str_not_valid(self):
+        condition_statement = {
+            "StringEquals": {
+                "aws:SourceArn": f"arn:aws:cloudtrail:*:{NON_TRUSTED_AWS_ACCOUNT_NUMBER}:trail/*"
+            }
+        }
+        assert not is_account_only_allowed_in_condition(
+            condition_statement, TRUSTED_AWS_ACCOUNT_NUMBER
+        )
+
    def test_condition_parser_string_like_aws_PrincipalAccount_list(self):
        condition_statement = {
            "StringLike": {"aws:PrincipalAccount": [TRUSTED_AWS_ACCOUNT_NUMBER]}