From 4e879271a092333f157efe699daca3dd0d0c45a9 Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Mon, 30 Jan 2023 16:47:09 +0100
Subject: [PATCH] fix(iam_policy_no_administrative_privileges): check only *:* permissions (#1802)

---
 .../iam_policy_no_administrative_privileges.py | 6 +++---
 .../iam_policy_no_administrative_privileges_test.py | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py
index 01659133..9d1c040a 100644
--- a/prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py
@@ -18,15 +18,15 @@ class iam_policy_no_administrative_privileges(Check):
             else:
                 policy_statements = policy["PolicyDocument"]["Statement"]
             for statement in policy_statements:
+                # Check policies with "Effect": "Allow" with "Action": "*" over "Resource": "*".
                 if (
                     statement["Effect"] == "Allow"
                     and "Action" in statement
-                    and "*" in statement["Action"]
-                    and "*" in statement["Resource"]
+                    and (statement["Action"] == "*" or statement["Action"] == ["*"])
+                    and (statement["Resource"] == "*" or statement["Resource"] == ["*"])
                 ):
                     report.status = "FAIL"
                     report.status_extended = f"Policy {policy['PolicyName']} allows '*:*' administrative privileges"
                     break
-
             findings.append(report)
         return findings
diff --git a/tests/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges_test.py b/tests/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges_test.py
index f7ddcf08..9bdd896e 100644
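Review bot: The new equality comparison on the `and (statement["Action"] == "*" or statement["Action"] == ["*"])` line, and the matching `Resource` line, no longer matches a list that grants `"*"` next to other entries (e.g. `["*", "s3:GetObject"]`); such a statement is still unrestricted administrative access but is now reported as PASS. Normalizing both fields to a list and testing list membership keeps the fix for the substring false positive (`"s3:*"` is no longer treated as `"*"`) without losing that case. `statement["Resource"]` is also read unguarded, so an Allow statement written with `NotResource` instead of `Resource` raises `KeyError` here; reading it with `.get` avoids that. The enclosing `execute` method starts outside the hunk.
```python
            for statement in policy_statements:
                # Normalize Action/Resource to lists so "*" is matched as a whole
                # element, not as a substring (e.g. "s3:*" must not count as "*").
                actions = statement.get("Action", [])
                resources = statement.get("Resource", [])
                actions = actions if isinstance(actions, list) else [actions]
                resources = resources if isinstance(resources, list) else [resources]
                if statement["Effect"] == "Allow" and "*" in actions and "*" in resources:
                    # … unchanged: set report.status FAIL / status_extended and break …
```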
--- a/tests/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges_test.py
+++ b/tests/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges_test.py
@@ -83,7 +83,7 @@ class Test_iam_policy_no_administrative_privileges_test:
         policy_document_non_administrative = {
             "Version": "2012-10-17",
             "Statement": [
-                {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
+                {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
             ],
         }
         policy_name_administrative = "policy2"
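Review bot: The fixture on the `+` line now covers the service-wide wildcard `logs:*` that the check previously misreported as administrative, but no fixture in this hunk exercises a list action that contains `"*"` alongside other entries, which the check's new exact-equality comparison would not report. A second administrative fixture such as `{"Effect": "Allow", "Action": ["*", "logs:CreateLogGroup"], "Resource": "*"}` asserted as FAIL would pin that case. The enclosing test method starts outside the hunk.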