fix(iam_policy_no_administrative_privileges): check only *:* permissions (#1802)

prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py

@@ -18,15 +18,15 @@ class iam_policy_no_administrative_privileges(Check):
             else:
                 policy_statements = policy["PolicyDocument"]["Statement"]
             for statement in policy_statements:
+                # Check policies with "Effect": "Allow" with "Action": "*" over "Resource": "*".
                 if (
                     statement["Effect"] == "Allow"
                     and "Action" in statement
-                    and "*" in statement["Action"]
-                    and "*" in statement["Resource"]
+                    and (statement["Action"] == "*" or statement["Action"] == ["*"])
+                    and (statement["Resource"] == "*" or statement["Resource"] == ["*"])
                 ):
                     report.status = "FAIL"
                     report.status_extended = f"Policy {policy['PolicyName']} allows '*:*' administrative privileges"
                     break
-
             findings.append(report)
         return findings

tests/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges_test.py

@@ -83,7 +83,7 @@ class Test_iam_policy_no_administrative_privileges_test:
         policy_document_non_administrative = {
             "Version": "2012-10-17",
             "Statement": [
-                {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
+                {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
             ],
         }
         policy_name_administrative = "policy2"