fix(iam): add StringLike condition in iam_role_cross_service_confused_deputy_prevention (#2533)

2026-02-10 06:45:08 +00:00 · 2023-06-27 10:06:46 +02:00
parent 60a1497eaf
commit 6efe634850
2 changed files with 61 additions and 0 deletions
--- a/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py
+++ b/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py
@@ -39,6 +39,17 @@ class iam_role_cross_service_confused_deputy_prevention(Check):
                                    ]
                                )
                            )
+                            or (
+                                "StringLike" in statement["Condition"]
+                                and "aws:SourceAccount"
+                                in statement["Condition"]["StringLike"]
+                                and iam_client.account
+                                in str(
+                                    statement["Condition"]["StringLike"][
+                                        "aws:SourceAccount"
+                                    ]
+                                )
+                            )
                            or (
                                "ArnEquals" in statement["Condition"]
                                and "aws:SourceArn"
--- a/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py
+++ b/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py
@@ -192,3 +192,53 @@ class Test_iam_role_cross_service_confused_deputy_prevention:
            )
            assert result[0].resource_id == "test"
            assert result[0].resource_arn == response["Role"]["Arn"]
+
+    @mock_iam
+    def test_iam_service_role_with_cross_service_confused_deputy_prevention_stringlike(
+        self,
+    ):
+        iam_client = client("iam", region_name=AWS_REGION)
+        policy_document = {
+            "Version": "2008-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Principal": {"Service": "workspaces.amazonaws.com"},
+                    "Action": "sts:AssumeRole",
+                    "Condition": {
+                        "StringLike": {"aws:SourceAccount": [AWS_ACCOUNT_ID]}
+                    },
+                }
+            ],
+        }
+        response = iam_client.create_role(
+            RoleName="test",
+            AssumeRolePolicyDocument=dumps(policy_document),
+        )
+
+        from prowler.providers.aws.services.iam.iam_service import IAM
+
+        current_audit_info = self.set_mocked_audit_info()
+        current_audit_info.audited_account = AWS_ACCOUNT_ID
+        with mock.patch(
+            "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+            new=current_audit_info,
+        ), mock.patch(
+            "prowler.providers.aws.services.iam.iam_role_cross_service_confused_deputy_prevention.iam_role_cross_service_confused_deputy_prevention.iam_client",
+            new=IAM(current_audit_info),
+        ):
+            # Test Check
+            from prowler.providers.aws.services.iam.iam_role_cross_service_confused_deputy_prevention.iam_role_cross_service_confused_deputy_prevention import (
+                iam_role_cross_service_confused_deputy_prevention,
+            )
+
+            check = iam_role_cross_service_confused_deputy_prevention()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == "IAM Service Role test prevents against a cross-service confused deputy attack"
+            )
+            assert result[0].resource_id == "test"
+            assert result[0].resource_arn == response["Role"]["Arn"]