diff --git a/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py b/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py index ed20464d..dc0ce226 100644 --- a/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py +++ b/prowler/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention.py @@ -39,6 +39,17 @@ class iam_role_cross_service_confused_deputy_prevention(Check): ] ) ) + or ( + "StringLike" in statement["Condition"] + and "aws:SourceAccount" + in statement["Condition"]["StringLike"] + and iam_client.account + in str( + statement["Condition"]["StringLike"][ + "aws:SourceAccount" + ] + ) + ) or ( "ArnEquals" in statement["Condition"] and "aws:SourceArn" diff --git a/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py b/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py index a77be120..1efc071f 100644 --- a/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py +++ b/tests/providers/aws/services/iam/iam_role_cross_service_confused_deputy_prevention/iam_role_cross_service_confused_deputy_prevention_test.py @@ -192,3 +192,53 @@ class Test_iam_role_cross_service_confused_deputy_prevention: ) assert result[0].resource_id == "test" assert result[0].resource_arn == response["Role"]["Arn"] + + @mock_iam + def test_iam_service_role_with_cross_service_confused_deputy_prevention_stringlike( + self, + ): + iam_client = client("iam", region_name=AWS_REGION) + policy_document = { + "Version": "2008-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": {"Service": "workspaces.amazonaws.com"}, + "Action": "sts:AssumeRole", + "Condition": { + "StringLike": {"aws:SourceAccount": [AWS_ACCOUNT_ID]} + }, + } + ], + } + response = iam_client.create_role( + RoleName="test", + AssumeRolePolicyDocument=dumps(policy_document), + ) + + from prowler.providers.aws.services.iam.iam_service import IAM + + current_audit_info = self.set_mocked_audit_info() + current_audit_info.audited_account = AWS_ACCOUNT_ID + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=current_audit_info, + ), mock.patch( + "prowler.providers.aws.services.iam.iam_role_cross_service_confused_deputy_prevention.iam_role_cross_service_confused_deputy_prevention.iam_client", + new=IAM(current_audit_info), + ): + # Test Check + from prowler.providers.aws.services.iam.iam_role_cross_service_confused_deputy_prevention.iam_role_cross_service_confused_deputy_prevention import ( + iam_role_cross_service_confused_deputy_prevention, + ) + + check = iam_role_cross_service_confused_deputy_prevention() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "PASS" + assert ( + result[0].status_extended + == "IAM Service Role test prevents against a cross-service confused deputy attack" + ) + assert result[0].resource_id == "test" + assert result[0].resource_arn == response["Role"]["Arn"]