From c9436da235c2a9980820b93339f68595919f7396 Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Thu, 12 Jan 2023 17:39:09 +0100
Subject: [PATCH] fix: Solve IAM policy Errors (#1692)

Co-authored-by: sergargar
---
 .../aws/services/codebuild/codebuild_service.py | 11 ++++++-----
 ...iam_no_custom_policy_permissive_role_assumption.py | 6 +++++-
 .../iam_policy_allows_privilege_escalation.py | 6 +++++-
 .../iam_policy_no_administrative_privileges.py | 6 +++++-
 4 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/prowler/providers/aws/services/codebuild/codebuild_service.py b/prowler/providers/aws/services/codebuild/codebuild_service.py
index 90e75766..f5c94376 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_service.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_service.py
@@ -58,11 +58,12 @@ class Codebuild:
 if project.region == region:
 ids = client.list_builds_for_project(projectName=project.name)
 if "ids" in ids:
- builds = client.batch_get_builds(ids=[ids["ids"][0]])
- if "builds" in builds:
- project.last_invoked_time = builds["builds"][0][
- "endTime"
- ]
+ if len(ids["ids"]) > 0:
+ builds = client.batch_get_builds(ids=[ids["ids"][0]])
+ if "builds" in builds:
+ project.last_invoked_time = builds["builds"][0][
+ "endTime"
+ ]
 
 projects = client.batch_get_projects(names=[project.name])[
 "projects"
diff --git a/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py b/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py
index a473ed40..382d3dba 100644
--- a/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py
+++ b/prowler/providers/aws/services/iam/iam_no_custom_policy_permissive_role_assumption/iam_no_custom_policy_permissive_role_assumption.py
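Review bot: The new guard `if len(ids["ids"]) > 0:` is the non-idiomatic form of an emptiness test; since the line above already checks `"ids" in ids`, the two conditions collapse into `if ids.get("ids"):`, which covers a missing key and an empty list in one step. The read `builds["builds"][0]["endTime"]` that follows still assumes the most recent build has completed; an in-progress build may carry no `endTime`, which would raise a KeyError here, so `builds["builds"][0].get("endTime")` is the safer read — worth confirming against the batch_get_builds response shape. The enclosing method starts and ends outside the hunk.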
@@ -12,7 +12,11 @@ class iam_no_custom_policy_permissive_role_assumption(Check):
 report.resource_id = iam_client.policies[index]["PolicyName"]
 report.status = "PASS"
 report.status_extended = f"Custom Policy {iam_client.policies[index]['PolicyName']} does not allow permissive STS Role assumption"
- for statement in policy_document["Statement"]:
+ if type(policy_document["Statement"]) != list:
+ policy_statements = [policy_document["Statement"]]
+ else:
+ policy_statements = policy_document["Statement"]
+ for statement in policy_statements:
 if (
 statement["Effect"] == "Allow"
 and "Action" in statement
diff --git a/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py b/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py
index bcd40bf0..8b2766f0 100644
--- a/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py
+++ b/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py
@@ -72,7 +72,11 @@ class iam_policy_allows_privilege_escalation(Check):
 denied_not_actions = set()
 
 # Recover all policy actions
- for statements in policy["PolicyDocument"]["Statement"]:
+ if type(policy["PolicyDocument"]["Statement"]) != list:
+ policy_statements = [policy["PolicyDocument"]["Statement"]]
+ else:
+ policy_statements = policy["PolicyDocument"]["Statement"]
+ for statements in policy_statements:
 # Recover allowed actions
 if statements["Effect"] == "Allow":
 if "Action" in statements:
diff --git a/prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py
index 44fb98c2..abfa02e7 100644
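Review bot: The `type(policy_document["Statement"]) != list` test should be `not isinstance(policy_document["Statement"], list)`, which also accepts list subclasses; the identical construct is added in iam_policy_allows_privilege_escalation.py and iam_policy_no_administrative_privileges.py in this commit. The same normalisation now lives in three checks, so a shared helper that always returns the statements as a list would keep them consistent and is the natural place for a comment such as `# An IAM policy's Statement element may be a single object or a list`. Other policy elements such as `Action` share that string-or-list shape; the remainder of the loop that reads them is outside the hunk, so it is worth confirming they are handled the same way. The enclosing method starts and ends outside the hunk.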
--- a/prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py
@@ -13,7 +13,11 @@ class iam_policy_no_administrative_privileges(Check):
 report.status = "PASS"
 report.status_extended = f"Policy {iam_client.policies[index]['PolicyName']} does not allow '*:*' administrative privileges"
 # Check the statements, if one includes *:* stop iterating over the rest
- for statement in policy_document["Statement"]:
+ if type(policy_document["Statement"]) != list:
+ policy_statements = [policy_document["Statement"]]
+ else:
+ policy_statements = policy_document["Statement"]
+ for statement in policy_statements:
 if (
 statement["Effect"] == "Allow"
 and "Action" in statement