ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

IAM check116 and check122 modified to log also PASS results (#1107)

Browse Source 
* fix(check116): Fixed logic to include resource_id of passed users

* fix(check122): Changed logic check to include explicit pass records
This commit is contained in:
n4ch04
2022-04-12 19:54:51 +02:00
committed by GitHub
parent 5b902a1329
commit c9e282f236
2 changed files with 17 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
checks/check116
View File

@@ -29,20 +29,21 @@ CHECK_CAF_EPIC_check116='IAM'
check116(){ check116(){
# "Ensure IAM policies are attached only to groups or roles (Scored)" # "Ensure IAM policies are attached only to groups or roles (Scored)"
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION) LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
C116_NUM_USERS=0
for user in $LIST_USERS;do for user in $LIST_USERS;do
USER_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user) USER_ATTACHED_POLICY=$($AWSCLI iam list-attached-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
if [[ $USER_POLICY ]]; then USER_INLINE_POLICY=$($AWSCLI iam list-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user)
textFail "$REGION: $user has managed policy directly attached" "$REGION" "$user" if [[ $USER_ATTACHED_POLICY ]] || [[ $USER_INLINE_POLICY ]]
C116_NUM_USERS=$(expr $C116_NUM_USERS + 1) then
fi if [[ $USER_ATTACHED_POLICY ]]
USER_POLICY=$($AWSCLI iam list-user-policies --output text $PROFILE_OPT --region $REGION --user-name $user) then
if [[ $USER_POLICY ]]; then textFail "$REGION: $user has managed policy directly attached" "$REGION" "$user"
textFail "$REGION: $user has inline policy directly attached" "$REGION" "$user" fi
C116_NUM_USERS=$(expr $C116_NUM_USERS + 1) if [[ $USER_INLINE_POLICY ]]
then
textFail "$REGION: $user has inline policy directly attached" "$REGION" "$user"
fi
else
textPass "$REGION: No policies attached to user $user" "$REGION" "$user"
fi fi
done done
if [[ $C116_NUM_USERS -eq 0 ]]; then
textPass "$REGION: No policies attached to users" "$REGION" "$user"
fi
} }

6
checks/check122
View File

@@ -35,14 +35,14 @@ check122(){
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION) POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION)
if [[ $POLICY_WITH_FULL ]]; then if [[ $POLICY_WITH_FULL ]]; then
POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN" POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN"
else
textPass "$REGION: Policy ${policy//,/[comma]} that does not allow full \"*:*\" administrative privileges" "${REGION}" "${policy}"
fi fi
done done
if [[ $POLICIES_ALLOW_LIST ]]; then if [[ $POLICIES_ALLOW_LIST ]]; then
for policy in $POLICIES_ALLOW_LIST; do for policy in $POLICIES_ALLOW_LIST; do
textFail "$REGION: Policy ${policy//,/[comma]} allows \"*:*\"" "$REGION" "$policy" textFail "$REGION: Policy ${policy//,/[comma]} allows \"*:*\"" "${REGION}" "${policy}"
done done
else
textPass "$REGION: No custom policy found that allow full \"*:*\" administrative privileges" "$REGION"
fi fi
else else
textPass "$REGION: No custom policies found" "$REGION" textPass "$REGION: No custom policies found" "$REGION"