mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 06:45:08 +00:00
feat(extra7100): Migrate check extra7100 -> iam_no_custom_policy_permissive_role_assumption (#1417)
This commit is contained in:
Nacho Rivera
@@ -1,49 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
|
||||
CHECK_ID_check120="1.20"
|
||||
CHECK_TITLE_check120="[check120] Ensure a support role has been created to manage incidents with AWS Support"
|
||||
CHECK_SCORED_check120="SCORED"
|
||||
CHECK_CIS_LEVEL_check120="LEVEL1"
|
||||
CHECK_SEVERITY_check120="Medium"
|
||||
CHECK_ASFF_TYPE_check120="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check120="AwsIamRole"
|
||||
CHECK_ALTERNATE_check120="check120"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check120="ens-op.acc.1.aws.iam.4"
|
||||
CHECK_SERVICENAME_check120="iam"
|
||||
CHECK_RISK_check120='AWS provides a support center that can be used for incident notification and response; as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.'
|
||||
CHECK_REMEDIATION_check120='Create an IAM role for managing incidents with AWS.'
|
||||
CHECK_DOC_check120='https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html'
|
||||
CHECK_CAF_EPIC_check120='IAM'
|
||||
|
||||
check120(){
|
||||
# "Ensure a support role has been created to manage incidents with AWS Support (Scored)"
|
||||
SUPPORTPOLICYARN=$($AWSCLI iam list-policies --query "Policies[?PolicyName == 'AWSSupportAccess'].Arn" $PROFILE_OPT --region $REGION --output text)
|
||||
if [[ $SUPPORTPOLICYARN ]];then
|
||||
for policyarn in $SUPPORTPOLICYARN;do
|
||||
POLICYROLES=$($AWSCLI iam list-entities-for-policy --policy-arn $policyarn $PROFILE_OPT --region $REGION --output text | awk -F$'\t' '{ print $3 }')
|
||||
if [[ $POLICYROLES ]];then
|
||||
for name in $POLICYROLES; do
|
||||
textPass "$REGION: Support Policy attached to $name" "$REGION" "$name"
|
||||
done
|
||||
# for user in $(echo "$POLICYUSERS" | grep UserName | cut -d'"' -f4) ; do
|
||||
# textInfo "User $user has support access via $policyarn"
|
||||
# done
|
||||
else
|
||||
textFail "$REGION: Support Policy not applied to any Role" "$REGION" "$name"
|
||||
fi
|
||||
done
|
||||
else
|
||||
textFail "$REGION: No Support Policy found" "$REGION" "$name"
|
||||
fi
|
||||
}
|
||||
@@ -1,54 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
|
||||
CHECK_ID_check121="1.21"
|
||||
CHECK_TITLE_check121="[check121] Do not setup access keys during initial user setup for all IAM users that have a console password"
|
||||
CHECK_SCORED_check121="NOT_SCORED"
|
||||
CHECK_CIS_LEVEL_check121="LEVEL1"
|
||||
CHECK_SEVERITY_check121="Medium"
|
||||
CHECK_ASFF_TYPE_check121="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check121="AwsIamUser"
|
||||
CHECK_ALTERNATE_check121="check121"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check121="ens-op.acc.1.aws.iam.5"
|
||||
CHECK_SERVICENAME_check121="iam"
|
||||
CHECK_RISK_check121='AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials; it also generates unnecessary management work in auditing and rotating these keys. Requiring that additional steps be taken by the user after their profile has been created will give a stronger indication of intent that access keys are (a) necessary for their work and (b) once the access key is established on an account that the keys may be in use somewhere in the organization.'
|
||||
CHECK_REMEDIATION_check121='From the IAM console: generate credential report and disable not required keys.'
|
||||
CHECK_DOC_check121='https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html'
|
||||
CHECK_CAF_EPIC_check121='IAM'
|
||||
|
||||
check121(){
|
||||
# "Do not setup access keys during initial user setup for all IAM users that have a console password (Not Scored)"
|
||||
LIST_USERS=$($AWSCLI iam list-users --query 'Users[*].UserName' --output text $PROFILE_OPT --region $REGION)
|
||||
# List of USERS with KEY1 last_used_date as N/A
|
||||
LIST_USERS_KEY1_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$11 }'|grep N/A |awk '{ print $1 }'; done)
|
||||
# List of USERS with KEY1 active, last_used_date as N/A and have a console password
|
||||
LIST_USERS_KEY1_ACTIVE=$(for user in $LIST_USERS_KEY1_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$9 }'|grep "true true$"|awk '{ print $1 }'|sed 's/[[:blank:]]+/,/g' ; done)
|
||||
if [[ $LIST_USERS_KEY1_ACTIVE ]]; then
|
||||
for user in $LIST_USERS_KEY1_ACTIVE; do
|
||||
textFail "$REGION: User $user has never used access key 1" "$REGION" "$user"
|
||||
done
|
||||
else
|
||||
textPass "$REGION: No users found with access key 1 never used" "$REGION" "$user"
|
||||
fi
|
||||
# List of USERS with KEY2 last_used_date as N/A
|
||||
LIST_USERS_KEY2_NA=$(for user in $LIST_USERS; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$16 }'|grep N/A |awk '{ print $1 }' ; done)
|
||||
# List of USERS with KEY2 active, last_used_date as N/A and have a console password
|
||||
LIST_USERS_KEY2_ACTIVE=$(for user in $LIST_USERS_KEY2_NA; do grep "^${user}," $TEMP_REPORT_FILE|awk -F, '{ print $1,$4,$14 }'|grep "true true$" |awk '{ print $1 }' ; done)
|
||||
if [[ $LIST_USERS_KEY2_ACTIVE ]]; then
|
||||
for user in $LIST_USERS_KEY2_ACTIVE; do
|
||||
textFail "$REGION: User $user has never used access key 2" "$REGION" "$user"
|
||||
done
|
||||
else
|
||||
textPass "$REGION: No users found with access key 2 never used" "$REGION" "$user"
|
||||
fi
|
||||
}
|
||||
@@ -1,50 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
|
||||
CHECK_ID_check122="1.22"
|
||||
CHECK_TITLE_check122="[check122] Ensure IAM policies that allow full \"*:*\" administrative privileges are not created"
|
||||
CHECK_SCORED_check122="SCORED"
|
||||
CHECK_CIS_LEVEL_check122="LEVEL1"
|
||||
CHECK_SEVERITY_check122="Medium"
|
||||
CHECK_ASFF_TYPE_check122="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check122="AwsIamPolicy"
|
||||
CHECK_ALTERNATE_check122="check122"
|
||||
CHECK_SERVICENAME_check122="iam"
|
||||
CHECK_RISK_check122='IAM policies are the means by which privileges are granted to users; groups; or roles. It is recommended and considered a standard security advice to grant least privilege—that is; granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks instead of allowing full administrative privileges. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.'
|
||||
CHECK_REMEDIATION_check122='It is more secure to start with a minimum set of permissions and grant additional permissions as necessary; rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.'
|
||||
CHECK_DOC_check122='http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html'
|
||||
CHECK_CAF_EPIC_check122='IAM'
|
||||
|
||||
check122(){
|
||||
# "Ensure IAM policies that allow full \"*:*\" administrative privileges are not created (Scored)"
|
||||
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
|
||||
if [[ $LIST_CUSTOM_POLICIES ]]; then
|
||||
for policy in $LIST_CUSTOM_POLICIES; do
|
||||
POLICY_ARN=$(awk 'BEGIN{FS=OFS=","}{NF--; print}' <<< "${policy}")
|
||||
POLICY_VERSION=$(awk -F ',' '{print $(NF)}' <<< "${policy}")
|
||||
POLICY_WITH_FULL=$($AWSCLI iam get-policy-version --output text --policy-arn $POLICY_ARN --version-id $POLICY_VERSION --query "[PolicyVersion.Document.Statement] | [] | [?Action!=null] | [?Effect == 'Allow' && Resource == '*' && Action == '*']" $PROFILE_OPT --region $REGION)
|
||||
if [[ $POLICY_WITH_FULL ]]; then
|
||||
POLICIES_ALLOW_LIST="$POLICIES_ALLOW_LIST $POLICY_ARN"
|
||||
else
|
||||
textPass "$REGION: Policy ${policy//,/[comma]} that does not allow full \"*:*\" administrative privileges" "${REGION}" "${policy}"
|
||||
fi
|
||||
done
|
||||
if [[ $POLICIES_ALLOW_LIST ]]; then
|
||||
for policy in $POLICIES_ALLOW_LIST; do
|
||||
textFail "$REGION: Policy ${policy//,/[comma]} allows \"*:*\"" "${REGION}" "${policy}"
|
||||
done
|
||||
fi
|
||||
else
|
||||
textPass "$REGION: No custom policies found" "$REGION"
|
||||
fi
|
||||
}
|
||||
@@ -1,56 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
#
|
||||
# Remediation:
|
||||
#
|
||||
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
|
||||
#
|
||||
# aws logs put-metric-filter \
|
||||
# --region us-east-1 \
|
||||
# --log-group-name CloudTrail/MyCloudTrailLG \
|
||||
# --filter-name AWSAuthorizationFailures \
|
||||
# --filter-pattern '{ $.errorCode = "*UnauthorizedOperation" || $.errorCode = "AccessDenied*" }' \
|
||||
# --metric-transformations metricName=AuthorizationFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
|
||||
#
|
||||
# aws cloudwatch put-metric-alarm \
|
||||
# --region us-east-1 \
|
||||
# --alarm-name "Authorization Failures" \
|
||||
# --alarm-description "Alarm triggered when unauthorized API calls are made" \
|
||||
# --metric-name AuthorizationFailureCount \
|
||||
# --namespace CloudTrailMetrics \
|
||||
# --statistic Sum \
|
||||
# --comparison-operator GreaterThanOrEqualToThreshold \
|
||||
# --evaluation-periods 1 \
|
||||
# --period 300 \
|
||||
# --threshold 1 \
|
||||
# --actions-enabled \
|
||||
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
|
||||
|
||||
CHECK_ID_check31="3.1"
|
||||
CHECK_TITLE_check31="[check31] Ensure a log metric filter and alarm exist for unauthorized API calls"
|
||||
CHECK_SCORED_check31="SCORED"
|
||||
CHECK_CIS_LEVEL_check31="LEVEL1"
|
||||
CHECK_SEVERITY_check31="Medium"
|
||||
CHECK_ASFF_TYPE_check31="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check31="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check301="check31"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check31="ens-op.exp.8.aws.trail.2"
|
||||
CHECK_SERVICENAME_check31="iam"
|
||||
CHECK_RISK_check31='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check31='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check31='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check31='Logging and Monitoring'
|
||||
|
||||
check31(){
|
||||
check3x '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*"'
|
||||
}
|
||||
@@ -1,56 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
#
|
||||
# Remediation:
|
||||
#
|
||||
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
|
||||
#
|
||||
# aws logs put-metric-filter \
|
||||
# --region us-east-1 \
|
||||
# --log-group-name CloudTrail/CloudWatchLogGroup \
|
||||
# --filter-name ConsoleSignInWithoutMfaCount \
|
||||
# --filter-pattern '{ $.eventName = "ConsoleLogin" && $.additionalEventData.MFAUsed != "Yes" }' \
|
||||
# --metric-transformations metricName=ConsoleSignInWithoutMfaCount,metricNamespace=CloudTrailMetrics,metricValue=1
|
||||
#
|
||||
# aws cloudwatch put-metric-alarm \
|
||||
# --region us-east-1 \
|
||||
# --alarm-name ConsoleSignInWithoutMfaAlarm \
|
||||
# --alarm-description "Triggered by sign-in requests made without MFA." \
|
||||
# --metric-name ConsoleSignInWithoutMfaCount \
|
||||
# --namespace CloudTrailMetrics \
|
||||
# --statistic Sum \
|
||||
# --comparison-operator GreaterThanOrEqualToThreshold \
|
||||
# --evaluation-periods 1 \
|
||||
# --period 300 \
|
||||
# --threshold 1 \
|
||||
# --actions-enabled \
|
||||
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
|
||||
|
||||
CHECK_ID_check32="3.2"
|
||||
CHECK_TITLE_check32="[check32] Ensure a log metric filter and alarm exist for Management Console sign-in without MFA"
|
||||
CHECK_SCORED_check32="SCORED"
|
||||
CHECK_CIS_LEVEL_check32="LEVEL1"
|
||||
CHECK_SEVERITY_check32="Medium"
|
||||
CHECK_ASFF_TYPE_check32="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check32="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check302="check32"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check32="ens-op.exp.8.aws.trail.4"
|
||||
CHECK_SERVICENAME_check32="iam"
|
||||
CHECK_RISK_check32='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check32='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check32='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check32='Logging and Monitoring'
|
||||
|
||||
check32(){
|
||||
check3x '\$\.eventName\s*=\s*"ConsoleLogin".+\$\.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
|
||||
}
|
||||
@@ -1,60 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
#
|
||||
# Remediation:
|
||||
#
|
||||
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
|
||||
#
|
||||
# aws logs put-metric-filter \
|
||||
# --region us-east-1 \
|
||||
# --log-group-name CloudTrail/CloudWatchLogGroup \
|
||||
# --filter-name RootAccountUsage \
|
||||
# --filter-pattern '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }' \
|
||||
# --metric-transformations metricName=RootAccountUsageEventCount,metricNamespace=CloudTrailMetrics,metricValue=1 \
|
||||
#
|
||||
# aws cloudwatch put-metric-alarm \
|
||||
# --region us-east-1 \
|
||||
# --alarm-name RootAccountUsageAlarm \
|
||||
# --alarm-description "Triggered by AWS Root Account usage." \
|
||||
# --metric-name RootAccountUsageEventCount \
|
||||
# --namespace CloudTrailMetrics \
|
||||
# --statistic \
|
||||
# --comparison-operator GreaterThanOrEqualToThreshold \
|
||||
# --evaluation-periods 1 \
|
||||
# --period 300 \
|
||||
# --threshold 1 \
|
||||
# --actions-enabled \
|
||||
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
|
||||
|
||||
CHECK_ID_check33="3.3"
|
||||
CHECK_TITLE_check33="[check33] Ensure a log metric filter and alarm exist for usage of root account"
|
||||
CHECK_SCORED_check33="SCORED"
|
||||
CHECK_CIS_LEVEL_check33="LEVEL1"
|
||||
CHECK_SEVERITY_check33="Medium"
|
||||
CHECK_ASFF_TYPE_check33="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check33="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check303="check33"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check33="ens-op.exp.8.aws.trail.5"
|
||||
CHECK_SERVICENAME_check33="iam"
|
||||
CHECK_RISK_check33='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check33='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check33='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check33='Logging and Monitoring'
|
||||
|
||||
check33(){
|
||||
if [[ "${REGION}" == "us-gov-west-1" || "${REGION}" == "us-gov-east-1" ]]; then
|
||||
textInfo "${REGION}: This is an AWS GovCloud account and there is no root account to perform checks."
|
||||
else
|
||||
check3x '\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
|
||||
fi
|
||||
}
|
||||
@@ -1,56 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
#
|
||||
# Remediation:
|
||||
#
|
||||
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
|
||||
#
|
||||
# aws logs put-metric-filter \
|
||||
# --region us-east-1 \
|
||||
# --log-group-name CloudTrail/CloudWatchLogGroup \
|
||||
# --filter-name IAMAuthConfigChanges \
|
||||
# --filter-pattern '{ ($.eventName = DeleteGroupPolicy) || ($.eventName = DeleteRolePolicy) || ($.eventName = DeleteUserPolicy) || ($.eventName = PutGroupPolicy) || ($.eventName = PutRolePolicy) || ($.eventName = PutUserPolicy) || ($.eventName = CreatePolicy) || ($.eventName = DeletePolicy) || ($.eventName = CreatePolicyVersion) || ($.eventName = DeletePolicyVersion) || ($.eventName = AttachRolePolicy) || ($.eventName = DetachRolePolicy) || ($.eventName = AttachUserPolicy) || ($.eventName = DetachUserPolicy) || ($.eventName = AttachGroupPolicy) || ($.eventName = DetachGroupPolicy) }' \
|
||||
# --metric-transformations metricName=IAMPolicyEventCount,metricNamespace=CloudTrailMetrics,metricValue=1
|
||||
#
|
||||
# aws cloudwatch put-metric-alarm \
|
||||
# --region us-east-1 \
|
||||
# --alarm-name IAMAuthorizationActivityAlarm \
|
||||
# --alarm-description "Triggered by AWS IAM authorization config changes." \
|
||||
# --metric-name IAMPolicyEventCount \
|
||||
# --namespace CloudTrailMetrics \
|
||||
# --statistic Sum \
|
||||
# --comparison-operator GreaterThanOrEqualToThreshold \
|
||||
# --evaluation-periods 1 \
|
||||
# --period 300 \
|
||||
# --threshold 1 \
|
||||
# --actions-enabled \
|
||||
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
|
||||
|
||||
CHECK_ID_check34="3.4"
|
||||
CHECK_TITLE_check34="[check34] Ensure a log metric filter and alarm exist for IAM policy changes"
|
||||
CHECK_SCORED_check34="SCORED"
|
||||
CHECK_CIS_LEVEL_check34="LEVEL1"
|
||||
CHECK_SEVERITY_check34="Medium"
|
||||
CHECK_ASFF_TYPE_check34="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check34="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check304="check34"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check34="ens-op.exp.8.aws.trail.6"
|
||||
CHECK_SERVICENAME_check34="iam"
|
||||
CHECK_RISK_check34='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check34='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check34='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check34='IAM'
|
||||
|
||||
check34(){
|
||||
check3x '\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
|
||||
}
|
||||
@@ -1,56 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
#
|
||||
# Remediation:
|
||||
#
|
||||
# https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf
|
||||
#
|
||||
# aws logs put-metric-filter \
|
||||
# --region us-east-1 \
|
||||
# --log-group-name CloudTrail/MyCloudTrailLG \
|
||||
# --filter-name AWSConsoleSignInFailures \
|
||||
# --filter-pattern '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }' \
|
||||
# --metric-transformations metricName=ConsoleSigninFailureCount,metricNamespace=CloudTrailMetrics,metricValue=1
|
||||
#
|
||||
# aws cloudwatch put-metric-alarm \
|
||||
# --region us-east-1 \
|
||||
# --alarm-name "Console Sign-in Failures" \
|
||||
# --alarm-description "AWS Management Console Sign-in Failure Alarm." \
|
||||
# --metric-name ConsoleSigninFailureCount \
|
||||
# --namespace CloudTrailMetrics \
|
||||
# --statistic Sum \
|
||||
# --comparison-operator GreaterThanOrEqualToThreshold \
|
||||
# --evaluation-periods 1 \
|
||||
# --period 300 \
|
||||
# --threshold 3 \
|
||||
# --actions-enabled \
|
||||
# --alarm-actions arn:aws:sns:us-east-1:123456789012:CloudWatchAlarmTopic
|
||||
|
||||
CHECK_ID_check36="3.6"
|
||||
CHECK_TITLE_check36="[check36] Ensure a log metric filter and alarm exist for AWS Management Console authentication failures"
|
||||
CHECK_SCORED_check36="SCORED"
|
||||
CHECK_CIS_LEVEL_check36="LEVEL2"
|
||||
CHECK_SEVERITY_check36="Medium"
|
||||
CHECK_ASFF_TYPE_check36="Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"
|
||||
CHECK_ASFF_RESOURCE_TYPE_check36="AwsCloudTrailTrail"
|
||||
CHECK_ALTERNATE_check306="check36"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_check36="ens-op.exp.8.aws.trail.3"
|
||||
CHECK_SERVICENAME_check36="iam"
|
||||
CHECK_RISK_check36='Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.'
|
||||
CHECK_REMEDIATION_check36='It is recommended that a metric filter and alarm be established for unauthorized requests.'
|
||||
CHECK_DOC_check36='https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html'
|
||||
CHECK_CAF_EPIC_check36='Logging and Monitoring'
|
||||
|
||||
check36(){
|
||||
check3x '\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"'
|
||||
}
|
||||
@@ -1,82 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
|
||||
#
|
||||
# This check was contributed by Nick Malcolm (github.com/nickmalcolm), building
|
||||
# on the hard work of others.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
# use this file except in compliance with the License. You may obtain a copy
|
||||
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software distributed
|
||||
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
||||
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations under the License.
|
||||
|
||||
CHECK_ID_extra7100="7.100"
|
||||
CHECK_TITLE_extra7100="[extra7100] Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)"
|
||||
CHECK_SCORED_extra7100="NOT_SCORED"
|
||||
CHECK_CIS_LEVEL_extra7100="EXTRA"
|
||||
CHECK_SEVERITY_extra7100="Critical"
|
||||
CHECK_ASFF_RESOURCE_TYPE_extra7100="AwsIamPolicy"
|
||||
CHECK_ALTERNATE_check7100="extra7100"
|
||||
CHECK_ASFF_COMPLIANCE_TYPE_extra7100="ens-op.acc.2.aws.iam.1"
|
||||
CHECK_SERVICENAME_extra7100="iam"
|
||||
CHECK_RISK_extra7100='If not restricted unintended access could happen.'
|
||||
CHECK_REMEDIATION_extra7100='Use the least privilege principle when granting permissions.'
|
||||
CHECK_DOC_extra7100='https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html'
|
||||
CHECK_CAF_EPIC_extra7100='IAM'
|
||||
|
||||
extra7100(){
|
||||
# "Ensure that no custom policies exist which permit assuming any role (e.g. sts:AssumeRole on *)"
|
||||
#
|
||||
# A permissive STS Role assumption policy is one where the Resource (ARN) is not explicitly defined
|
||||
# This is most often seen as sts:assumeRole on *, but can take other forms.
|
||||
#
|
||||
# Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy
|
||||
LIST_CUSTOM_POLICIES=$($AWSCLI iam list-policies --output text $PROFILE_OPT --region $REGION --scope Local --query 'Policies[*].[Arn,DefaultVersionId]' | grep -v -e '^None$' | awk -F '\t' '{print $1","$2"\n"}')
|
||||
if [[ $LIST_CUSTOM_POLICIES ]]; then
|
||||
for policy in $LIST_CUSTOM_POLICIES; do
|
||||
POLICY_ARN=$(echo $policy | awk -F ',' '{print $1}')
|
||||
POLICY_VERSION=$(echo $policy | awk -F ',' '{print $2}')
|
||||
|
||||
POLICY_STATEMENTS_WITH_ALLOW=$($AWSCLI iam get-policy-version \
|
||||
--output json \
|
||||
--policy-arn $POLICY_ARN \
|
||||
--version-id $POLICY_VERSION \
|
||||
--query "[PolicyVersion.Document.Statement] | [] | [?Effect == 'Allow']" \
|
||||
$PROFILE_OPT \
|
||||
--region $REGION
|
||||
)
|
||||
|
||||
# Identify permissive policies by:
|
||||
# 1 & 2) Casting all the Resource and Action keys to Arrays (sometimes they're a single string)
|
||||
# 3) Iterate over the policy statements
|
||||
# 4) Narrow the scope to Actions which are sts:* or sts:assumeRole(WithSAML|WithWebIdentity)
|
||||
# 5) Narrow the scope to Resources (IAM Roles) which include a wildcard
|
||||
POLICY_WITH_PERMISSIVE_STS=$(echo $POLICY_STATEMENTS_WITH_ALLOW \
|
||||
| jq 'map( .Resource |= (if type=="array" then . else [.] end) )' \
|
||||
| jq 'map( .Action |= (if type=="array" then . else [.] end) )' \
|
||||
| jq '.[]' \
|
||||
| jq 'select(.Action[] | contains("sts:AssumeRole") or contains("sts:*"))' \
|
||||
| jq 'select(.Resource[] | contains("*"))')
|
||||
|
||||
if [[ $POLICY_WITH_PERMISSIVE_STS ]]; then
|
||||
PERMISSIVE_POLICIES_LIST="$PERMISSIVE_POLICIES_LIST $POLICY_ARN"
|
||||
fi
|
||||
|
||||
done
|
||||
if [[ $PERMISSIVE_POLICIES_LIST ]]; then
|
||||
textInfo "STS AssumeRole Policies should only include the complete ARNs for the Roles that the user needs"
|
||||
textInfo "Learn more: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy"
|
||||
for policy in $PERMISSIVE_POLICIES_LIST; do
|
||||
textFail "$REGION: Policy $policy allows permissive STS Role assumption" "$REGION" "$policy"
|
||||
done
|
||||
else
|
||||
textPass "$REGION: No custom policies found that allow permissive STS Role assumption" "$REGION"
|
||||
fi
|
||||
else
|
||||
textPass "$REGION: No custom policies found" "$REGION"
|
||||
fi
|
||||
}
|
||||
@@ -0,0 +1,35 @@
|
||||
{
|
||||
"Provider": "aws",
|
||||
"CheckID": "iam_no_custom_policy_permissive_role_assumption",
|
||||
"CheckTitle": "Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)",
|
||||
"CheckType": ["Software and Configuration Checks"],
|
||||
"ServiceName": "iam",
|
||||
"SubServiceName": "",
|
||||
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
|
||||
"Severity": "critical",
|
||||
"ResourceType": "AwsIamPolicy",
|
||||
"Description": "Ensure that no custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)",
|
||||
"Risk": "If not restricted unintended access could happen.",
|
||||
"RelatedUrl": "",
|
||||
"Remediation": {
|
||||
"Code": {
|
||||
"CLI": "",
|
||||
"NativeIaC": "",
|
||||
"Other": "",
|
||||
"Terraform": ""
|
||||
},
|
||||
"Recommendation": {
|
||||
"Text": "Use the least privilege principle when granting permissions.",
|
||||
"Url": "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"
|
||||
}
|
||||
},
|
||||
"Categories": [],
|
||||
"Tags": {
|
||||
"Tag1Key": "value",
|
||||
"Tag2Key": "value"
|
||||
},
|
||||
"DependsOn": [],
|
||||
"RelatedTo": [],
|
||||
"Notes": "CAF Security Epic: IAM",
|
||||
"Compliance": []
|
||||
}
|
||||
@@ -0,0 +1,30 @@
|
||||
from lib.check.models import Check, Check_Report
|
||||
from providers.aws.services.iam.iam_client import iam_client
|
||||
|
||||
|
||||
class iam_no_custom_policy_permissive_role_assumption(Check):
|
||||
def execute(self) -> Check_Report:
|
||||
findings = []
|
||||
for index, policy_document in enumerate(iam_client.list_policies_version):
|
||||
report = Check_Report(self.metadata)
|
||||
report.region = iam_client.region
|
||||
report.resource_arn = iam_client.policies[index]["Arn"]
|
||||
report.resource_id = iam_client.policies[index]["PolicyName"]
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Custom Policy {iam_client.policies[index]['PolicyName']} does not allow permissive STS Role assumption"
|
||||
for statement in policy_document["Statement"]:
|
||||
if (
|
||||
statement["Effect"] == "Allow"
|
||||
and (
|
||||
statement["Action"] == "sts:AssumeRole"
|
||||
or statement["Action"] == "sts:*"
|
||||
)
|
||||
and statement["Resource"] == "*"
|
||||
):
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"Custom Policy {iam_client.policies[index]['PolicyName']} allows permissive STS Role assumption"
|
||||
break
|
||||
|
||||
findings.append(report)
|
||||
|
||||
return findings
|
||||
@@ -0,0 +1,206 @@
|
||||
from json import dumps
|
||||
from re import search
|
||||
from unittest import mock
|
||||
|
||||
from boto3 import client
|
||||
from moto import mock_iam
|
||||
|
||||
|
||||
class Test_iam_no_custom_policy_permissive_role_assumption:
|
||||
@mock_iam
|
||||
def test_policy_allows_permissive_role_assumption_wildcard(self):
|
||||
iam_client = client("iam")
|
||||
policy_name = "policy1"
|
||||
policy_document = {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
|
||||
],
|
||||
}
|
||||
arn = iam_client.create_policy(
|
||||
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
|
||||
)["Policy"]["Arn"]
|
||||
|
||||
from providers.aws.lib.audit_info.audit_info import current_audit_info
|
||||
from providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
with mock.patch(
|
||||
"providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
|
||||
new=IAM(current_audit_info),
|
||||
):
|
||||
from providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
|
||||
iam_no_custom_policy_permissive_role_assumption,
|
||||
)
|
||||
|
||||
check = iam_no_custom_policy_permissive_role_assumption()
|
||||
result = check.execute()
|
||||
assert result[0].status == "FAIL"
|
||||
assert search(
|
||||
f"Custom Policy {policy_name} allows permissive STS Role assumption",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_arn == arn
|
||||
assert result[0].resource_id == policy_name
|
||||
|
||||
@mock_iam
|
||||
def test_policy_allows_permissive_role_assumption_no_wilcard(self):
|
||||
iam_client = client("iam")
|
||||
policy_name = "policy1"
|
||||
policy_document = {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
|
||||
],
|
||||
}
|
||||
arn = iam_client.create_policy(
|
||||
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
|
||||
)["Policy"]["Arn"]
|
||||
|
||||
from providers.aws.lib.audit_info.audit_info import current_audit_info
|
||||
from providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
with mock.patch(
|
||||
"providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
|
||||
new=IAM(current_audit_info),
|
||||
):
|
||||
from providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
|
||||
iam_no_custom_policy_permissive_role_assumption,
|
||||
)
|
||||
|
||||
check = iam_no_custom_policy_permissive_role_assumption()
|
||||
result = check.execute()
|
||||
assert result[0].status == "FAIL"
|
||||
assert search(
|
||||
f"Custom Policy {policy_name} allows permissive STS Role assumption",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_arn == arn
|
||||
assert result[0].resource_id == policy_name
|
||||
|
||||
@mock_iam
|
||||
def test_policy_assume_role_not_allow_permissive_role_assumption(self):
|
||||
iam_client = client("iam")
|
||||
policy_name = "policy1"
|
||||
policy_document = {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{
|
||||
"Effect": "Allow",
|
||||
"Action": "sts:AssumeRole",
|
||||
"Resource": "arn:aws:iam::123456789012:user/JohnDoe",
|
||||
},
|
||||
],
|
||||
}
|
||||
arn = iam_client.create_policy(
|
||||
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
|
||||
)["Policy"]["Arn"]
|
||||
from providers.aws.lib.audit_info.audit_info import current_audit_info
|
||||
from providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
with mock.patch(
|
||||
"providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
|
||||
new=IAM(current_audit_info),
|
||||
):
|
||||
from providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
|
||||
iam_no_custom_policy_permissive_role_assumption,
|
||||
)
|
||||
|
||||
check = iam_no_custom_policy_permissive_role_assumption()
|
||||
result = check.execute()
|
||||
assert result[0].status == "PASS"
|
||||
assert search(
|
||||
f"Custom Policy {policy_name} does not allow permissive STS Role assumption",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_arn == arn
|
||||
assert result[0].resource_id == policy_name
|
||||
|
||||
@mock_iam
|
||||
def test_policy_not_allow_permissive_role_assumption(self):
|
||||
iam_client = client("iam")
|
||||
policy_name = "policy1"
|
||||
policy_document = {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
|
||||
],
|
||||
}
|
||||
arn = iam_client.create_policy(
|
||||
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
|
||||
)["Policy"]["Arn"]
|
||||
|
||||
from providers.aws.lib.audit_info.audit_info import current_audit_info
|
||||
from providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
with mock.patch(
|
||||
"providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
|
||||
new=IAM(current_audit_info),
|
||||
):
|
||||
from providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
|
||||
iam_no_custom_policy_permissive_role_assumption,
|
||||
)
|
||||
|
||||
check = iam_no_custom_policy_permissive_role_assumption()
|
||||
result = check.execute()
|
||||
assert result[0].status == "PASS"
|
||||
assert search(
|
||||
f"Custom Policy {policy_name} does not allow permissive STS Role assumption",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_arn == arn
|
||||
assert result[0].resource_id == policy_name
|
||||
|
||||
@mock_iam
|
||||
def test_policy_permissive_and_not_permissive(self):
|
||||
iam_client = client("iam")
|
||||
policy_name_non_permissive = "policy1"
|
||||
policy_document_non_permissive = {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
|
||||
],
|
||||
}
|
||||
policy_name_permissive = "policy2"
|
||||
policy_document_permissive = {
|
||||
"Version": "2012-10-17",
|
||||
"Statement": [
|
||||
{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
|
||||
],
|
||||
}
|
||||
arn_non_permissive = iam_client.create_policy(
|
||||
PolicyName=policy_name_non_permissive,
|
||||
PolicyDocument=dumps(policy_document_non_permissive),
|
||||
)["Policy"]["Arn"]
|
||||
arn_permissive = iam_client.create_policy(
|
||||
PolicyName=policy_name_permissive,
|
||||
PolicyDocument=dumps(policy_document_permissive),
|
||||
)["Policy"]["Arn"]
|
||||
|
||||
from providers.aws.lib.audit_info.audit_info import current_audit_info
|
||||
from providers.aws.services.iam.iam_service import IAM
|
||||
|
||||
with mock.patch(
|
||||
"providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption.iam_client",
|
||||
new=IAM(current_audit_info),
|
||||
):
|
||||
from providers.aws.services.iam.iam_no_custom_policy_permissive_role_assumption.iam_no_custom_policy_permissive_role_assumption import (
|
||||
iam_no_custom_policy_permissive_role_assumption,
|
||||
)
|
||||
|
||||
check = iam_no_custom_policy_permissive_role_assumption()
|
||||
result = check.execute()
|
||||
assert len(result) == 2
|
||||
assert result[0].status == "PASS"
|
||||
assert result[0].resource_arn == arn_non_permissive
|
||||
assert search(
|
||||
f"Policy {policy_name_non_permissive} does not allow permissive STS Role assumption",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == policy_name_non_permissive
|
||||
assert result[1].status == "FAIL"
|
||||
assert result[1].resource_arn == arn_permissive
|
||||
assert search(
|
||||
f"Policy {policy_name_permissive} allows permissive STS Role assumption",
|
||||
result[1].status_extended,
|
||||
)
|
||||
assert result[1].resource_id == policy_name_permissive
|
||||
@@ -11,7 +11,7 @@ class iam_policy_no_administrative_privileges(Check):
|
||||
report.resource_arn = iam_client.policies[index]["Arn"]
|
||||
report.resource_id = iam_client.policies[index]["PolicyName"]
|
||||
report.status = "PASS"
|
||||
report.status_extended = f"Policy {iam_client.policies[index]['PolicyName']} does not allow \"*:*\" administrative privileges"
|
||||
report.status_extended = f"Policy {iam_client.policies[index]['PolicyName']} does not allow '*:*' administrative privileges"
|
||||
# Check the statements, if one includes *:* stop iterating over the rest
|
||||
for statement in policy_document["Statement"]:
|
||||
if (
|
||||
@@ -20,7 +20,7 @@ class iam_policy_no_administrative_privileges(Check):
|
||||
and statement["Resource"] == "*"
|
||||
):
|
||||
report.status = "FAIL"
|
||||
report.status_extended = f"Policy {iam_client.policies[index]['PolicyName']} allows \"*:*\" administrative privileges"
|
||||
report.status_extended = f"Policy {iam_client.policies[index]['PolicyName']} allows '*:*' administrative privileges"
|
||||
break
|
||||
|
||||
findings.append(report)
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
from json import dumps
|
||||
from re import search
|
||||
from unittest import mock
|
||||
|
||||
from boto3 import client
|
||||
@@ -17,7 +18,7 @@ class Test_iam_policy_no_administrative_privileges_test:
|
||||
{"Effect": "Allow", "Action": "*", "Resource": "*"},
|
||||
],
|
||||
}
|
||||
iam_client.create_policy(
|
||||
arn = iam_client.create_policy(
|
||||
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
|
||||
)["Policy"]["Arn"]
|
||||
|
||||
@@ -35,6 +36,9 @@ class Test_iam_policy_no_administrative_privileges_test:
|
||||
check = iam_policy_no_administrative_privileges()
|
||||
result = check.execute()
|
||||
assert result[0].status == "FAIL"
|
||||
assert result[0].resource_arn == arn
|
||||
assert search(f"Policy {policy_name} allows ", result[0].status_extended)
|
||||
assert result[0].resource_id == policy_name
|
||||
|
||||
@mock_iam
|
||||
def test_policy_non_administrative(self):
|
||||
@@ -47,7 +51,7 @@ class Test_iam_policy_no_administrative_privileges_test:
|
||||
{"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
|
||||
],
|
||||
}
|
||||
iam_client.create_policy(
|
||||
arn = iam_client.create_policy(
|
||||
PolicyName=policy_name, PolicyDocument=dumps(policy_document)
|
||||
)["Policy"]["Arn"]
|
||||
|
||||
@@ -65,6 +69,11 @@ class Test_iam_policy_no_administrative_privileges_test:
|
||||
check = iam_policy_no_administrative_privileges()
|
||||
result = check.execute()
|
||||
assert result[0].status == "PASS"
|
||||
assert result[0].resource_arn == arn
|
||||
assert search(
|
||||
f"Policy {policy_name} does not allow", result[0].status_extended
|
||||
)
|
||||
assert result[0].resource_id == policy_name
|
||||
|
||||
@mock_iam
|
||||
def test_policy_administrative_and_non_administrative(self):
|
||||
@@ -84,11 +93,11 @@ class Test_iam_policy_no_administrative_privileges_test:
|
||||
{"Effect": "Allow", "Action": "*", "Resource": "*"},
|
||||
],
|
||||
}
|
||||
iam_client.create_policy(
|
||||
arn_non_administrative = iam_client.create_policy(
|
||||
PolicyName=policy_name_non_administrative,
|
||||
PolicyDocument=dumps(policy_document_non_administrative),
|
||||
)["Policy"]["Arn"]
|
||||
iam_client.create_policy(
|
||||
arn_administrative = iam_client.create_policy(
|
||||
PolicyName=policy_name_administrative,
|
||||
PolicyDocument=dumps(policy_document_administrative),
|
||||
)["Policy"]["Arn"]
|
||||
@@ -108,4 +117,16 @@ class Test_iam_policy_no_administrative_privileges_test:
|
||||
result = check.execute()
|
||||
assert len(result) == 2
|
||||
assert result[0].status == "PASS"
|
||||
assert result[0].resource_arn == arn_non_administrative
|
||||
assert search(
|
||||
f"Policy {policy_name_non_administrative} does not allow ",
|
||||
result[0].status_extended,
|
||||
)
|
||||
assert result[0].resource_id == policy_name_non_administrative
|
||||
assert result[1].status == "FAIL"
|
||||
assert result[1].resource_arn == arn_administrative
|
||||
assert search(
|
||||
f"Policy {policy_name_administrative} allows ",
|
||||
result[1].status_extended,
|
||||
)
|
||||
assert result[1].resource_id == policy_name_administrative
|
||||
|
||||
Reference in New Issue
Block a user