feat(IAM): Add inline policies checks and improve custom policy checks (
Showing
22 changed files
with
2,546 additions
and
317 deletions.
Empty file.
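--- a/...y_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.metadata.json
+++ b/...y_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.metadata.json
@@ -0,0 +1,33 @@
+{
+  "Provider": "aws",
+  "CheckID": "iam_inline_policy_allows_privilege_escalation",
+  "CheckTitle": "Ensure no Inline IAM policies allow actions that may lead into Privilege Escalation",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards"
+  ],
+  "ServiceName": "iam",
+  "SubServiceName": "inline_policy",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "high",
+  "ResourceType": "AwsIamPolicy",
+  "Description": "Ensure no Inline IAM policies allow actions that may lead into Privilege Escalation",
+  "Risk": "Users with some IAM permissions are allowed to elevate their privileges up to administrator rights.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
+      "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}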
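Review bot: The `Recommendation.Text` value `Grant usage permission on a per-resource basis and applying least privilege principle.` is ungrammatical for remediation text that ends up in reports; `Grant permissions on a per-resource basis and apply the least-privilege principle.` reads correctly. The same field in the cloudtrail and kms metadata files added by this commit contains `List policies an analyze`, which should read `List policies and analyze`.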
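--- a/...nline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py
+++ b/...nline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py
@@ -0,0 +1,46 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.iam.iam_client import iam_client
+from prowler.providers.aws.services.iam.lib.privilege_escalation import (
+    check_privilege_escalation,
+)
+
+
+class iam_inline_policy_allows_privilege_escalation(Check):
+    def execute(self) -> Check_Report_AWS:
+        findings = []
+
+        for policy in iam_client.policies:
+            if policy.type == "Inline":
+                report = Check_Report_AWS(self.metadata())
+                report.resource_id = policy.name
+                report.resource_arn = policy.arn
+                report.region = iam_client.region
+                report.resource_tags = policy.tags
+                report.status = "PASS"
+
+                if "role" in report.resource_arn:
+                    resource_type_str = "role"
+                elif "group" in report.resource_arn:
+                    resource_type_str = "group"
+                elif "user" in report.resource_arn:
+                    resource_type_str = "user"
+                else:
+                    resource_type_str = "resource"
+
+                report.status_extended = f"Inline Policy '{report.resource_id}'{' attached to ' + resource_type_str + ' ' + report.resource_arn if policy.attached else ''} does not allow privilege escalation."
+
+                policies_affected = check_privilege_escalation(
+                    getattr(policy, "document", {})
+                )
+
+                if policies_affected:
+                    report.status = "FAIL"
+
+                    report.status_extended = (
+                        f"Inline Policy '{report.resource_id}'{' attached to ' + resource_type_str + ' ' + report.resource_arn if policy.attached else ''} allows privilege escalation using the following actions: {policies_affected}".rstrip()
+                        + "."
+                    )
+
+                findings.append(report)
+
+        return findings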
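Review bot: The principal-type inference starting at `if "role" in report.resource_arn:` is a substring test over the whole ARN, so a user or group whose name contains "role" (for example a user called "controller") is reported as attached to a role, and the same misclassification applies to names containing "group" or "user"; the finding text is what an analyst reads, so it should not depend on principal naming. If `policy.arn` follows the usual IAM shape (`arn:partition:iam::account:type/name`, possibly with further segments appended), the type is the segment after the fifth colon and before the first slash: `arn_resource = report.resource_arn.split(":", 5)[-1].split("/", 1)[0]` followed by `resource_type_str = arn_resource if arn_resource in ("user", "group", "role") else "resource"`; I have not verified the ARN that iam_client builds for inline policies, so confirm that before changing it. Separately, the `-> Check_Report_AWS` annotation on `execute` does not match the `findings` list it returns; `-> list[Check_Report_AWS]` would be accurate, and the cloudtrail check in this commit carries the same mismatch while the kms check has no annotation at all.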
Empty file.
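--- a/...no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.metadata.json
+++ b/...no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.metadata.json
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "iam_inline_policy_no_full_access_to_cloudtrail",
+  "CheckTitle": "Ensure IAM inline policies that allow full \"cloudtrail:*\" privileges are not created",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "iam",
+  "SubServiceName": "inline_policies",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsIamPolicy",
+  "Description": "Ensure IAM inline policies that allow full \"cloudtrail:*\" privileges are not created",
+  "Risk": "CloudTrail is a critical service and IAM policies should follow least privilege model for this service in particular",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
+      "Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}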
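--- a/...ine_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py
+++ b/...ine_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py
@@ -0,0 +1,31 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.iam.iam_client import iam_client
+from prowler.providers.aws.services.iam.lib.policy import check_full_service_access
+
+critical_service = "cloudtrail"
+
+
+class iam_inline_policy_no_full_access_to_cloudtrail(Check):
+    def execute(self) -> Check_Report_AWS:
+        findings = []
+
+        for policy in iam_client.policies:
+            # Check only inline policies
+            if policy.type == "Inline":
+                report = Check_Report_AWS(self.metadata())
+                report.region = iam_client.region
+                report.resource_arn = policy.arn
+                report.resource_id = policy.name
+                report.resource_tags = policy.tags
+                report.status = "PASS"
+                report.status_extended = f"Inline Policy {policy.name} does not allow '{critical_service}:*' privileges."
+
+                if policy.document and check_full_service_access(
+                    critical_service, policy.document
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Inline Policy {policy.name} allows '{critical_service}:*' privileges to all resources."
+
+                findings.append(report)
+
+        return findings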
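Review bot: The FAIL message `report.status_extended = f"Inline Policy {policy.name} allows '{critical_service}:*' privileges to all resources."` asserts a resource scope that the kms check in this commit omits for the identical `check_full_service_access` call, so one of the two messages describes the helper's semantics wrongly; whether the helper only matches statements whose Resource is `*` is not visible here, so align the wording with what it actually tests and use the same sentence in both checks. A one-line comment above the `if policy.document and check_full_service_access(` line stating what qualifies as "full access" (wildcard action, NotAction, resource scope) would also save the next reader a trip into lib/policy. Minor: `critical_service` is a module-level constant in both files and would conventionally be `CRITICAL_SERVICE`.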
Empty file.
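--- a/...inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.metadata.json
+++ b/...inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "iam_inline_policy_no_full_access_to_kms",
+  "CheckTitle": "Ensure IAM inline policies that allow full \"kms:*\" privileges are not created",
+  "CheckType": [
+    "Software and Configuration Checks"
+  ],
+  "ServiceName": "iam",
+  "SubServiceName": "inline_policy",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsIamPolicy",
+  "Description": "Ensure IAM inline policies that allow full \"kms:*\" privileges are not created",
+  "Risk": "KMS is a critical service and IAM policies should follow least privilege model for this service in particular",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
+      "Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}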
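--- a/...es/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py
+++ b/...es/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py
@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.iam.iam_client import iam_client
+from prowler.providers.aws.services.iam.lib.policy import check_full_service_access
+
+critical_service = "kms"
+
+
+class iam_inline_policy_no_full_access_to_kms(Check):
+    def execute(self):
+        findings = []
+
+        for policy in iam_client.policies:
+            if policy.type == "Inline":
+                report = Check_Report_AWS(self.metadata())
+                report.region = iam_client.region
+                report.resource_arn = policy.arn
+                report.resource_id = policy.name
+                report.resource_tags = policy.tags
+                report.status = "PASS"
+                report.status_extended = f"Inline Policy {policy.name} does not allow '{critical_service}:*' privileges."
+
+                if policy.document and check_full_service_access(
+                    critical_service, policy.document
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Inline Policy {policy.name} allows '{critical_service}:*' privileges."
+
+                findings.append(report)
+
+        return findings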