feat(IAM): Add inline policies checks and improve custom policy checks (

#4255)
prowler-cloud · Jul 3, 2024 · e6ae539 · e6ae539
1 parent 541b907
commit e6ae539
Show file tree

Hide file tree

Showing 22 changed files with 2,546 additions and 317 deletions.
diff --git a/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/__init__.py b/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/__init__.py
diff --git a/...y_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.metadata.json b/...y_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.metadata.json
@@ -0,0 +1,33 @@
+{
+  "Provider": "aws",
+  "CheckID": "iam_inline_policy_allows_privilege_escalation",
+  "CheckTitle": "Ensure no Inline IAM policies allow actions that may lead into Privilege Escalation",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards"
+  ],
+  "ServiceName": "iam",
+  "SubServiceName": "inline_policy",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "high",
+  "ResourceType": "AwsIamPolicy",
+  "Description": "Ensure no Inline IAM policies allow actions that may lead into Privilege Escalation",
+  "Risk": "Users with some IAM permissions are allowed to elevate their privileges up to administrator rights.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
+      "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
diff --git a/...nline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py b/...nline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py
@@ -0,0 +1,46 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.iam.iam_client import iam_client
+from prowler.providers.aws.services.iam.lib.privilege_escalation import (
+    check_privilege_escalation,
+)
+
+
+class iam_inline_policy_allows_privilege_escalation(Check):
+    def execute(self) -> Check_Report_AWS:
+        findings = []
+
+        for policy in iam_client.policies:
+            if policy.type == "Inline":
+                report = Check_Report_AWS(self.metadata())
+                report.resource_id = policy.name
+                report.resource_arn = policy.arn
+                report.region = iam_client.region
+                report.resource_tags = policy.tags
+                report.status = "PASS"
+
+                if "role" in report.resource_arn:
+                    resource_type_str = "role"
+                elif "group" in report.resource_arn:
+                    resource_type_str = "group"
+                elif "user" in report.resource_arn:
+                    resource_type_str = "user"
+                else:
+                    resource_type_str = "resource"
+
+                report.status_extended = f"Inline Policy '{report.resource_id}'{' attached to ' + resource_type_str + ' ' + report.resource_arn if policy.attached else ''} does not allow privilege escalation."
+
+                policies_affected = check_privilege_escalation(
+                    getattr(policy, "document", {})
+                )
+
+                if policies_affected:
+                    report.status = "FAIL"
+
+                    report.status_extended = (
+                        f"Inline Policy '{report.resource_id}'{' attached to ' + resource_type_str + ' ' + report.resource_arn if policy.attached else ''} allows privilege escalation using the following actions: {policies_affected}".rstrip()
+                        + "."
+                    )
+
+                findings.append(report)
+
+        return findings
diff --git a/...ler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_cloudtrail/__init__.py b/...ler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_cloudtrail/__init__.py
diff --git a/...no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.metadata.json b/...no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.metadata.json
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "iam_inline_policy_no_full_access_to_cloudtrail",
+  "CheckTitle": "Ensure IAM inline policies that allow full \"cloudtrail:*\" privileges are not created",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "iam",
+  "SubServiceName": "inline_policies",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsIamPolicy",
+  "Description": "Ensure IAM inline policies that allow full \"cloudtrail:*\" privileges are not created",
+  "Risk": "CloudTrail is a critical service and IAM policies should follow least privilege model for this service in particular",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
+      "Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
diff --git a/...ine_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py b/...ine_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py
@@ -0,0 +1,31 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.iam.iam_client import iam_client
+from prowler.providers.aws.services.iam.lib.policy import check_full_service_access
+
+critical_service = "cloudtrail"
+
+
+class iam_inline_policy_no_full_access_to_cloudtrail(Check):
+    def execute(self) -> Check_Report_AWS:
+        findings = []
+
+        for policy in iam_client.policies:
+            # Check only inline policies
+            if policy.type == "Inline":
+                report = Check_Report_AWS(self.metadata())
+                report.region = iam_client.region
+                report.resource_arn = policy.arn
+                report.resource_id = policy.name
+                report.resource_tags = policy.tags
+                report.status = "PASS"
+                report.status_extended = f"Inline Policy {policy.name} does not allow '{critical_service}:*' privileges."
+
+                if policy.document and check_full_service_access(
+                    critical_service, policy.document
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Inline Policy {policy.name} allows '{critical_service}:*' privileges to all resources."
+
+                findings.append(report)
+
+        return findings
diff --git a/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_kms/__init__.py b/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_kms/__init__.py
diff --git a/...inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.metadata.json b/...inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "iam_inline_policy_no_full_access_to_kms",
+  "CheckTitle": "Ensure IAM inline policies that allow full \"kms:*\" privileges are not created",
+  "CheckType": [
+    "Software and Configuration Checks"
+  ],
+  "ServiceName": "iam",
+  "SubServiceName": "inline_policy",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsIamPolicy",
+  "Description": "Ensure IAM inline policies that allow full \"kms:*\" privileges are not created",
+  "Risk": "KMS is a critical service and IAM policies should follow least privilege model for this service in particular",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
+      "Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
diff --git a/...es/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py b/...es/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py
@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.iam.iam_client import iam_client
+from prowler.providers.aws.services.iam.lib.policy import check_full_service_access
+
+critical_service = "kms"
+
+
+class iam_inline_policy_no_full_access_to_kms(Check):
+    def execute(self):
+        findings = []
+
+        for policy in iam_client.policies:
+            if policy.type == "Inline":
+                report = Check_Report_AWS(self.metadata())
+                report.region = iam_client.region
+                report.resource_arn = policy.arn
+                report.resource_id = policy.name
+                report.resource_tags = policy.tags
+                report.status = "PASS"
+                report.status_extended = f"Inline Policy {policy.name} does not allow '{critical_service}:*' privileges."
+
+                if policy.document and check_full_service_access(
+                    critical_service, policy.document
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Inline Policy {policy.name} allows '{critical_service}:*' privileges."
+
+                findings.append(report)
+
+        return findings