
[Bug]: AWS inline policies not considered for various checks

Open rieck-srlabs opened this issue 10 months ago • 3 comments

Steps to Reproduce

There are various AWS checks that currently only consider "Custom" policies:

  • iam_policy_no_full_access_to_cloudtrail
  • iam_policy_no_full_access_to_kms
  • iam_policy_allows_privilege_escalation

To reproduce,

  1. Create an inline policy allowing full access to CloudTrail
  2. Run prowler aws
  3. Notice that prowler does not flag the full-access CloudTrail policy as an issue.

Expected behavior

I expected overprivileged inline policies to be flagged by Prowler.

These checks should treat inline and custom policies identically. From a security POV, there is no practical distinction between custom policies and inline policies.

Actual Result with Screenshots or Logs

n/a

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

Local development environment

OS used

macOS

Prowler version

Prowler 4.1.0 (You are running the latest version, yay!)

Pip version

n/a

Context

No response

rieck-srlabs · Apr 22 '24 17:04

@jfagoagas I was thinking about how to address this shortcoming myself.

It is straightforward to extend the existing checks to also cover "Inline" policies, but it seems like in general, Prowler aims to separate checks for custom policies from checks for inline policies (e.g. iam_inline_policy_no_administrative_privileges vs. iam_customer_attached_policy_no_administrative_privileges).

If I wanted to create a separate check just for inline policies, I'd have to duplicate a lot of code for iam_policy_allows_privilege_escalation and introduce quite a bit of maintenance overhead.

How would you go about this?

rieck-srlabs · Apr 22 '24 17:04

Hi @rieck-srlabs I think with the current approach we should create new checks for the inline policies. Regarding the iam_inline_policy_allows_privilege_escalation I think there is no need to duplicate code:

  • This code block (https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/services/iam/iam_policy_allows_privilege_escalation/iam_policy_allows_privilege_escalation.py#L22-L89) can be moved to prowler/providers/aws/services/iam/lib/privilege_escalation.py
  • The same for the business logic code, it can be moved to another file and just call it from the checks, passing the required arguments and returning the necessary objects to verify the result in the check and generate a finding.

What do you think? Thanks!

jfagoagas · Apr 25 '24 09:04
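A sketch of the refactor proposed above, as an added example written for this page rather than Prowler's own code: the policy analysis (full-access detection and the privilege-escalation combination match) lives in one shared helper module, and the per-policy-type checks are thin wrappers that differ only in which policies they iterate, so inline and customer-managed policies get identical treatment. The constructed sample inventory mirrors the reproduction in the issue: an inline policy granting `cloudtrail:*` is flagged alongside the customer-managed one. Function names, the sample policies and the small privilege-escalation table are hypothetical; `Resource` and `Condition` elements are ignored, so a match means "could allow", not "definitely allows".

```python
import fnmatch

# Constructed subset of well-known privilege-escalation combinations.
# Hypothetical table for this example, not Prowler's own list.
PRIVILEGE_ESCALATION_COMBINATIONS = {
    "CreateAccessKey": {"iam:CreateAccessKey"},
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
    "PassRole+CreateFunction+InvokeFunction": {
        "iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "PassRole+RunInstances": {"iam:PassRole", "ec2:RunInstances"},
}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_action_patterns(document):
    """Lower-cased action patterns granted by Allow statements.

    Assumption: Resource and Condition are ignored. An Allow with NotAction grants
    everything not listed, so it is over-approximated as '*'."""
    patterns = set()
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            patterns.add("*")
            continue
        patterns.update(a.lower() for a in _as_list(stmt.get("Action")))
    return patterns


def grants_full_access(document, service):
    """True if some pattern covers every action of `service`: '*', 'svc:*',
    or a service glob such as 'cloud*:*' that matches the service name."""
    for pattern in allowed_action_patterns(document):
        if pattern == "*":
            return True
        svc, sep, action = pattern.partition(":")
        if sep and action == "*" and fnmatch.fnmatchcase(service.lower(), svc):
            return True
    return False


def privilege_escalation_matches(document):
    """Names of combinations whose every action is covered by some Allow pattern."""
    patterns = allowed_action_patterns(document)

    def covered(action):
        return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

    return sorted(name for name, actions in PRIVILEGE_ESCALATION_COMBINATIONS.items()
                  if all(covered(a) for a in actions))


def _findings(policies, policy_type, predicate):
    """Shared glue: names of policies of one type for which the predicate holds.
    `policies` is a list of {"name", "type" ("Custom"|"Inline"|"AWS"), "document"}."""
    return [p["name"] for p in policies
            if p["type"] == policy_type and predicate(p["document"])]


# Thin per-type checks: the only difference is the policy type they iterate.
def custom_policy_full_access(policies, service):
    return _findings(policies, "Custom", lambda d: grants_full_access(d, service))


def inline_policy_full_access(policies, service):
    return _findings(policies, "Inline", lambda d: grants_full_access(d, service))


def custom_policy_allows_privilege_escalation(policies):
    return _findings(policies, "Custom", lambda d: bool(privilege_escalation_matches(d)))


def inline_policy_allows_privilege_escalation(policies):
    return _findings(policies, "Inline", lambda d: bool(privilege_escalation_matches(d)))


def _doc(actions):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


# Constructed sample inventory mirroring the reproduction steps in the issue.
SAMPLE_POLICIES = [
    {"name": "inline-cloudtrail-full", "type": "Inline", "document": _doc("cloudtrail:*")},
    {"name": "custom-cloudtrail-full", "type": "Custom", "document": _doc(["cloudtrail:*"])},
    {"name": "inline-readonly", "type": "Inline",
     "document": _doc(["cloudtrail:LookupEvents", "cloudtrail:DescribeTrails"])},
    {"name": "inline-create-key", "type": "Inline", "document": _doc("iam:Create*")},
    {"name": "aws-managed-admin", "type": "AWS", "document": _doc("*")},
]

if __name__ == "__main__":
    print("inline full access:", inline_policy_full_access(SAMPLE_POLICIES, "cloudtrail"))
    print("custom full access:", custom_policy_full_access(SAMPLE_POLICIES, "cloudtrail"))
    print("inline privesc:", inline_policy_allows_privilege_escalation(SAMPLE_POLICIES))
```

Because both checks share `grants_full_access` and `privilege_escalation_matches`, a new escalation combination or a wildcard-handling fix lands in one place and applies to inline and customer-managed policies alike, which is the point of the lib-module split suggested above.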

I likely won't get around to implementing this. Happy if you could add this to the backlog for internal development, as has probably already happened, seeing as @sergargar has been assigned.

rieck-srlabs · May 29 '24 13:05