
[Bug]: Check failing due to IAM Roles created by AWS Control Tower and AFT with AdministratorAccess policy #3810

Open
jfagoagas opened this issue Apr 18, 2024 Discussed in #3809 · 1 comment
Labels
bug provider/aws Issues/PRs related with the AWS provider severity/medium Results in some unexpected or undesired behavior.

Comments

jfagoagas (Member) commented Apr 18, 2024

Discussed in #3809

Originally posted by @dmkim22-lguplus April 18, 2024
Hello,

IAM Roles created by AWS Control Tower and AFT (Account Factory for Terraform) have the AdministratorAccess policy attached, and it seems "Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached" is failing due to this.

Should the following IAM Roles in an account be excluded from this check?

  • aws-controltower-AdministratorExecutionRole
  • AWSAFTExecution
  • AWSAFTService
  • AWSControlTowerExecution
  • stacksets-exec-*

Thank you in advance.

@jfagoagas jfagoagas added status/needs-triage Issue pending triage provider/aws Issues/PRs related with the AWS provider labels Apr 18, 2024
@jfagoagas jfagoagas added status/awaiting-reponse Waiting response from Issue owner and removed status/needs-triage Issue pending triage labels May 7, 2024
@jfagoagas jfagoagas reopened this May 7, 2024
@jfagoagas jfagoagas added severity/medium Results in some unexpected or undesired behavior. and removed status/awaiting-reponse Waiting response from Issue owner labels May 7, 2024
jfagoagas (Member, Author) commented:

We need to do further investigation because the check iam_aws_attached_policy_no_administrative_privileges analyzes IAM managed policies, so the resource_id is the policy name. There is no quick solution for this issue as of today; we need to think about having related resources in the same findings and using the allowlist.

@jfagoagas jfagoagas added the bug label May 7, 2024
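Because the finding's resource_id is the policy name, a practitioner triaging it today has to look at which roles the policy is attached to themselves. The helper below is an added example, not Prowler's own code: it decides whether a policy document grants full "*:*" privileges the way the check describes, then splits the attached roles into the Control Tower / AFT names listed in this issue and everything else that still needs review. The policy document and attached-role list are constructed inline in the shape boto3's get_policy_version and list_entities_for_policy return.

```python
import fnmatch

# Role names from the issue; stacksets-exec-* is treated as a glob pattern.
EXPECTED_ROLE_PATTERNS = [
    "aws-controltower-AdministratorExecutionRole",
    "AWSAFTExecution",
    "AWSAFTService",
    "AWSControlTowerExecution",
    "stacksets-exec-*",
]

def grants_full_admin(policy_document: dict) -> bool:
    """True if any Allow statement grants Action "*" on Resource "*"."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False

def is_expected_role(role_name: str) -> bool:
    """Match a role name against the Control Tower / AFT names from the issue."""
    return any(fnmatch.fnmatchcase(role_name, p) for p in EXPECTED_ROLE_PATTERNS)

def triage(policy_document: dict, attached_roles: list) -> tuple:
    """Return (expected, needs_review) role name lists; both empty when the
    policy is not full admin, i.e. the check would not fire on it."""
    if not grants_full_admin(policy_document):
        return [], []
    names = [r["RoleName"] for r in attached_roles]
    expected = [n for n in names if is_expected_role(n)]
    needs_review = [n for n in names if not is_expected_role(n)]
    return expected, needs_review

# Constructed sample: AdministratorAccess-style document (get_policy_version shape).
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed sample in the shape of list_entities_for_policy()["PolicyRoles"].
ATTACHED = [{"RoleName": "AWSControlTowerExecution"},
            {"RoleName": "stacksets-exec-1a2b3c4d5e6f"},
            {"RoleName": "ops-break-glass"}]

if __name__ == "__main__":
    expected, needs_review = triage(ADMIN_DOC, ATTACHED)
    print("expected (Control Tower / AFT):", expected)
    print("needs review:", needs_review)
```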