
[Bug]: AWS inline policies not considered for various checks #3833

Open
rieck-srlabs opened this issue Apr 22, 2024 · 2 comments
Assignees
Labels
bug provider/aws Issues/PRs related with the AWS provider status/needs-triage Issue pending triage

Comments

@rieck-srlabs
Contributor

Steps to Reproduce

There are various AWS checks that currently only consider "Custom" policies:

  • iam_policy_no_full_access_to_cloudtrail
  • iam_policy_no_full_access_to_kms
  • iam_policy_allows_privilege_escalation

To reproduce,

  1. Create an inline policy allowing full access to CloudTrail
  2. Run prowler aws
  3. Notice that prowler does not flag the full access CloudTrail policy as an issue.

Expected behavior

I expected overprivileged inline policies to be flagged by Prowler.

These checks should treat inline and custom policies identically. From a security POV, there is no practical distinction between custom policies and inline policies.

Actual Result with Screenshots or Logs

n/a

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

Local development environment

OS used

macOS

Prowler version

Prowler 4.1.0 (You are running the latest version, yay!)

Pip version

n/a

Context

No response

@rieck-srlabs rieck-srlabs added bug status/needs-triage Issue pending triage labels Apr 22, 2024
@rieck-srlabs
Contributor Author

@jfagoagas I was thinking about how to address this shortcoming myself.

It is straightforward to extend the existing checks to also cover "Inline" policies, but it seems like in general, Prowler aims to separate checks for custom policies from checks for inline policies (e.g. iam_inline_policy_no_administrative_privileges vs. iam_customer_attached_policy_no_administrative_privileges).

If I wanted to create a separate check just for inline policies, I'd have to duplicate a lot of code for iam_policy_allows_privilege_escalation and introduce quite a bit of maintenance overhead.

How would you go about this?
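As an added example (not Prowler's own code and not posted in this thread), the following Python shows the approach both the reproduction steps above and the question about duplicating check code point at: evaluate the policy document once, in a single function, and run that same function over inline and attached policies. The sample policy documents, the `allows_full_access` and `audit_policies` names, and the `{"name", "type", "document"}` record shape are constructed for illustration and are not Prowler's data model.

```python
"""Evaluate IAM policy documents for full access to a service, regardless of
whether the document came from an inline or an attached (customer-managed)
policy. Illustrative code only; it is not part of Prowler."""
from typing import Any, Iterable

# --- Constructed sample policy documents (not real account data) ----------

# Inline policy granting every CloudTrail action (the case from the report).
INLINE_FULL_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"}
    ],
}

# Attached policy using a bare "*" action. Note that IAM allows "Statement"
# to be a single object rather than a list; the evaluator must accept both.
ATTACHED_FULL_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": "*"},
}

# Scoped policy: read-only CloudTrail actions plus an explicit Deny on
# "cloudtrail:*". The Deny must not be mistaken for a grant.
SCOPED_CLOUDTRAIL_READONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["cloudtrail:DescribeTrails", "cloudtrail:LookupEvents"],
            "Resource": "*",
        },
        {"Effect": "Deny", "Action": "cloudtrail:*", "Resource": "*"},
    ],
}

# Hypothetical inventory mixing both policy types (constructed).
SAMPLE_POLICIES = [
    {"name": "inline-trail-admin", "type": "inline", "document": INLINE_FULL_CLOUDTRAIL},
    {"name": "AttachedTrailAdmin", "type": "attached", "document": ATTACHED_FULL_CLOUDTRAIL},
    {"name": "ReadOnlyTrails", "type": "attached", "document": SCOPED_CLOUDTRAIL_READONLY},
]


def _as_list(value: Any) -> list:
    """IAM lets Statement, Action and Resource be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allows_full_access(policy_document: dict, service: str) -> bool:
    """True if any Allow statement grants every action on `service`,
    either via '<service>:*' or via the unrestricted '*' action."""
    service_wildcard = f"{service.lower()}:*"
    for statement in _as_list(policy_document.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(statement.get("Action")):
            if action == "*" or action.lower() == service_wildcard:
                return True
    return False


def audit_policies(policies: Iterable[dict], service: str) -> list[dict]:
    """Apply the same test to every policy, inline or attached, and return
    one finding per policy. The check body is written once; the policy
    type is only carried along for reporting."""
    findings = []
    for policy in policies:
        failed = allows_full_access(policy["document"], service)
        findings.append(
            {
                "name": policy["name"],
                "type": policy["type"],
                "status": "FAIL" if failed else "PASS",
                "detail": f"{policy['type']} policy {policy['name']} "
                + ("grants" if failed else "does not grant")
                + f" full access to {service}",
            }
        )
    return findings


if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_POLICIES, "cloudtrail"):
        print(f"{finding['status']:4} {finding['detail']}")
```

Run directly it prints one line per sample policy; the two full-access documents fail and the scoped one passes, with the inline and attached policies going through identical logic. A real check would also need to consider `NotAction`, resource scoping and conditions, which this illustration deliberately leaves out.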

@jfagoagas jfagoagas added the provider/aws Issues/PRs related with the AWS provider label Apr 25, 2024
@jfagoagas
Member

jfagoagas commented Apr 25, 2024

Hi @rieck-srlabs I think with the current approach we should create new checks for the inline policies. Regarding the iam_inline_policy_allows_privilege_escalation I think there is no need to duplicate code:

What do you think?
Thanks!

Projects
None yet
Development

No branches or pull requests

3 participants