
Commit a18bc89

fix(iam): fill resource id with inline policy entity (#5147)
Co-authored-by: Pedro Martín <[email protected]>
1 parent 4bb2857 commit a18bc89

8 files changed

+71
-75
lines changed


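--- a/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation.py
@@ -12,22 +12,16 @@ def execute(self) -> Check_Report_AWS:
 for policy in iam_client.policies:
 if policy.type == "Inline":
 report = Check_Report_AWS(self.metadata())
-report.resource_id = policy.name
+report.resource_id = f"{policy.entity}/{policy.name}"
 report.resource_arn = policy.arn
 report.region = iam_client.region
 report.resource_tags = policy.tags
 report.status = "PASS"
 
-if "role" in report.resource_arn:
-resource_type_str = "role"
-elif "group" in report.resource_arn:
-resource_type_str = "group"
-elif "user" in report.resource_arn:
-resource_type_str = "user"
-else:
-resource_type_str = "resource"
+resource_type_str = report.resource_arn.split(":")[-1].split("/")[0]
+resource_attached = report.resource_arn.split("/")[-1]
 
-report.status_extended = f"Inline Policy '{report.resource_id}'{' attached to ' + resource_type_str + ' ' + report.resource_arn if policy.attached else ''} does not allow privilege escalation."
+report.status_extended = f"{policy.type} policy {policy.name}{' attached to ' + resource_type_str + ' ' + resource_attached if policy.attached else ''} does not allow privilege escalation."
 
 policies_affected = check_privilege_escalation(
 getattr(policy, "document", {})
@@ -37,7 +31,7 @@ def execute(self) -> Check_Report_AWS:
 report.status = "FAIL"
 
 report.status_extended = (
-f"Inline Policy '{report.resource_id}'{' attached to ' + resource_type_str + ' ' + report.resource_arn if policy.attached else ''} allows privilege escalation using the following actions: {policies_affected}".rstrip()
+f"{policy.type} policy {policy.name}{' attached to ' + resource_type_str + ' ' + resource_attached if policy.attached else ''} allows privilege escalation using the following actions: {policies_affected}".rstrip()
 + "."
 )
 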
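Review bot: The two ARN-parsing lines added at new lines 21–22, `resource_type_str = report.resource_arn.split(":")[-1].split("/")[0]` and `resource_attached = report.resource_arn.split("/")[-1]`, are pasted verbatim into the other three checks in this commit (iam_inline_policy_no_administrative_privileges, iam_inline_policy_no_full_access_to_cloudtrail, iam_inline_policy_no_full_access_to_kms); one shared helper returning the entity type and name from an IAM ARN would keep the four status messages from drifting apart again. Both values are also computed unconditionally, before the `policy.attached` condition inside the f-string is consulted, so if `policy.arn` can ever be empty or None for an unattached policy the `.split` call raises first — worth confirming against the IAM service model. The conditional expression embedded in the message, `{' attached to ' + resource_type_str + ' ' + resource_attached if policy.attached else ''}`, is repeated in the FAIL branch at new line 34; building it once into a local such as `attached_to = f" attached to {resource_type_str} {resource_attached}" if policy.attached else ""` would make both messages readable. execute() continues outside the hunks.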

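--- a/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
@@ -14,16 +14,10 @@ def execute(self) -> Check_Report_AWS:
 report.resource_tags = policy.tags
 report.status = "PASS"
 
-if "role" in report.resource_arn:
-resource_type_str = "role"
-elif "group" in report.resource_arn:
-resource_type_str = "group"
-elif "user" in report.resource_arn:
-resource_type_str = "user"
-else:
-resource_type_str = "resource"
+resource_type_str = report.resource_arn.split(":")[-1].split("/")[0]
+resource_attached = report.resource_arn.split("/")[-1]
 
-report.status_extended = f"{policy.type} policy {policy.name} attached to {resource_type_str} {report.resource_arn} does not allow '*:*' administrative privileges."
+report.status_extended = f"{policy.type} policy {policy.name} attached to {resource_type_str} {resource_attached} does not allow '*:*' administrative privileges."
 if policy.document:
 # Check the statements, if one includes *:* stop iterating over the rest
 if not isinstance(policy.document["Statement"], list):
@@ -45,7 +39,7 @@ def execute(self) -> Check_Report_AWS:
 )
 ):
 report.status = "FAIL"
-report.status_extended = f"{policy.type} policy {policy.name} attached to {resource_type_str} {report.resource_arn} allows '*:*' administrative privileges."
+report.status_extended = f"{policy.type} policy {policy.name} attached to {resource_type_str} {resource_attached} allows '*:*' administrative privileges."
 break
 findings.append(report)
 return findings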
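Review bot: report.resource_id is not touched by either hunk of this check, while the commit title says the resource id is filled with the inline policy entity and the three sibling checks in this commit switch it to `report.resource_id = f"{policy.entity}/{policy.name}"`. The assignment sits above the hunk start and is not visible here, so either this check was deliberately left on the bare policy name — in which case the test file's `result.resource_id == policy_name_not_admin` comparisons keep working but the four inline-policy checks now disagree on what resource_id means — or the same change is missing here. One line of confirmation either way would help. execute() starts outside the hunk.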

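--- a/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_cloudtrail/iam_inline_policy_no_full_access_to_cloudtrail.py
@@ -15,16 +15,20 @@ def execute(self) -> Check_Report_AWS:
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
 report.resource_arn = policy.arn
-report.resource_id = policy.name
+report.resource_id = f"{policy.entity}/{policy.name}"
 report.resource_tags = policy.tags
 report.status = "PASS"
-report.status_extended = f"Inline Policy {policy.name} does not allow '{critical_service}:*' privileges."
+
+resource_type_str = report.resource_arn.split(":")[-1].split("/")[0]
+resource_attached = report.resource_arn.split("/")[-1]
+
+report.status_extended = f"{policy.type} policy {policy.name}{' attached to ' + resource_type_str + ' ' + resource_attached if policy.attached else ''} does not allow '{critical_service}:*' privileges."
 
 if policy.document and check_full_service_access(
 critical_service, policy.document
 ):
 report.status = "FAIL"
-report.status_extended = f"Inline Policy {policy.name} allows '{critical_service}:*' privileges to all resources."
+report.status_extended = f"{policy.type} policy {policy.name}{' attached to ' + resource_type_str + ' ' + resource_attached if policy.attached else ''} allows '{critical_service}:*' privileges to all resources."
 
 findings.append(report)
 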

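--- a/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_no_full_access_to_kms/iam_inline_policy_no_full_access_to_kms.py
@@ -14,16 +14,20 @@ def execute(self):
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
 report.resource_arn = policy.arn
-report.resource_id = policy.name
+report.resource_id = f"{policy.entity}/{policy.name}"
 report.resource_tags = policy.tags
 report.status = "PASS"
-report.status_extended = f"Inline Policy {policy.name} does not allow '{critical_service}:*' privileges."
+
+resource_type_str = report.resource_arn.split(":")[-1].split("/")[0]
+resource_attached = report.resource_arn.split("/")[-1]
+
+report.status_extended = f"{policy.type} policy {policy.name}{' attached to ' + resource_type_str + ' ' + resource_attached if policy.attached else ''} does not allow '{critical_service}:*' privileges."
 
 if policy.document and check_full_service_access(
 critical_service, policy.document
 ):
 report.status = "FAIL"
-report.status_extended = f"Inline Policy {policy.name} allows '{critical_service}:*' privileges."
+report.status_extended = f"{policy.type} policy {policy.name}{' attached to ' + resource_type_str + ' ' + resource_attached if policy.attached else ''} allows '{critical_service}:*' privileges."
 
 findings.append(report)
 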

tests/providers/aws/services/iam/iam_inline_policy_allows_privilege_escalation/iam_inline_policy_allows_privilege_escalation_test.py

+16-16
@@ -106,9 +106,9 @@ def test_iam_inline_role_policy_not_allows_privilege_escalation(self):
106106
assert result[0].status == "PASS"
107107
assert (
108108
result[0].status_extended
109-
== f"Inline Policy '{policy_name}' attached to role {role_arn} does not allow privilege escalation."
109+
== f"Inline policy {policy_name} attached to role {role_name} does not allow privilege escalation."
110110
)
111-
assert result[0].resource_id == policy_name
111+
assert result[0].resource_id == f"test_role/{policy_name}"
112112
assert result[0].resource_arn == role_arn
113113
assert result[0].region == AWS_REGION_US_EAST_1
114114
assert result[0].resource_tags == []
@@ -162,9 +162,9 @@ def test_iam_inline_user_policy_not_allows_privilege_escalation_glue_GetDevEndpo
162162
assert result[0].status == "PASS"
163163
assert (
164164
result[0].status_extended
165-
== f"Inline Policy '{policy_name}' attached to user {user_arn} does not allow privilege escalation."
165+
== f"Inline policy {policy_name} attached to user {user_name} does not allow privilege escalation."
166166
)
167-
assert result[0].resource_id == policy_name
167+
assert result[0].resource_id == f"test_user/{policy_name}"
168168
assert result[0].resource_arn == user_arn
169169
assert result[0].region == AWS_REGION_US_EAST_1
170170
assert result[0].resource_tags == []
@@ -228,9 +228,9 @@ def test_iam_inline_group_policy_not_allows_privilege_escalation_dynamodb_PutIte
228228
assert result[0].status == "PASS"
229229
assert (
230230
result[0].status_extended
231-
== f"Inline Policy '{policy_name}' attached to group {group_arn} does not allow privilege escalation."
231+
== f"Inline policy {policy_name} attached to group {group_name} does not allow privilege escalation."
232232
)
233-
assert result[0].resource_id == policy_name
233+
assert result[0].resource_id == f"test_group/{policy_name}"
234234
assert result[0].resource_arn == group_arn
235235
assert result[0].region == AWS_REGION_US_EAST_1
236236
assert result[0].resource_tags == []
@@ -289,13 +289,13 @@ def test_iam_inline_role_policy_allows_privilege_escalation_iam_all_and_ec2_RunI
289289
result = check.execute()
290290
assert len(result) == 1
291291
assert result[0].status == "FAIL"
292-
assert result[0].resource_id == policy_name
292+
assert result[0].resource_id == f"test_role/{policy_name}"
293293
assert result[0].resource_arn == role_arn
294294
assert result[0].region == AWS_REGION_US_EAST_1
295295
assert result[0].resource_tags == []
296296

297297
assert search(
298-
f"Inline Policy '{policy_name}' attached to role {role_arn} allows privilege escalation using the following actions: ",
298+
f"Inline policy {policy_name} attached to role {role_name} allows privilege escalation using the following actions: ",
299299
result[0].status_extended,
300300
)
301301
assert search("iam:PassRole", result[0].status_extended)
@@ -348,13 +348,13 @@ def test_iam_inline_policy_allows_privilege_escalation_iam_PassRole(
348348
result = check.execute()
349349
assert len(result) == 1
350350
assert result[0].status == "FAIL"
351-
assert result[0].resource_id == policy_name
351+
assert result[0].resource_id == f"test_role/{policy_name}"
352352
assert result[0].resource_arn == role_arn
353353
assert result[0].region == AWS_REGION_US_EAST_1
354354
assert result[0].resource_tags == []
355355

356356
assert search(
357-
f"Inline Policy '{policy_name}' attached to role {role_arn} allows privilege escalation using the following actions: ",
357+
f"Inline policy {policy_name} attached to role {role_name} allows privilege escalation using the following actions: ",
358358
result[0].status_extended,
359359
)
360360
assert search("iam:PassRole", result[0].status_extended)
@@ -425,13 +425,13 @@ def test_iam_inline_policy_allows_privilege_escalation_two_combinations(
425425
result = check.execute()
426426
assert len(result) == 1
427427
assert result[0].status == "FAIL"
428-
assert result[0].resource_id == policy_name
428+
assert result[0].resource_id == f"test_role/{policy_name}"
429429
assert result[0].resource_arn == role_arn
430430
assert result[0].region == AWS_REGION_US_EAST_1
431431
assert result[0].resource_tags == []
432432

433433
assert search(
434-
f"Inline Policy '{policy_name}' attached to role {role_arn} allows privilege escalation using the following actions: ",
434+
f"Inline policy {policy_name} attached to role {role_name} allows privilege escalation using the following actions: ",
435435
result[0].status_extended,
436436
)
437437
assert search("iam:PassRole", result[0].status_extended)
@@ -491,13 +491,13 @@ def test_iam_inline_policy_allows_privilege_escalation_iam_PassRole_and_other_ac
491491
result = check.execute()
492492
assert len(result) == 1
493493
assert result[0].status == "FAIL"
494-
assert result[0].resource_id == policy_name
494+
assert result[0].resource_id == f"test_role/{policy_name}"
495495
assert result[0].resource_arn == role_arn
496496
assert result[0].region == AWS_REGION_US_EAST_1
497497
assert result[0].resource_tags == []
498498

499499
assert search(
500-
f"Inline Policy '{policy_name}' attached to role {role_arn} allows privilege escalation using the following actions: ",
500+
f"Inline policy {policy_name} attached to role {role_name} allows privilege escalation using the following actions: ",
501501
result[0].status_extended,
502502
)
503503
assert search("iam:PassRole", result[0].status_extended)
@@ -551,13 +551,13 @@ def test_iam_inline_policy_allows_privilege_escalation_policies_combination(
551551
result = check.execute()
552552
assert len(result) == 1
553553
assert result[0].status == "FAIL"
554-
assert result[0].resource_id == policy_name
554+
assert result[0].resource_id == f"test_role/{policy_name}"
555555
assert result[0].resource_arn == role_arn
556556
assert result[0].region == AWS_REGION_US_EAST_1
557557
assert result[0].resource_tags == []
558558

559559
assert search(
560-
f"Inline Policy '{policy_name}' attached to role {role_arn} allows privilege escalation using the following actions: ",
560+
f"Inline policy {policy_name} attached to role {role_name} allows privilege escalation using the following actions: ",
561561
result[0].status_extended,
562562
)
563563
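Review bot: The updated resource_id assertions hard-code the entity name, `assert result[0].resource_id == f"test_role/{policy_name}"` (and `test_user/`, `test_group/` in the other two PASS tests), while the status_extended assertion directly above each one already uses the `role_name` / `user_name` / `group_name` fixture variable. Writing `assert result[0].resource_id == f"{role_name}/{policy_name}"` keeps both assertions tied to the same fixture and survives a rename of the test entity; the same applies to the five FAIL tests further down this file. The enclosing test functions start outside the hunks.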

tests/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges_test.py

+12-12
@@ -103,7 +103,7 @@ def test_groups_admin_inline_policy(self):
103103
assert results[0].status == "FAIL"
104104
assert (
105105
results[0].status_extended
106-
== f"Inline policy {policy_name} attached to group {group_arn} allows '*:*' administrative privileges."
106+
== f"Inline policy {policy_name} attached to group {group_name} allows '*:*' administrative privileges."
107107
)
108108

109109
@mock_aws
@@ -147,7 +147,7 @@ def test_groups_no_admin_inline_policy(self):
147147
assert results[0].status == "PASS"
148148
assert (
149149
results[0].status_extended
150-
== f"Inline policy {policy_name} attached to group {group_arn} does not allow '*:*' administrative privileges."
150+
== f"Inline policy {policy_name} attached to group {group_name} does not allow '*:*' administrative privileges."
151151
)
152152

153153
@mock_aws
@@ -201,7 +201,7 @@ def test_groups_admin_and_not_admin_inline_policies(self):
201201
assert result.status == "FAIL"
202202
assert (
203203
result.status_extended
204-
== f"Inline policy {policy_name_admin} attached to group {group_arn} allows '*:*' administrative privileges."
204+
== f"Inline policy {policy_name_admin} attached to group {group_name} allows '*:*' administrative privileges."
205205
)
206206

207207
elif result.resource_id == policy_name_not_admin:
@@ -212,7 +212,7 @@ def test_groups_admin_and_not_admin_inline_policies(self):
212212
assert result.status == "PASS"
213213
assert (
214214
result.status_extended
215-
== f"Inline policy {policy_name_not_admin} attached to group {group_arn} does not allow '*:*' administrative privileges."
215+
== f"Inline policy {policy_name_not_admin} attached to group {group_name} does not allow '*:*' administrative privileges."
216216
)
217217

218218
# Roles
@@ -291,7 +291,7 @@ def test_roles_admin_inline_policy(self):
291291
assert results[0].status == "FAIL"
292292
assert (
293293
results[0].status_extended
294-
== f"Inline policy {policy_name} attached to role {role_arn} allows '*:*' administrative privileges."
294+
== f"Inline policy {policy_name} attached to role {role_name} allows '*:*' administrative privileges."
295295
)
296296

297297
@mock_aws
@@ -338,7 +338,7 @@ def test_roles_no_admin_inline_policy(self):
338338
assert results[0].status == "PASS"
339339
assert (
340340
results[0].status_extended
341-
== f"Inline policy {policy_name} attached to role {role_arn} does not allow '*:*' administrative privileges."
341+
== f"Inline policy {policy_name} attached to role {role_name} does not allow '*:*' administrative privileges."
342342
)
343343

344344
@mock_aws
@@ -394,7 +394,7 @@ def test_roles_admin_and_not_admin_inline_policies(self):
394394
assert result.status == "FAIL"
395395
assert (
396396
result.status_extended
397-
== f"Inline policy {policy_name_admin} attached to group {role_arn} allows '*:*' administrative privileges."
397+
== f"Inline policy {policy_name_admin} attached to group {role_name} allows '*:*' administrative privileges."
398398
)
399399

400400
elif result.resource_id == policy_name_not_admin:
@@ -405,7 +405,7 @@ def test_roles_admin_and_not_admin_inline_policies(self):
405405
assert result.status == "PASS"
406406
assert (
407407
result.status_extended
408-
== f"Inline policy {policy_name_not_admin} attached to group {role_arn} does not allow '*:*' administrative privileges."
408+
== f"Inline policy {policy_name_not_admin} attached to group {role_name} does not allow '*:*' administrative privileges."
409409
)
410410

411411
# Users
@@ -484,7 +484,7 @@ def test_users_admin_inline_policy(self):
484484
assert results[0].status == "FAIL"
485485
assert (
486486
results[0].status_extended
487-
== f"Inline policy {policy_name} attached to user {user_arn} allows '*:*' administrative privileges."
487+
== f"Inline policy {policy_name} attached to user {user_name} allows '*:*' administrative privileges."
488488
)
489489

490490
@mock_aws
@@ -532,7 +532,7 @@ def test_users_no_admin_inline_policy(self):
532532
assert results[0].status == "PASS"
533533
assert (
534534
results[0].status_extended
535-
== f"Inline policy {policy_name} attached to user {user_arn} does not allow '*:*' administrative privileges."
535+
== f"Inline policy {policy_name} attached to user {user_name} does not allow '*:*' administrative privileges."
536536
)
537537

538538
@mock_aws
@@ -589,7 +589,7 @@ def test_users_admin_and_not_admin_inline_policies(self):
589589
assert result.status == "FAIL"
590590
assert (
591591
result.status_extended
592-
== f"Inline policy {policy_name_admin} attached to user {user_arn} allows '*:*' administrative privileges."
592+
== f"Inline policy {policy_name_admin} attached to user {user_name} allows '*:*' administrative privileges."
593593
)
594594

595595
elif result.resource_id == policy_name_not_admin:
@@ -600,5 +600,5 @@ def test_users_admin_and_not_admin_inline_policies(self):
600600
assert result.status == "PASS"
601601
assert (
602602
result.status_extended
603-
== f"Inline policy {policy_name_not_admin} attached to user {user_arn} does not allow '*:*' administrative privileges."
603+
== f"Inline policy {policy_name_not_admin} attached to user {user_name} does not allow '*:*' administrative privileges."
604604
)
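Review bot: `test_roles_admin_and_not_admin_inline_policies` still expects `attached to group {role_name}` for a role-attached policy in both its FAIL and PASS messages, which the new check code cannot produce: the entity type is now taken from the ARN segment after the last colon, so a role ARN yields `role`. Each of these assertions sits under an `if result.resource_id == policy_name_admin:` / `elif result.resource_id == policy_name_not_admin:` guard that this commit leaves unchanged, so they may only be passing because neither branch executes — if resource_id for this check now carries the entity prefix, no result matches a bare policy name. Changing the two strings to `attached to role {role_name}` and ending each of the three if/elif chains with `else: raise AssertionError(f"unexpected resource_id {result.resource_id}")` would make the tests fail loudly instead of vacuously. The enclosing test functions start outside the hunks.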
