Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/1576 flag permission policies that deny api actions #1593

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

Feature/1576 flag permission policies that deny api actions #1593

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
91d90e3
Merge pull request #1555 from nccgroup/develop
fernando-gallego Jul 5, 2023
967ec54
Update README.md
fernando-gallego Sep 22, 2023
5ef88d3
add new rules to default ruleset
Dec 12, 2023
de3c563
new rule definitions
Dec 12, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 0 additions & 16 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,20 +50,4 @@ The above report was generated by running Scout Suite against https://github.com
Additional information can be found in the [wiki](https://github.com/nccgroup/ScoutSuite/wiki).
There are also a number of handy [tools](https://github.com/nccgroup/ScoutSuite/tree/master/tools) for automation of common tasks.

## NCC Scout

Our self-service cloud account monitoring platform, NCC Scout, is a user-friendly SaaS providing you with the ability to constantly monitor your public cloud accounts, allowing you to check they’re configured to comply with industry best practice.

It features:

- Persistent monitoring - so you know about changes or issues as they arise
- One tool - all configuration checks in one place for speed and simplicity
- Multi-vendor support - AWS, Azure and GCP public cloud accounts
- Agnostic platform - a trusted third-party tool

Additional details can be found in the [wiki](https://github.com/nccgroup/ScoutSuite/wiki/NCC-Scout).

**NCC Scout now has a free tier under our "Freemium" offering**.
This offering provides access to NCC Group’s extended rulesets, keeping your cloud environment protected in-line with best practice configuration and cloud technologies. To sign up for the service, head on to https://cyberstore.nccgroup.com/our-services/service-details/16/cloud-account-monitoring.


20 changes: 20 additions & 0 deletions ScoutSuite/providers/aws/rules/findings/iam-inline-policy-with-deny-actions.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{
"description": "Inline User Policy with Deny Action",
"rationale": "The presence of Deny statements in permission policies is not necessarily a problem: they have totally valid uses. However, attempting to control access to API actions in AWS using a wildcard allow and a deny-list is very difficult and subject to problems since there is frequently more than way to accomplish something, new API actions get added all the time, and permission policy authors frequently fail to consider all available API actions. Flagged policies should be reviewed to make sure they are appropriate given the account's access control regime and requirements, and that they do not have trivial bypasses.",
"dashboard_name": "Users",
"display_path": "iam.users.id",
"path": "iam.users.id.inline_policies.id.PolicyDocument.Statement.id",
"conditions": [
"and",
[
"iam.users.id.inline_policies.id.PolicyDocument.Statement.id.Effect",
"equal",
"Deny"
],
[
"iam.users.id.inline_policies.id.PolicyDocument.Statement.id.Action",
"notMatch",
"\\*"
]
]
}
20 changes: 20 additions & 0 deletions ScoutSuite/providers/aws/rules/findings/iam-policy-with-deny-actions.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{
"description": "Deny Action in IAM Policy",
"rationale": "The presence of Deny statements in permission policies is not necessarily a problem: they have totally valid uses. However, attempting to control access to API actions in AWS using a wildcard allow and a deny-list is very difficult and subject to problems since there is frequently more than way to accomplish something, new API actions get added all the time, and permission policy authors frequently fail to consider all available API actions. Flagged policies should be reviewed to make sure they are appropriate given the account's access control regime and requirements, and that they do not have trivial bypasses.",
"dashboard_name": "Statements",
"display_path": "iam.policies.id",
"path": "iam.policies.id.PolicyDocument.Statement.id",
"conditions": [
"and",
[
"iam.policies.id.PolicyDocument.Statement.id.Effect",
"equal",
"Deny"
],
[
"iam.policies.id.PolicyDocument.Statement.id.Action",
"notMatch",
"\\*"
]
]
}
12 changes: 12 additions & 0 deletions ScoutSuite/providers/aws/rules/rulesets/default.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -805,6 +805,18 @@
"level": "danger"
}
],
"iam-policy-with-deny-actions.json": [
{
"enabled": true,
"level": "warning"
}
],
"iam-inline-policy-with-deny-actions.json": [
{
"enabled": "true",
"level": "warning"
}
],
"kms-cmk-rotation-disabled.json": [
{
"enabled": true,
Expand Down