prowler-cloud · puchy22 · Jun 13, 2024 · Jun 13, 2024 · Jun 13, 2024 · Jun 13, 2024
@@ -88,3 +88,13 @@ VPCs should have separate private and public subnets to prevent the exposure of
 VPCs should have subnets in different availability zones to prevent a single point of failure. Prowler will only check this configuration for those VPCs that are in use, in other words, only the VPCs where you have ENIs (network interfaces).
 
   - `vpc_subnet_different_az`
+
+#### IAM
+Prowler checks that inline policies does not overly guaranteeing access to certain services such as Cloudtrail and KMS, only attached inline policies will be checked.
+
+  - `iam_policy_no_full_access_to_cloudtrail`
+  - `iam_policy_no_full_access_to_kms`
+
+Policies with determined combination could lead into a privilege escalation, only attached inline policies will be checked.
+
+  - `iam_policy_allows_privilege_escalation`
@@ -0,0 +1,33 @@
+{
+  "Provider": "aws",
+  "CheckID": "iam_inline_policy_allows_privilege_escalation",
+  "CheckTitle": "Ensure no Inline Managed IAM policies allow actions that may lead into Privilege Escalation",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards"
+  ],
+  "ServiceName": "iam",
+  "SubServiceName": "inline_policy",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "high",
+  "ResourceType": "AwsIamPolicy",
+  "Description": "Ensure no Inline Managed IAM policies allow actions that may lead into Privilege Escalation",
+  "Risk": "Users with some IAM permissions are allowed to elevate their privileges up to administrator rights.",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
+      "Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,48 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.iam.iam_client import iam_client
+from prowler.providers.aws.services.iam.lib.privilege_escalation import (
+    check_privilege_escalation,
+)
+
+
+class iam_inline_policy_allows_privilege_escalation(Check):
+    def execute(self) -> Check_Report_AWS:
+        findings = []
+
+        for policy in iam_client.policies:
+            if (
+                policy.attached or iam_client.provider.scan_unused_services
+            ) and policy.type == "Inline":
+                report = Check_Report_AWS(self.metadata())
+                report.resource_id = policy.name
+                report.resource_arn = policy.arn
+                report.region = iam_client.region
+                report.resource_tags = policy.tags
+                report.status = "PASS"
+
+                if "role" in report.resource_arn:
+                    resource_type_str = "role"
+                elif "group" in report.resource_arn:
+                    resource_type_str = "group"
+                elif "user" in report.resource_arn:
+                    resource_type_str = "user"
+                else:
+                    resource_type_str = "resource"
+
+                report.status_extended = f"Inline Policy '{report.resource_id}'{' attached to ' + resource_type_str + ' ' + report.resource_arn if policy.attached else ''} does not allow privilege escalation."
+
+                policies_affected = check_privilege_escalation(
+                    getattr(policy, "document", {})
+                )
+
+                if policies_affected:
+                    report.status = "FAIL"
+
+                    report.status_extended = (
+                        f"Inline Policy '{report.resource_id}'{' attached to ' + resource_type_str + ' ' + report.resource_arn if policy.attached else ''} allows privilege escalation using the following actions: {policies_affected}".rstrip()
+                        + "."
+                    )
+
+                findings.append(report)
+
+        return findings
@@ -0,0 +1,34 @@
+{
+  "Provider": "aws",
+  "CheckID": "iam_inline_policy_no_full_access_to_cloudtrail",
+  "CheckTitle": "Ensure IAM inline policies that allow full \"cloudtrail:*\" privileges are not created",
+  "CheckType": [
+    "Software and Configuration Checks",
+    "Industry and Regulatory Standards",
+    "CIS AWS Foundations Benchmark"
+  ],
+  "ServiceName": "iam",
+  "SubServiceName": "inline_policies",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsIamPolicy",
+  "Description": "Ensure IAM inline policies that allow full \"cloudtrail:*\" privileges are not created",
+  "Risk": "CloudTrail is a critical service and IAM policies should follow least privilege model for this service in particular",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
+      "Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,33 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.iam.iam_client import iam_client
+from prowler.providers.aws.services.iam.lib.policy import check_full_service_access
+
+critical_service = "cloudtrail"
+
+
+class iam_inline_policy_no_full_access_to_cloudtrail(Check):
+    def execute(self) -> Check_Report_AWS:
+        findings = []
+
+        for policy in iam_client.policies:
+            # Check only inline policies
+            if (
+                policy.attached or iam_client.provider.scan_unused_services
+            ) and policy.type == "Inline":
+                report = Check_Report_AWS(self.metadata())
+                report.region = iam_client.region
+                report.resource_arn = policy.arn
+                report.resource_id = policy.name
+                report.resource_tags = policy.tags
+                report.status = "PASS"
+                report.status_extended = f"Inline Policy {policy.name} does not allow '{critical_service}:*' privileges."
+
+                if policy.document and check_full_service_access(
+                    critical_service, policy.document
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Inline Policy {policy.name} allows '{critical_service}:*' privileges to all resources."
+
+                findings.append(report)
+
+        return findings
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "iam_inline_policy_no_full_access_to_kms",
+  "CheckTitle": "Ensure IAM inline policies that allow full \"kms:*\" privileges are not created",
+  "CheckType": [
+    "Software and Configuration Checks"
+  ],
+  "ServiceName": "iam",
+  "SubServiceName": "inline_policy",
+  "ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
+  "Severity": "medium",
+  "ResourceType": "AwsIamPolicy",
+  "Description": "Ensure IAM inline policies that allow full \"kms:*\" privileges are not created",
+  "Risk": "KMS is a critical service and IAM policies should follow least privilege model for this service in particular",
+  "RelatedUrl": "",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "It is more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. List policies an analyze if permissions are the least possible to conduct business activities.",
+      "Url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
@@ -0,0 +1,32 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.iam.iam_client import iam_client
+from prowler.providers.aws.services.iam.lib.policy import check_full_service_access
+
+critical_service = "kms"
+
+
+class iam_inline_policy_no_full_access_to_kms(Check):
+    def execute(self):
+        findings = []
+
+        for policy in iam_client.policies:
+            if (
+                policy.attached or iam_client.provider.scan_unused_services
+            ) and policy.type == "Inline":
+                report = Check_Report_AWS(self.metadata())
+                report.region = iam_client.region
+                report.resource_arn = policy.arn
+                report.resource_id = policy.name
+                report.resource_tags = policy.tags
+                report.status = "PASS"
+                report.status_extended = f"Inline Policy {policy.name} does not allow '{critical_service}:*' privileges."
+
+                if policy.document and check_full_service_access(
+                    critical_service, policy.document
+                ):
+                    report.status = "FAIL"
+                    report.status_extended = f"Inline Policy {policy.name} allows '{critical_service}:*' privileges."
+
+                findings.append(report)
+
+        return findings