nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool
GNU General Public License v2.0
6.75k stars 1.07k forks source link

ADA-CP 2.2.1: Ensure a support role has been created to manage incidents with AWS Support #1654

Open rdegraaf opened 4 months ago

rdegraaf commented 4 months ago

Is your feature request related to a problem? Please describe.

The App Defense Alliance Cloud Profile requires a check that an incident-management Role has been registered with AWS Support.

Describe the solution you'd like

Implement the check documented at https://github.com/appdefensealliance/ASA-WG/blob/main/Cloud%20App%20and%20Config%20Profile/Cloud%20App%20and%20Config%20Test%20Guide.md#221-ensure-a-support-role-has-been-created-to-manage-incidents-with-aws-support.

Describe alternatives you've considered

None.

Additional context

rdegraaf commented 4 months ago

Looks like there is already such a rule ("iam-no-support-role") in the "detailed" ruleset, but:

  1. It doesn't work. The rule is not triggered on an account that does not have the AWSSupportAccess permission policy attached to anything -- presumably because ScoutSuite only enumerates AWS-managed permission policies when they are attached to something within the account.
  2. It only requires that the permission policy be attached to something, as opposed to specifically a Role as is required by CIS and ADA.
rdegraaf commented 4 months ago

Fixed in https://github.com/rdegraaf/ScoutSuite/tree/ada-cp-aws. MR to come once I have a few more rules implemented.