
Default SecurityAudit IAM Policy Doesn't Have ListSubscriptionsByTopic Action #12

Closed virtualjj closed 8 years ago

virtualjj commented 8 years ago

The default SecurityAudit IAM policy only contains the following SNS actions:

"sns:GetTopicAttributes", "sns:ListTopics"

As a result, this causes an error for https://github.com/Alfresco/aws-cis-security-benchmark/blob/master/prowler#L802

An error occurred (AuthorizationError) when calling the ListSubscriptionsByTopic operation: User: arn:aws:iam::XXXXXXXX:user/BobHope is not authorized to perform: SNS:ListSubscriptionsByTopic on resource: arn:aws:sns:eu-west-1:XXXXXXXXX:PagerDuty

The IAM policy needs the following action added to remove the error:

sns:ListSubscriptionsByTopic

toniblyx commented 8 years ago

Good catch @virtualjj! I'm wondering why AWS missed that action on their arn:aws:iam::aws:policy/SecurityAudit policy. I'm also comparing it with the role I use for Security Monkey and it may be more accurate to mix both and add that to the documentation. WTYT?

So this is the arn:aws:iam::aws:policy/SecurityAudit default policy: { "Version": "2012-10-17", "Statement": [ { "Action": [ "cloudformation:getStackPolicy", "cloudwatchlogs:describeLogGroups", "cloudwatchlogs:describeMetricFilters", "autoscaling:Describe*", "cloudformation:DescribeStack*", "cloudformation:GetTemplate", "cloudformation:ListStack*", "cloudfront:Get*", "cloudfront:List*", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus", "cloudtrail:ListTags", "cloudwatch:Describe*", "codecommit:BatchGetRepositories", "codecommit:GetBranch", "codecommit:GetObjectIdentifier", "codecommit:GetRepository", "codecommit:List*", "codedeploy:Batch*", "codedeploy:Get*", "codedeploy:List*", "config:Deliver*", "config:Describe*", "config:Get*", "datapipeline:DescribeObjects", "datapipeline:DescribePipelines", "datapipeline:EvaluateExpression", "datapipeline:GetPipelineDefinition", "datapipeline:ListPipelines", "datapipeline:QueryObjects", "datapipeline:ValidatePipelineDefinition", "directconnect:Describe*", "dynamodb:ListTables", "ec2:Describe*", "ecs:Describe*", "ecs:List*", "elasticache:Describe*", "elasticbeanstalk:Describe*", "elasticloadbalancing:Describe*", "elasticmapreduce:DescribeJobFlows", "elasticmapreduce:ListClusters", "firehose:Describe*", "firehose:List*", "glacier:ListVaults", "iam:GenerateCredentialReport", "iam:Get*", "iam:List*", "kms:Describe*", "kms:Get*", "kms:List*", "lambda:GetPolicy", "lambda:ListFunctions", "rds:Describe*", "rds:DownloadDBLogFilePortion", "rds:ListTagsForResource", "redshift:Describe*", "route53:GetChange", "route53:GetCheckerIpRanges", "route53:GetGeoLocations", "route53:GetHealthCheck", "route53:GetHealthCheckCount", "route53:GetHealthCheckLastFailureReason", "route53:GetHostedZone", "route53:GetHostedZoneCount", "route53:GetReusableDelegationSet", "route53:ListGeoLocations", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListResourceRecordSets", 
"route53:ListReusableDelegationSets", "route53:ListTagsForResource", "route53:ListTagsForResources", "route53domains:GetDomainDetail", "route53domains:GetOperationDetail", "route53domains:ListDomains", "route53domains:ListOperations", "route53domains:ListTagsForDomain", "s3:GetBucket*", "s3:GetLifecycleConfiguration", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:ListAllMyBuckets", "sdb:DomainMetadata", "sdb:ListDomains", "ses:GetIdentityDkimAttributes", "ses:ListIdentities", "sns:GetTopicAttributes", "sns:ListTopics", "sqs:GetQueueAttributes", "sqs:ListQueues", "tag:GetResources", "tag:GetTagKeys" ], "Effect": "Allow", "Resource": "*" } ] }

And this is the custom SecurityMonkeyReadOnly role used to perform all checks that Security Monkey needs: { "Version": "2012-10-17", "Statement": [ { "Action": [ "acm:describecertificate", "acm:listcertificates", "cloudtrail:describetrails", "config:describeconfigrules", "config:describeconfigurationrecorders", "directconnect:describeconnections", "ec2:describeaddresses", "ec2:describedhcpoptions", "ec2:describeflowlogs", "ec2:describeimages", "ec2:describeinstances", "ec2:describeinternetgateways", "ec2:describekeypairs", "ec2:describenatgateways", "ec2:describenetworkacls", "ec2:describenetworkinterfaces", "ec2:describeregions", "ec2:describeroutetables", "ec2:describesecuritygroups", "ec2:describesnapshots", "ec2:describesubnets", "ec2:describetags", "ec2:describevolumes", "ec2:describevpcendpoints", "ec2:describevpcpeeringconnections", "ec2:describevpcs", "elasticloadbalancing:describeloadbalancerattributes", "elasticloadbalancing:describeloadbalancerpolicies", "elasticloadbalancing:describeloadbalancers", "es:describeelasticsearchdomainconfig", "es:listdomainnames", "iam:getaccesskeylastused", "iam:getgroup", "iam:getgrouppolicy", "iam:getloginprofile", "iam:getpolicyversion", "iam:getrole", "iam:getrolepolicy", "iam:getservercertificate", "iam:getuser", "iam:getuserpolicy", "iam:listaccesskeys", "iam:listattachedgrouppolicies", "iam:listattachedrolepolicies", "iam:listattacheduserpolicies", "iam:listentitiesforpolicy", "iam:listgrouppolicies", "iam:listgroups", "iam:listinstanceprofilesforrole", "iam:listmfadevices", "iam:listpolicies", "iam:listrolepolicies", "iam:listroles", "iam:listservercertificates", "iam:listsigningcertificates", "iam:listuserpolicies", "iam:listusers", "kms:describekey", "kms:getkeypolicy", "kms:listaliases", "kms:listgrants", "kms:listkeypolicies", "kms:listkeys", "lambda:listfunctions", "rds:describedbclusters", "rds:describedbclustersnapshots", "rds:describedbinstances", "rds:describedbsecuritygroups", "rds:describedbsnapshots", 
"rds:describedbsubnetgroups", "redshift:describeclusters", "route53:listhostedzones", "route53:listresourcerecordsets", "route53domains:listdomains", "s3:getbucketacl", "s3:getbucketlocation", "s3:getbucketlogging", "s3:getbucketpolicy", "s3:getbuckettagging", "s3:getbucketversioning", "s3:getlifecycleconfiguration", "s3:listallmybuckets", "ses:getidentityverificationattributes", "ses:listidentities", "ses:listverifiedemailaddresses", "ses:sendemail", "sns:gettopicattributes", "sns:listsubscriptionsbytopic", "sns:listtopics", "sqs:getqueueattributes", "sqs:listqueues" ], "Effect": "Allow", "Resource": "*" } ] }

toniblyx commented 8 years ago

This one would be the mix of both, something like a ProwlerPolicyReadOnly:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "acm:describecertificate",
            "acm:listcertificates",
            "autoscaling:describe*",
            "cloudformation:describestack*",
            "cloudformation:getstackpolicy",
            "cloudformation:gettemplate",
            "cloudformation:liststack*",
            "cloudfront:get*",
            "cloudfront:list*",
            "cloudtrail:describetrails",
            "cloudtrail:gettrailstatus",
            "cloudtrail:listtags",
            "cloudwatch:describe*",
            "cloudwatchlogs:describeloggroups",
            "cloudwatchlogs:describemetricfilters",
            "codecommit:batchgetrepositories",
            "codecommit:getbranch",
            "codecommit:getobjectidentifier",
            "codecommit:getrepository",
            "codecommit:list*",
            "codedeploy:batch*",
            "codedeploy:get*",
            "codedeploy:list*",
            "config:deliver*",
            "config:describe*",
            "config:get*",
            "datapipeline:describeobjects",
            "datapipeline:describepipelines",
            "datapipeline:evaluateexpression",
            "datapipeline:getpipelinedefinition",
            "datapipeline:listpipelines",
            "datapipeline:queryobjects",
            "datapipeline:validatepipelinedefinition",
            "directconnect:describe*",
            "dynamodb:listtables",
            "ec2:describe*",
            "ecs:describe*",
            "ecs:list*",
            "elasticache:describe*",
            "elasticbeanstalk:describe*",
            "elasticloadbalancing:describe*",
            "elasticmapreduce:describejobflows",
            "elasticmapreduce:listclusters",
            "es:describeelasticsearchdomainconfig",
            "es:listdomainnames",
            "firehose:describe*",
            "firehose:list*",
            "glacier:listvaults",
            "iam:generatecredentialreport",
            "iam:get*",
            "iam:list*",
            "kms:describe*",
            "kms:get*",
            "kms:list*",
            "lambda:getpolicy",
            "lambda:listfunctions",
            "rds:describe*",
            "rds:downloaddblogfileportion",
            "rds:listtagsforresource",
            "redshift:describe*",
            "route53:getchange",
            "route53:getcheckeripranges",
            "route53:getgeolocations",
            "route53:gethealthcheck",
            "route53:gethealthcheckcount",
            "route53:gethealthchecklastfailurereason",
            "route53:gethostedzone",
            "route53:gethostedzonecount",
            "route53:getreusabledelegationset",
            "route53:listgeolocations",
            "route53:listhealthchecks",
            "route53:listhostedzones",
            "route53:listhostedzonesbyname",
            "route53:listresourcerecordsets",
            "route53:listreusabledelegationsets",
            "route53:listtagsforresource",
            "route53:listtagsforresources",
            "route53domains:getdomaindetail",
            "route53domains:getoperationdetail",
            "route53domains:listdomains",
            "route53domains:listoperations",
            "route53domains:listtagsfordomain",
            "s3:getbucket*",
            "s3:getlifecycleconfiguration",
            "s3:getobjectacl",
            "s3:getobjectversionacl",
            "s3:listallmybuckets",
            "sdb:domainmetadata",
            "sdb:listdomains",
            "ses:getidentitydkimattributes",
            "ses:getidentityverificationattributes",
            "ses:listidentities",
            "ses:listverifiedemailaddresses",
            "ses:sendemail",
            "sns:gettopicattributes",
            "sns:listsubscriptionsbytopic",
            "sns:listtopics",
            "sqs:getqueueattributes",
            "sqs:listqueues",
            "tag:getresources",
            "tag:gettagkeys"
        ],
        "Effect": "Allow",
        "Resource": "*"
    }]
}

I'm going to add it in the README as well.

toniblyx commented 8 years ago

done, can you test that role in your environment? @virtualjj

virtualjj commented 8 years ago

Worked as expected - thanks!

toniblyx commented 8 years ago

Good to hear :)