Prowler is an open source security tool for AWS, Azure, GCP and Kubernetes that performs security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. It includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more.
This is just one example, as Prowler is reporting the iam_role_cross_service_confused_deputy_prevention security issue on every single AWS IAM service-linked role:

Field | Value
-- | --
Check ID | iam_role_cross_service_confused_deputy_prevention
Check title | Ensure IAM Service Roles prevents against a cross-service confused deputy attack
Status | FAIL
Status extended | IAM Service Role AWSServiceRoleForAmazonGuardDuty prevents against a cross-service confused deputy attack
Service | iam
Severity | high
Resource type | AwsIamPolicy
Description | Ensure IAM Service Roles prevents against a cross-service confused deputy attack
Risk | Allow attackers to gain unauthorized access to resources
Remediation | Use the aws:SourceArn and aws:SourceAccount global condition context keys in trust relationship policies to limit the permissions that a service has to a specific resource
Remediation URL | https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention
Compliance | ENS-RD2022: op.exp.8.r4.aws.ct.8
(unlabelled column) | ENV
Account ID | 9.25522E+11 (rendered in scientific notation by the spreadsheet the row was pasted from)
Region | us-east-1
Resource ID | AWSServiceRoleForAmazonGuardDuty
Resource ARN | arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty
Steps to Reproduce
Prowler aws is reporting a security issue for all AWS IAM service-linked roles, where a confused deputy check is not applicable: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
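As an added example (not Prowler's code and not part of the issue text), the trust-policy logic this check has to apply, with the handling for service-linked roles that the report above shows missing. The role records are constructed; the `/aws-service-role/` path test and the `aws:SourceArn` / `aws:SourceAccount` condition keys come from the AWS documentation linked above. Note that the GuardDuty role's ARN in the finding already carries that path, which is the signal a check can use to mark it not applicable instead of FAIL.

```python
"""Re-implementation of the trust-policy logic behind
iam_role_cross_service_confused_deputy_prevention, written for this issue.
Not Prowler's code: the role records below are constructed, and the
"not applicable" handling for service-linked roles is the behaviour the
issue asks for, not the behaviour Prowler showed in the report above.
"""
import json

# Global condition keys that pin a service principal to a caller resource/account.
CONFUSED_DEPUTY_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def is_service_linked_role(role: dict) -> bool:
    """Service-linked roles always live under the /aws-service-role/ path.

    AWS owns their trust policy and the customer cannot edit it, so the
    aws:SourceArn / aws:SourceAccount remediation cannot be applied to them.
    """
    return role.get("Path", "/").startswith("/aws-service-role/")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def service_principal_statements(trust_policy: dict):
    """Yield Allow statements that let an AWS service principal assume the role."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # Deny statements and "*" / string principals are skipped
        if "Service" not in principal:
            continue  # AWS account, federated or canonical-user principals
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "sts:assumerole" in actions or "sts:*" in actions:
            yield stmt


def statement_has_source_guard(stmt: dict) -> bool:
    """True when any condition operator carries aws:SourceArn or aws:SourceAccount.

    IAM matches condition keys case-insensitively, so this does too.
    """
    for keys in stmt.get("Condition", {}).values():
        if any(k.lower() in CONFUSED_DEPUTY_KEYS for k in keys):
            return True
    return False


def evaluate_role(role: dict):
    """Return "PASS", "FAIL", or None when the check does not apply to the role.

    None covers service-linked roles (trust policy not customer-editable) and
    roles that no AWS service is allowed to assume (no deputy to confuse).
    """
    if is_service_linked_role(role):
        return None
    policy = role["AssumeRolePolicyDocument"]
    if isinstance(policy, str):  # boto3 returns a dict; CLI/JSON dumps may embed a string
        policy = json.loads(policy)
    statements = list(service_principal_statements(policy))
    if not statements:
        return None
    # One unguarded service statement is enough for the attack, so all must be guarded.
    return "PASS" if all(statement_has_source_guard(s) for s in statements) else "FAIL"


def _trust(service, condition=None):
    """Build a minimal trust policy for a single service principal (test fixture)."""
    stmt = {"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample roles (account 123456789012 is the documentation placeholder).
SAMPLE_ROLES = [
    {"RoleName": "AWSServiceRoleForAmazonGuardDuty",  # SLR: reported FAIL in the issue
     "Path": "/aws-service-role/guardduty.amazonaws.com/",
     "AssumeRolePolicyDocument": _trust("guardduty.amazonaws.com")},
    {"RoleName": "lambda-exec-unguarded", "Path": "/",  # genuine finding
     "AssumeRolePolicyDocument": _trust("lambda.amazonaws.com")},
    {"RoleName": "sns-publish-guarded", "Path": "/",  # remediation applied
     "AssumeRolePolicyDocument": _trust("sns.amazonaws.com", {
         "ArnLike": {"aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:alerts"},
         "StringEquals": {"aws:SourceAccount": "123456789012"}})},
    {"RoleName": "cross-account-admin", "Path": "/",  # no service principal
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
          "Action": "sts:AssumeRole"}]}},
]


def run(roles=SAMPLE_ROLES) -> dict:
    """Map role name -> PASS / FAIL / None for a list of IAM role records."""
    return {r["RoleName"]: evaluate_role(r) for r in roles}


if __name__ == "__main__":
    for name, status in run().items():
        print(f"{status or 'N/A':<5} {name}")
```

To run it against a live account, feed the `Roles` from each `iam.list_roles()` page into `run()`; boto3 already returns `AssumeRolePolicyDocument` as a decoded dict, and the string branch only matters for policies read back from CLI or JSON exports.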