prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0
10.76k stars 1.53k forks

[Bug]: False positive in all AWS service linked IAM Roles #2314

Closed awsnacho closed 1 year ago

awsnacho commented 1 year ago

Steps to Reproduce

Prowler for AWS is reporting a security issue for all AWS service-linked IAM roles, where a confused deputy check is not applicable. https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

This is just one example, as Prowler is reporting the iam_role_cross_service_confused_deputy_prevention security issue on every single AWS IAM service-linked role:

Check ID: iam_role_cross_service_confused_deputy_prevention
Check title: Ensure IAM Service Roles prevents against a cross-service confused deputy attack
Status: FAIL
Status detail: IAM Service Role AWSServiceRoleForAmazonGuardDuty prevents against a cross-service confused deputy attack
Service: iam
Severity: high
Resource type: AwsIamPolicy
Risk: Allow attackers to gain unauthorized access to resources
Remediation: Use the aws:SourceArn and aws:SourceAccount global condition context keys in trust relationship policies to limit the permissions that a service has to a specific resource
Remediation URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention
Compliance: ENS-RD2022: op.exp.8.r4.aws.ct.8
Profile: ENV
Account ID: 9.25522E+11
Region: us-east-1
Resource ID: AWSServiceRoleForAmazonGuardDuty
Resource ARN: arn:aws:iam::123456789012:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty

Expected behavior

The security issue iam_role_cross_service_confused_deputy_prevention should not be reported on service-linked IAM roles, as a confused deputy check on them is not applicable.

Actual Result with Screenshots or Logs

This is an example of one of the AWS IAM service-linked roles in the Prowler report:

Check ID: iam_role_cross_service_confused_deputy_prevention
Check title: Ensure IAM Service Roles prevents against a cross-service confused deputy attack
Status: FAIL
Status detail: IAM Service Role AWSServiceRoleForAmazonGuardDuty prevents against a cross-service confused deputy attack
Service: iam
Severity: high
Resource type: AwsIamPolicy
Risk: Allow attackers to gain unauthorized access to resources
Remediation: Use the aws:SourceArn and aws:SourceAccount global condition context keys in trust relationship policies to limit the permissions that a service has to a specific resource
Remediation URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention
Compliance: ENS-RD2022: op.exp.8.r4.aws.ct.8
Profile: ENV
Account ID: 9.25522E+11
Region: us-east-1
Resource ID: AWSServiceRoleForAmazonGuardDuty
Resource ARN: arn:aws:iam::925522019539:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty

How did you install Prowler?

From brew (brew install prowler)

Environment Resource

All AWS resources.

OS used

Amazon Linux 2

Prowler version

3.3.4

Pip version

23.1.2

Context

The false positive is being reported on ALL AWS service-linked roles.

n4ch04 commented 1 year ago

Hi @awsnacho we will evaluate this and keep you posted.

Thanks for using Prowler !!

sergargar commented 1 year ago

Hi @awsnacho, this should be fixed in the latest version of Prowler (3.4.1). Could you please run pip install prowler --upgrade and let us know if you still have the same issue? Thanks.

n4ch04 commented 1 year ago

Hi @awsnacho, if you look at the check's logic, it looks at roles without aws-service-role in the role ARN, which are not the true AWS service-linked roles whose permissions you can't edit (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html). The other service-related roles detected by the check have assume-role policies that can be edited to include the Condition block in the statement to avoid confused deputy attacks.

sergargar commented 1 year ago

@awsnacho this issue is fixed in the latest version, feel free to reopen the issue if you have any questions, thanks.

awsnacho commented 1 year ago

Great thank you very much.

Regards, Jose Arevalo, Security Consultant, AWS Professional Services

awsnacho commented 1 year ago

Hello Nacho and Team,

We are still seeing the issue on roles without aws-service-role in the role ARN. If we add the condition it does not work; the only way it works is without the condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Please advise.

Thanks and Regards, Jose Arevalo Security Consultant AWS Professional Services

sergargar commented 1 year ago

Hi @awsnacho, can you provide us the ARN of the role and the trust relationship that does not work? Thanks.

awsnacho commented 1 year ago

Great thank you.

There are many:

arn:aws:iam::559347774351:role/BLRoleForLambda-Power-TunninginitializerDEV

arn:aws:iam::559347774351:role/BLRoleForLambda-Power-TunningoptimizerDEV

arn:aws:iam::559347774351:role/BLRoleForLambda-Power-TunningsfnDEV

arn:aws:iam::559347774351:role/BLRoleForLambdaCardPinGenerator

arn:aws:iam::559347774351:role/BLRoleForLambdaES

arn:aws:iam::559347774351:role/BLRoleForLambdaGestionesBLB

arn:aws:iam::559347774351:role/BLRoleForLambdaNotificationsEventsDEV

arn:aws:iam::559347774351:role/BLRoleForLambdaRipple

arn:aws:iam::559347774351:role/BLRoleForLambdaS3Cleanup

arn:aws:iam::559347774351:role/BLRoleForLambdaS3Trigger

arn:aws:iam::559347774351:role/BLRoleForLambdaSDL

arn:aws:iam::559347774351:role/BLRoleForLambdaSelfManagement

arn:aws:iam::559347774351:role/BLRoleForLambdaServiredPlus

arn:aws:iam::559347774351:role/BLRoleForLambdaSGRRI

arn:aws:iam::559347774351:role/BLRoleforLambdaStartStop

arn:aws:iam::559347774351:role/BLRoleForLambdaSTI

arn:aws:iam::559347774351:role/BLRoleForNotificationsEventsLambdaDEV

arn:aws:iam::559347774351:role/BLRoleForOpenApiLambdaFunctionDEV

arn:aws:iam::559347774351:role/BLRoleForPallaApp

arn:aws:iam::559347774351:role/BLRoleForRdsNotifier

arn:aws:iam::559347774351:role/BLRoleForRemesas-CO-Lambda-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesas-CO-StepFunction-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesas-PB-Lambda-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesas-PB-StepFunction-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesas-PGO-Lambda-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesas-PGO-StepFunction-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesas-Reversar-Lambda-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesas-Reversar-StepFunction-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesasECRManaged-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesasECSCodeDeploy-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesasECSTask-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesasECSTaskExecution-DEV

arn:aws:iam::559347774351:role/BLRoleForRemesasLambda-DEV

arn:aws:iam::559347774351:role/BLRoleForServiredPlusBOECSTaskDEV

arn:aws:iam::559347774351:role/BLRoleForServiredPlusBOECSTaskExecutionDEV

arn:aws:iam::559347774351:role/BLRoleForServiredPlusBOLambdaDEV

arn:aws:iam::559347774351:role/BLRoleForServiredPlusBORDSMonitoringDEV

arn:aws:iam::559347774351:role/BLRoleForServiredPlusECSCodeDeploy-DEV

arn:aws:iam::559347774351:role/BLRoleForServiredPlusECSTask-DEV

This is one of the trust relationships:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": " lambda.amazonaws.com "
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "559347774351"
                    ]
                }
            }
        }
    ]
}

Thanks and Regards, Jose Arevalo, Security Consultant, AWS Professional Services

sergargar commented 1 year ago

@awsnacho are you using the latest version of Prowler (3.6.1) and auditing the account 559347774351? The trust relationship you indicated works on my side. Thanks.

awsnacho commented 1 year ago

Hello Sergio,

I will upgrade. Not sure what you mean by audit account.

Regards, Jose Arevalo, Security Consultant, AWS Professional Services

sergargar commented 1 year ago

Let us know when you try it with the latest version of Prowler. The audit account is the AWS Account associated with your AWS credentials, it must be the same as the one in the trust relationship condition.

awsnacho commented 1 year ago

Hello Sergio.

No luck. Still the same issue after upgrading to the latest version. Please advise.


prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesas-CO-Lambda-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesas-CO-StepFunction-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesas-PB-Lambda-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesas-PB-StepFunction-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesas-PGO-Lambda-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesas-PGO-StepFunction-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesas-Reversar-Lambda-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesas-Reversar-StepFunction-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesasECRManaged-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesasECSCodeDeploy-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesasECSTask-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesasECSTaskExecution-DEV

prowler-aws-iam_role_cross_service_confused_deputy_prevention-925522019539-us-east-1-BLRoleForRemesasLambda-DEV

Thanks and Regards, Jose Arevalo, Security Consultant, AWS Professional Services

sergargar commented 1 year ago

@awsnacho, can you send us some of the trust relationships that are failing? which is the AWS account ID where you are getting those findings?

awsnacho commented 1 year ago

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": " lambda.amazonaws.com "
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "925522019539"
                }
            }
        }
    ]
}

Jose Arevalo, Security Consultant, AWS Professional Services

sergargar commented 1 year ago

@awsnacho which is the AWS Account ID that you are scanning?

awsnacho commented 1 year ago

925522019539

Jose Arevalo, Security Consultant, AWS Professional Services

awsnacho commented 1 year ago

Hello Team,

Do we have an idea how soon this issue will be resolved ?

Thanks in advance for your help.

Regards, Jose Arevalo, Security Consultant, AWS Professional Services

sergargar commented 1 year ago

Hi @awsnacho , we still cannot reproduce your error. Make sure that the spelling is correct and that there are no blank spaces in the texts. From the policy you sent us I can see blank spaces in " lambda.amazonaws.com ". Let me know if that was the issue. Thanks.
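
To make the check's logic concrete (the role-path exclusion n4ch04 describes, the audited-account requirement sergargar describes, and the blank-space pitfall above), here is an added example written for this page. It is not Prowler's own check code, which lives in the prowler repository and may differ in detail. It is a small Python evaluator that applies those rules to constructed trust policies: roles under the /aws-service-role/ path are skipped; every statement that lets a service principal call sts:AssumeRole must carry an aws:SourceAccount or aws:SourceArn condition; the account pinned by that condition must be the audited account; and a service principal that does not look like <service>.amazonaws.com (for example one padded with spaces) is reported explicitly instead of silently failing to match. The role names, account IDs and policies are constructed, and the principal regex, operator list and strictness are my assumptions, not Prowler's.

```python
import re

# Service principals look like "<service>.amazonaws.com". Anything else (stray
# whitespace, a typo) is reported explicitly rather than silently failing to match.
# The pattern is an assumption for this example, not Prowler's.
SERVICE_PRINCIPAL_RE = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com(\.cn)?$")
CONDITION_OPERATORS = {"StringEquals", "StringLike", "ArnEquals", "ArnLike"}


def is_service_linked_role(role_arn):
    """AWS-managed service-linked roles live under the /aws-service-role/ path;
    their trust policy cannot be edited, so the check does not apply to them."""
    return "/aws-service-role/" in role_arn


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(value):
    """Account named by an aws:SourceAccount value, or the account field of an ARN."""
    if value.startswith("arn:"):
        parts = value.split(":")
        return parts[4] if len(parts) > 4 else ""
    return value


def _condition_accounts(condition):
    """Accounts pinned by aws:SourceAccount / aws:SourceArn under any supported operator."""
    accounts = set()
    for operator, pairs in condition.items():
        # Strip set-operator prefixes such as "ForAnyValue:StringEquals".
        if operator.split(":")[-1] not in CONDITION_OPERATORS:
            continue
        for key, values in pairs.items():
            if key.lower() in ("aws:sourceaccount", "aws:sourcearn"):
                accounts.update(_account_of(v) for v in _as_list(values))
    return accounts


def evaluate_statement(statement, audited_account):
    """Return (status, reason) for one trust-policy statement. Only Allow statements
    that grant sts:AssumeRole to a Service principal are in scope."""
    if statement.get("Effect") != "Allow":
        return "PASS", "not an Allow statement"
    if "sts:AssumeRole" not in _as_list(statement.get("Action", [])):
        return "PASS", "statement does not grant sts:AssumeRole"
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict) or "Service" not in principal:
        return "PASS", "no service principal"
    for svc in _as_list(principal["Service"]):
        if not SERVICE_PRINCIPAL_RE.match(svc):
            return "FAIL", f"malformed service principal {svc!r} (stray whitespace or typo?)"
    accounts = _condition_accounts(statement.get("Condition", {}))
    if not accounts:
        return "FAIL", "no aws:SourceAccount/aws:SourceArn condition"
    if accounts != {audited_account}:
        return "FAIL", f"condition pins {sorted(accounts)}, not only audited account {audited_account}"
    return "PASS", "condition restricts the calling service to the audited account"


def evaluate_role(role_arn, trust_policy, audited_account):
    """Skip service-linked roles; otherwise the first failing statement decides."""
    if is_service_linked_role(role_arn):
        return "SKIP", "service-linked role; trust policy is AWS-managed"
    for statement in _as_list(trust_policy["Statement"]):
        status, reason = evaluate_statement(statement, audited_account)
        if status == "FAIL":
            return status, reason
    return "PASS", "all service-principal statements are restricted"


# Constructed sample data (not real resources): the audited account, a second
# account for the mismatch case, and one role per situation seen in the thread.
AUDITED_ACCOUNT = "123456789012"
OTHER_ACCOUNT = "111122223333"


def _trust(service, condition=None):
    stmt = {"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


SAMPLE_ROLES = {
    f"arn:aws:iam::{AUDITED_ACCOUNT}:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty":
        _trust("guardduty.amazonaws.com"),
    f"arn:aws:iam::{AUDITED_ACCOUNT}:role/NoCondition": _trust("lambda.amazonaws.com"),
    f"arn:aws:iam::{AUDITED_ACCOUNT}:role/PaddedPrincipal":
        _trust(" lambda.amazonaws.com ", {"StringEquals": {"aws:SourceAccount": AUDITED_ACCOUNT}}),
    f"arn:aws:iam::{AUDITED_ACCOUNT}:role/WrongAccount":
        _trust("lambda.amazonaws.com", {"StringEquals": {"aws:SourceAccount": OTHER_ACCOUNT}}),
    f"arn:aws:iam::{AUDITED_ACCOUNT}:role/SourceAccountOk":
        _trust("lambda.amazonaws.com", {"StringEquals": {"aws:SourceAccount": [AUDITED_ACCOUNT]}}),
    f"arn:aws:iam::{AUDITED_ACCOUNT}:role/SourceArnOk":
        _trust("lambda.amazonaws.com",
               {"ArnLike": {"aws:SourceArn": f"arn:aws:lambda:us-east-1:{AUDITED_ACCOUNT}:function:*"}}),
}


def run_check(roles=SAMPLE_ROLES, audited_account=AUDITED_ACCOUNT):
    """Map each role name to its status, the way a report row would."""
    return {arn.rsplit("/", 1)[-1]: evaluate_role(arn, policy, audited_account)[0]
            for arn, policy in roles.items()}


if __name__ == "__main__":
    for arn, policy in SAMPLE_ROLES.items():
        status, reason = evaluate_role(arn, policy, AUDITED_ACCOUNT)
        print(f"{status:4} {arn.rsplit('/', 1)[-1]}: {reason}")
```

The evaluator is deliberately strict: a condition that pins a different account, or more than one account, is reported as a failure alongside the missing-condition case, which is the situation a practitioner should rule out first when a role with a Condition block keeps failing. To try it on a real account, feed it the output of aws iam list-roles (the AssumeRolePolicyDocument field of each role) and the account ID of the credentials used for the scan.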

jfagoagas commented 1 year ago

Hi @awsnacho, were you able to try what @sergargar told you?

Thanks!

awsnacho commented 1 year ago

We did try several things without luck. For now it is assigned as a “False Positive” for the vulnerability management of the customer.

Thanks for your help.

Regards, Jose Arevalo, Security Consultant, AWS Professional Services

jfagoagas commented 1 year ago

@awsnacho Could you send us again the policy with the trust relationship for one of the failing IAM roles?

And please confirm that the issue is still present in your environment with the latest version of Prowler, which is 3.8.0.

Thanks!

jfagoagas commented 1 year ago

Hi @awsnacho we're closing this issue since we did not receive any response. Please feel free to reopen it if you are still having the issue.

Thanks for using Prowler 🚀