prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

[Bug]: Allowlist with checks for all accounts doesn't work for AWS Org management account #2742

Closed ivan-morhun closed 1 year ago

ivan-morhun commented 1 year ago

Steps to Reproduce

  1. prowler aws -w allowlist.yaml --config-file config.yaml -f us-west-2 -s iam -p master
  2. AWS
  3. Organization
  4. I want to ignore all iam_* findings in all regions except us-east-1, so I have a whitelist like:

Allowlist:
  Accounts:
    "*":
      Checks:
        "iam_*":
          Regions:
            - "eu-central-1"
            - "us-east-2"
            - "us-west-1"
            - "us-west-2"
          Resources:
            - "*"

Expected behavior

I expect that all IAM findings in all regions except us-east-1 will be ignored, like this

╭────────────┬───────────┬────────────┬────────────┬────────┬──────────┬───────╮
│ Provider   │ Service   │ Status     │   Critical │   High │   Medium │   Low │
├────────────┼───────────┼────────────┼────────────┼────────┼──────────┼───────┤
│ aws        │ iam       │ PASS (754) │          0 │      0 │        0 │     0 │
╰────────────┴───────────┴────────────┴────────────┴────────┴──────────┴───────╯

Actual Result with Screenshots or Logs

But I got this

╭────────────┬───────────┬───────────┬────────────┬────────┬──────────┬───────╮
│ Provider   │ Service   │ Status    │   Critical │   High │   Medium │   Low │
├────────────┼───────────┼───────────┼────────────┼────────┼──────────┼───────┤
│ aws        │ iam       │ FAIL (53) │          1 │     30 │       21 │     1 │
╰────────────┴───────────┴───────────┴────────────┴────────┴──────────┴───────╯

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

  1. Workstation

OS used

macOS

Prowler version

v3.8.2

Pip version

pip 22.0.4

Context

No response

jfagoagas commented 1 year ago

Hi @ivan-morhun, I don't know if I'm getting the issue you described right.

The allowlist feature is not aware if the AWS account is the management account since it is treated like another account.

Why are you assuming that all the IAM findings will be in the us-east-1 region? In the IAM service we just generate one Boto3 client using either the us-east-1 or your AWS profile, with preference given to the latter. If you execute the following command prowler --service iam --profile <your profile> --verbose what is the region shown for the findings?

In our test environments, using the management account role with the following allowlist, we get all the findings marked as WARNING:

Allowlist:
  Accounts:
    "*":
      Checks:
        "iam_*":
          Regions:
            - "us-east-1"
          Resources:
            - "*"

ivan-morhun commented 1 year ago

Hi @jfagoagas, thanks for the reply! As IAM is a global service, I don't want to have duplicates in our scan reports. Here is the part of the tool's output with the --verbose key: prowler aws -w allowlist.yaml --config-file config.yaml -f us-west-2 -s iam -p master --verbose

PASS us-west-2: AWS policy AWSOrganizationsServiceTrustPolicy is attached but does not allow '*:*' administrative privileges.
FAIL us-west-2: AWS policy AdministratorAccess is attached and allows '*:*' administrative privileges.
PASS us-west-2: AWS policy AmazonSSMManagedInstanceCore is attached but does not allow '*:*' administrative privileges.

I use the same allowlist file for all other accounts in our organization, and for all accounts this exception works fine. Today I tried to check the master account and it doesn't. In the profile I don't have a region option configured.

ivan-morhun commented 1 year ago

Sorry, I missed a bit that you asked to remove the region key. You are right that without the region key Prowler uses the us-east-1 region for the scan, but if I scan another region I don't want to see the same findings that I already have in the us-east-1 region.

PASS us-east-1: AWS policy AWSOrganizationsServiceTrustPolicy is attached but does not allow '*:*' administrative privileges.
FAIL us-east-1: AWS policy AdministratorAccess is attached and allows '*:*' administrative privileges.

For example, here is the output for another account with the same allowlist and the us-west-2 region:

WARNING us-west-2: AWS policy AWSSupportServiceRolePolicy is attached but does not allow '*:*' administrative privileges.
WARNING us-west-2: AWS policy AmazonEKSServicePolicy is attached but does not allow '*:*' administrative privileges.

╭────────────┬───────────┬────────────┬────────────┬────────┬──────────┬───────╮
│ Provider   │ Service   │ Status     │   Critical │   High │   Medium │   Low │
├────────────┼───────────┼────────────┼────────────┼────────┼──────────┼───────┤
│ aws        │ iam       │ PASS (187) │          0 │      0 │        0 │     0 │
╰────────────┴───────────┴────────────┴────────────┴────────┴──────────┴───────╯

jfagoagas commented 1 year ago

@ivan-morhun As a global service, if you scan IAM setting a specific region, you will see results coming from IAM for that region, so I think it's better not to use that flag for global services, or to include in the allowlist all the regions except the one you are using to scan IAM.

Working Case

Allowlist

Allowlist:
  Accounts:
    "*":
      Checks:
        "iam_*":
          Regions:
            - "us-east-1"
          Resources:
            - "*"

Prowler

Without any profile region, for IAM it'll use us-east-1:

prowler --service iam --profile master --verbose --allowlist-file allowlist.yaml

All findings will be marked as WARNING.

Non Working Case

Allowlist

Allowlist:
  Accounts:
    "*":
      Checks:
        "iam_*":
          Regions:
            - "us-east-1"
          Resources:
            - "*"

Prowler

prowler --service iam --profile master --verbose --allowlist-file allowlist.yaml --region eu-west-1

All findings won't be marked as WARNING since the report.region attribute is eu-west-1.

ivan-morhun commented 1 year ago

I found the issue on my side.

I have other rules in the allowlist and didn't show them here because there are many. And one of the rules was like this

        "cloudwatch_log_metric_filter_*":
          Regions:
            - "*"
          Resources:
            - "*"
          Exceptions:
            Accounts:
              - "111111111111"

Now I changed it to

        "cloudwatch_log_metric_filter_*":
          Regions:
            - "*"
          Resources:
            - "*"
          Exceptions:
            Accounts:
              - "111111111111"
            Regions:
              - "us-west-1"

where 111111111111 is the id of the master account. And now IAM findings are whitelisted. It looks a bit weird, since I didn't see the mandatory fields for the Exceptions block in the documentation. Thanks for your help!

jfagoagas commented 1 year ago

Hi @ivan-morhun I'm glad that I've helped you to fix the issue.

What is the weird part about the Exceptions block?

I understand that the cloudwatch_log_metric_filter_* rule is an example and is not the one that is not marking the IAM findings as WARNING right?

ivan-morhun commented 1 year ago

Weird that Regions is mandatory. If I already have a list of regions to exclude and scan some other region that is not in this list why should I add this region to the Exceptions block? An account is enough for me.

cloudwatch_log_metric_filter_* is one of the similar cloudwatch rules with the same Exceptions block. I modified all of them and now everything works.
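To make the two points of this thread concrete (a region-scoped iam_* rule only silences findings whose report region is in its Regions list, and an Exceptions block that lacks Regions is what broke the reporter's allowlist), here is an added example that is not Prowler's code: a small simplified matcher over the thread's allowlist, plus a lint that flags Exceptions blocks without Regions. The matching rules, the check ids and the 222222222222 account id are assumptions constructed for this example.

```python
import fnmatch

# Constructed allowlist mirroring the YAML in this thread, as a Python literal so
# it runs without PyYAML; 111111111111 is the thread's placeholder account id.
ALLOWLIST = {"Accounts": {"*": {"Checks": {
    "iam_*": {
        "Regions": ["eu-central-1", "us-east-2", "us-west-1", "us-west-2"],
        "Resources": ["*"],
    },
    "cloudwatch_log_metric_filter_*": {
        "Regions": ["*"],
        "Resources": ["*"],
        "Exceptions": {"Accounts": ["111111111111"], "Regions": ["us-west-1"]},
    },
}}}}

def _any_match(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowlisted(allowlist, account, check_id, region, resource):
    """Simplified model (an assumption, not Prowler's code): a finding is
    allowlisted when account, check, region and resource patterns all match,
    unless every list present in the rule's Exceptions block matches too."""
    for acct_pat, acct_rules in allowlist["Accounts"].items():
        if not fnmatch.fnmatchcase(account, acct_pat):
            continue
        for check_pat, rule in acct_rules["Checks"].items():
            if not fnmatch.fnmatchcase(check_id, check_pat):
                continue
            if not (_any_match(rule["Regions"], region)
                    and _any_match(rule["Resources"], resource)):
                continue  # e.g. an IAM finding reported in us-east-1 above
            exc = rule.get("Exceptions", {})
            seen = {"Accounts": account, "Regions": region, "Resources": resource}
            if exc and all(_any_match(exc[k], seen[k]) for k in exc):
                continue  # the exception cancels this rule for this finding
            return True
    return False

def exceptions_missing_regions(allowlist):
    """Lint: check patterns whose Exceptions block lacks a Regions list, the
    omission that broke allowlisting for the reporter in this thread."""
    missing = []
    for acct_rules in allowlist["Accounts"].values():
        for check_pat, rule in acct_rules["Checks"].items():
            exc = rule.get("Exceptions")
            if exc is not None and "Regions" not in exc:
                missing.append(check_pat)
    return missing
```

Run the lint over an allowlist before a scan to catch the missing Regions list, and use the matcher to preview which report regions a rule will actually silence.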

ivan-morhun commented 1 year ago

BTW, all other exceptions from the allowlist also didn't work, as well as iam_*.

ivan-morhun commented 1 year ago

@jfagoagas anyway thanks a lot for your help. Closing the issue.