Closed ivan-morhun closed 1 year ago
Hi @ivan-morhun, I don't know if I'm understanding the issue you described correctly.
The allowlist feature is not aware of whether the AWS account is the management account, since it is treated like any other account.
Why are you assuming that all the IAM findings will be in the us-east-1 region? In the IAM service we just generate one Boto3 client using either us-east-1 or your AWS profile, with preference given to the latter. If you execute the following command, what is the region shown for the findings?

```
prowler --service iam --profile <your profile> --verbose
```
In our test environments, using the management account role with the following allowlist we get all the findings marked as WARNING:

```yaml
Allowlist:
  Accounts:
    "*":
      Checks:
        "iam_*":
          Regions:
            - "us-east-1"
          Resources:
            - "*"
```
Hi @jfagoagas,
Thanks for the reply!
As IAM is a global service I don't want to have duplicates in our scan reports.
Here is the part of the tool's output with the --verbose key:

```
prowler aws -w allowlist.yaml --config-file config.yaml -f us-west-2 -s iam -p master --verbose
PASS us-west-2: AWS policy AWSOrganizationsServiceTrustPolicy is attached but does not allow '*:*' administrative privileges.
FAIL us-west-2: AWS policy AdministratorAccess is attached and allows '*:*' administrative privileges.
PASS us-west-2: AWS policy AmazonSSMManagedInstanceCore is attached but does not allow '*:*' administrative privileges.
```
I use the same allowlist file for all other accounts in our organization, and for all accounts this exception works fine. Today I tried to check the master account and it doesn't. In the profile I don't have a region option configured.
Sorry, I missed a bit that you asked to remove the region key. You are right that without the region key Prowler uses the us-east-1 region for the scan, but if I scan another region I don't want to see the same findings that I already have in the us-east-1 region.

```
PASS us-east-1: AWS policy AWSOrganizationsServiceTrustPolicy is attached but does not allow '*:*' administrative privileges.
FAIL us-east-1: AWS policy AdministratorAccess is attached and allows '*:*' administrative privileges.
```

For example, here is the output for another account with the same allowlist and the us-west-2 region:

```
WARNING us-west-2: AWS policy AWSSupportServiceRolePolicy is attached but does not allow '*:*' administrative privileges.
WARNING us-west-2: AWS policy AmazonEKSServicePolicy is attached but does not allow '*:*' administrative privileges.
╭────────────┬───────────┬────────────┬────────────┬────────┬──────────┬───────╮
│ Provider   │ Service   │ Status     │ Critical   │ High   │ Medium   │ Low   │
├────────────┼───────────┼────────────┼────────────┼────────┼──────────┼───────┤
│ aws        │ iam       │ PASS (187) │ 0          │ 0      │ 0        │ 0     │
╰────────────┴───────────┴────────────┴────────────┴────────┴──────────┴───────╯
```
@ivan-morhun As IAM is a global service, if you scan it setting a specific region you will see results coming from IAM for that region, so I think it's better not to use that flag for global services, or to include in the allowlist all the regions except the one you are using to scan IAM.
```yaml
Allowlist:
  Accounts:
    "*":
      Checks:
        "iam_*":
          Regions:
            - "us-east-1"
          Resources:
            - "*"
```

Without any profile region, for IAM it'll use us-east-1:

```
prowler --service iam --profile master --verbose --allowlist-file allowlist.yaml
```

All findings will be marked as WARNING.

```yaml
Allowlist:
  Accounts:
    "*":
      Checks:
        "iam_*":
          Regions:
            - "us-east-1"
          Resources:
            - "*"
```

```
prowler --service iam --profile master --verbose --allowlist-file allowlist.yaml --region eu-west-1
```

All findings won't be marked as WARNING, since the report.region attribute is eu-west-1.
I found the issue on my side.
I have other rules in the allowlist and didn't show them here because there are many. One of the rules was like this:

```yaml
"cloudwatch_log_metric_filter_*":
  Regions:
    - "*"
  Resources:
    - "*"
  Exceptions:
    Accounts:
      - "111111111111"
```

Now I changed it to:

```yaml
"cloudwatch_log_metric_filter_*":
  Regions:
    - "*"
  Resources:
    - "*"
  Exceptions:
    Accounts:
      - "111111111111"
    Regions:
      - "us-west-1"
```

where 111111111111 is the id of the master account.
And now IAM findings are whitelisted.
It looks a bit weird, as I didn't see the mandatory fields for the Exceptions block in the documentation.
Thanks for your help!
Hi @ivan-morhun, I'm glad that I've helped you to fix the issue.
What is the weird part about the Exceptions block?
I understand that the cloudwatch_log_metric_filter_* rule is an example and is not the one that is not marking the IAM findings as WARNING, right?
Weird that Regions is mandatory. If I already have a list of regions to exclude and scan some other region that is not in this list, why should I add this region to the Exceptions block? An account is enough for me.
cloudwatch_log_metric_filter_* is one of the similar CloudWatch rules with the same Exceptions block. I modified all of them and now everything works.
BTW, all other exceptions from the allowlist also didn't work, as well as iam_*.
@jfagoagas anyway, thanks a lot for your help. Closing the issue.
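To make the matching discussed in this thread concrete, the following is an added, illustrative allowlist matcher written for this page; it is not Prowler's code and does not claim to reproduce how Prowler 3.8.2 actually handled the Exceptions block. It takes the parsed form of the allowlist YAML posted above (constructed inline rather than read from a file), matches a finding's account, check, region and resource with shell-style wildcards, and treats any key missing from Exceptions as "match everything" (an assumption made for this example). The check ID `iam_aws_attached_policy_no_administrative_privileges` and the account IDs are constructed. It shows why the `iam_*` entry only mutes a finding whose region is us-east-1 (for the global IAM service that is simply the region the scan ran with, i.e. `report.region`), and that a per-check Exceptions block only carves findings out of its own check.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Parsed form of the allowlist YAML from this thread. Constructed inline
# (no file read) so the example runs stand-alone; the account ID and the
# cloudwatch rule's Exceptions block mirror what was posted above.
ALLOWLIST = {
    "Allowlist": {
        "Accounts": {
            "*": {
                "Checks": {
                    "iam_*": {
                        "Regions": ["us-east-1"],
                        "Resources": ["*"],
                    },
                    "cloudwatch_log_metric_filter_*": {
                        "Regions": ["*"],
                        "Resources": ["*"],
                        # Assumption for this example: Accounts alone is a valid
                        # Exceptions block and means "this account in any region".
                        "Exceptions": {"Accounts": ["111111111111"]},
                    },
                }
            }
        }
    }
}


@dataclass(frozen=True)
class Finding:
    """The four fields the allowlist is matched against. For a global service
    such as IAM, region is the region Prowler scanned with (report.region)."""
    account: str
    check: str
    region: str
    resource: str


def _any_match(patterns, value):
    # Shell-style wildcard match, case-sensitive so "*" and "iam_*" behave
    # the same on every OS.
    return any(fnmatchcase(value, p) for p in patterns)


def _is_excepted(exceptions, finding):
    """Return True if the finding falls under the rule's Exceptions block.
    A key absent from Exceptions is treated as matching anything (assumption)."""
    if not exceptions:
        return False
    for key, value in (("Accounts", finding.account),
                       ("Regions", finding.region),
                       ("Resources", finding.resource)):
        patterns = exceptions.get(key)
        if patterns is not None and not _any_match(patterns, value):
            return False
    return True


def is_allowlisted(allowlist, finding):
    """Walk Accounts -> Checks and report whether any rule mutes this finding.
    A rule applies only if account, check, region and resource all match and
    the finding is not carved out by that rule's own Exceptions."""
    for account_pattern, entry in allowlist["Allowlist"]["Accounts"].items():
        if not fnmatchcase(finding.account, account_pattern):
            continue
        for check_pattern, rule in entry["Checks"].items():
            if not fnmatchcase(finding.check, check_pattern):
                continue
            if not _any_match(rule["Regions"], finding.region):
                continue
            if not _any_match(rule["Resources"], finding.resource):
                continue
            if _is_excepted(rule.get("Exceptions"), finding):
                continue
            return True
    return False


def status(finding):
    """Mimic the console label: allowlisted findings are shown as WARNING."""
    return "WARNING" if is_allowlisted(ALLOWLIST, finding) else "FAIL"


if __name__ == "__main__":
    # Constructed check ID and account ID; the policy name is the one from the thread.
    master = "111111111111"
    iam_check = "iam_aws_attached_policy_no_administrative_privileges"
    for region in ("us-east-1", "us-west-2"):
        f = Finding(master, iam_check, region, "AdministratorAccess")
        print(f"{status(f)} {region}: {iam_check}")
```

Running it prints WARNING for the us-east-1 finding and FAIL for the us-west-2 one, which is the difference between scanning IAM without a region flag and scanning it with `-f us-west-2`. Because the cloudwatch rule's Exceptions block is only consulted once that rule's check pattern has matched, it cannot, in this matcher, influence whether an `iam_*` finding is muted.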
Steps to Reproduce
Expected behavior
I expect that all IAM findings in all regions except us-east-1 will be ignored, like this
Actual Result with Screenshots or Logs
But I got this
How did you install Prowler?
From pip package (pip install prowler)
Environment Resource
OS used: macOS
Prowler version: v3.8.2
Pip version: pip 22.0.4