prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0
10.53k stars 1.51k forks

iam_role_cross_service_confused_deputy_prevention remediation broke specific process #4714

Open migs017 opened 1 month ago

migs017 commented 1 month ago

Steps to Reproduce

  1. It isn't a command but a setup where CloudTrail will send logs to CloudWatch
  2. AWS environment
  3. Single account
  4. Error iam role last activity date

Expected behavior

Prowler recommends that, to remediate/prevent the confused deputy problem, we use either aws:SourceArn or aws:SourceAccount, or both. If the specific resource has been added in the condition, nothing should break in our process.

Actual Result with Screenshots or Logs

iam role last activity date: Prowler's solution works on some roles, but for the CloudTrail-to-CloudWatch process that a role handles, it breaks. We also encounter this in an IAM role that's assumed by AWS Transcoder when we add either aws:SourceArn or aws:SourceAccount, or both. Our process will stop working.

The exact trust relationship policy for the transcoder role:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "elastictranscoder.amazonaws.com",
          "transcribe.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": ""
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:elastictranscoder:::pipeline/example_pipeline",
            "arn:aws:elastictranscoder:::job/",
            "arn:aws:elastictranscoder:::preset/"
          ]
        }
      }
    }
  ]
}
```

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

Workstation

OS used

Windows

Prowler version

4.2.4

Pip version

pip 23.2.1

Context

We consulted AWS Support about the CloudTrail-to-CloudWatch process role, and they mention: "no documentation around which services do or do not support the aws:SourceArn or aws:SourceAccount condition keys because they're global condition keys and technically available to all services. The keys are supported in any situation where a service tries to access another service's resource with a call from their service principal. If it's not from a service principal, we don't expect those condition keys to be set."
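The two behaviours discussed in this issue can be modelled offline. The following is an added example written for this page, not Prowler's own check code and not the reporter's policy: it is a small trust-policy checker plus a toy IAM condition evaluator in Python (Prowler's language). It shows what iam_role_cross_service_confused_deputy_prevention looks for (a service-principal AssumeRole statement without aws:SourceArn / aws:SourceAccount) and the failure mode described above: when the calling service does not put those keys into the request context, a StringEquals/ArnLike condition on them does not match, so the statement no longer applies and the AssumeRole is denied. The account ID 111122223333, the trail ARNs and the `AllowCloudTrail` Sid are hypothetical sample values constructed for the example.

```python
"""Toy model of the cross-service confused-deputy condition on a role trust policy.

Added example; not Prowler's code. Account 111122223333 and the trail ARNs are
hypothetical. Only Allow statements and the StringEquals/StringLike/ArnEquals/
ArnLike operators (plus their IfExists variants) are modelled.
"""
import fnmatch

CONFUSED_DEPUTY_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def _as_list(value):
    """IAM accepts a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):  # "*" or a non-dict principal
        return []
    return _as_list(principal.get("Service", []))


def _is_assume_role_allow(statement):
    if statement.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action", []))}
    return bool(actions & {"sts:assumerole", "sts:*", "*"})


def find_unconstrained_service_statements(policy):
    """Sids of service-principal AssumeRole statements that carry neither key."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if not _is_assume_role_allow(stmt) or not _service_principals(stmt):
            continue
        cond_keys = {
            key.lower()
            for operator_values in stmt.get("Condition", {}).values()
            for key in operator_values
        }
        if not cond_keys & CONFUSED_DEPUTY_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def _condition_matches(operator, key, expected, context):
    """Evaluate one condition element against a lower-cased request context."""
    actual = context.get(key.lower())
    if actual is None:
        # Key absent from the request context: only ...IfExists operators match.
        return operator.endswith("IfExists")
    base = operator.replace("IfExists", "")
    patterns = _as_list(expected)
    if base in ("StringEquals", "ArnEquals"):
        return actual in patterns
    if base in ("StringLike", "ArnLike"):
        return any(fnmatch.fnmatchcase(actual, p) for p in patterns)
    raise ValueError(f"operator {operator} not modelled here")


def assume_role_allowed(policy, service, context):
    """True if `service` may sts:AssumeRole under `policy` for this request context.

    `context` maps condition keys (e.g. "aws:SourceArn") to the values the calling
    service supplied; an empty dict models a service that sets neither key.
    """
    ctx = {k.lower(): v for k, v in context.items()}
    for stmt in _as_list(policy.get("Statement", [])):
        if not _is_assume_role_allow(stmt) or service not in _service_principals(stmt):
            continue
        if all(
            _condition_matches(op, key, expected, ctx)
            for op, kv in stmt.get("Condition", {}).items()
            for key, expected in kv.items()
        ):
            return True  # first matching Allow wins; Deny statements not modelled
    return False


# Constructed sample policies (hypothetical account and trail).
CLOUDTRAIL = "cloudtrail.amazonaws.com"
ACCOUNT = "111122223333"

UNCONSTRAINED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudTrail",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL},
        "Action": "sts:AssumeRole",
    }],
}

CONSTRAINED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudTrail",
        "Effect": "Allow",
        "Principal": {"Service": CLOUDTRAIL},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ACCOUNT},
            "ArnLike": {"aws:SourceArn": f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"},
        },
    }],
}

if __name__ == "__main__":
    print("findings, unconstrained:", find_unconstrained_service_statements(UNCONSTRAINED))
    print("findings, constrained:", find_unconstrained_service_statements(CONSTRAINED))
    own = {"aws:SourceAccount": ACCOUNT,
           "aws:SourceArn": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/prod"}
    print("own trail, keys set:", assume_role_allowed(CONSTRAINED, CLOUDTRAIL, own))
    print("keys absent from request:", assume_role_allowed(CONSTRAINED, CLOUDTRAIL, {}))
```

Running it shows the checker flagging only the unconstrained statement, the constrained policy admitting a request that carries the expected account and trail ARN, rejecting one from another account, and, the case this issue is about, rejecting a request in which the service supplied neither key. The practical check before applying the remediation is therefore whether the service that assumes the role actually sets aws:SourceArn / aws:SourceAccount for that call path; if it does not, adding the condition breaks the integration rather than hardening it.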

sergargar commented 1 month ago

Hi @migs017, thanks for reaching out to us! This Prowler check was done regarding this official documentation. From what I understood, both roles that are either assumed by CloudTrail or Transcoder break when aws:SourceAccount or aws:SourceArn are set?

migs017 commented 1 month ago

Hey @sergargar, yup, that's right.

sergargar commented 1 month ago

"The keys are supported in any situation where a service tries to access another service's resource with a call from their service principal."

Is that your situation @migs017 ?

migs017 commented 1 month ago

Hmm, I don't think so. For example, in the CloudTrail role the condition is aws:SourceArn : . That means it's the same service resource from the service principal that I'm trying to allow to assume the role, right?