prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

Confused Deputy Attack finding for AWS EKS service #4745

Open woodyweaver opened 4 weeks ago

woodyweaver commented 4 weeks ago

Steps to Reproduce

Run scan, inspect finding.

Expected behavior

I want Prowler to detect defects in configuration, and it does an excellent job on this front. However, I'm getting a "confused deputy" finding on our AWS EKS cluster role. The remediation guidance suggests following AWS guidance, to include "aws:SourceAccount" and/or "aws:SourceArn" condition keys. This was not successful. Opening a ticket with AWS produced language from Omar M.:

You mentioned that you were following the AWS recommendations by adding the "aws:SourceAccount" and "aws:SourceArn" condition keys and that you were still getting the error. I was able to reproduce this similar issue from my end as well, and I have checked and verified with our internal team that as of now the EKS service does not support these conditions to prevent cross-account confused deputy attacks. Also, currently there is no other condition that you can use. It seems that there is currently no way to get around this finding for your use case (with EKS).

I reached out to our service team to provide this feedback, but as a support engineer I do not have any ETA on when EKS will provide support for these conditions. I was able to find an active feature request to add support for these conditions. I have gone ahead and added a +1 and added your case to the request in support of it. Unfortunately, I do not have any ETA for when/if this feature will be released. However, I do recommend keeping an eye on the AWS What's New page [2] and AWS News Blog [3] for information on new feature releases.

I think it would be helpful to add an explanation to the finding guidance that it is not possible (according to AWS) to clear the finding using the AWS guidance.

Actual Result with Screenshots or Logs

Screenshot from 2024-08-14 15-17-46

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

EC2 instance

OS used

RHEL 9

Prowler version

Prowler 4.3.1 (latest is 4.3.3, upgrade for the latest features)

Pip version

pip 21.2.3 from /usr/lib/python3.9/site-packages/pip (python 3.9)

Context

No response

puchy22 commented 3 weeks ago

Hi @woodyweaver,

I will add a note in the finding's metadata to indicate that the AWS guidance involving aws:SourceAccount and aws:SourceArn conditions is not applicable to EKS, as confirmed by AWS. This will clarify that there is currently no way to clear the finding for EKS.

In the meantime, you could mute the finding using the Prowler mutelist since it's not remediable for now. I'll make a PR to address this soon. Thanks for your suggestion and for using Prowler! 🚀

Update: Here is the PR with the changes; please let me know if it fits the case or needs some improvement. I look forward to your response, thanks for everything.
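As an added illustration of the mutelist workaround mentioned above (this is not code from the issue or from the Prowler project), a mutelist entry that silences the confused-deputy finding for one specific role only. The account id and role name are placeholders, and the check id is the one I believe Prowler uses for this finding; confirm it with `prowler aws --list-checks` before relying on it.

```yaml
# mutelist.yaml (constructed example; values below are placeholders)
Mutelist:
  Accounts:
    "123456789012":                 # AWS account that owns the EKS cluster role
      Checks:
        # assumed check id for the cross-service confused deputy finding
        "iam_role_cross_service_confused_deputy_prevention":
          Regions:
            - "*"                   # IAM roles are global, so no region filter
          Resources:
            # anchored regex on the role name: only this role is muted,
            # every other role still surfaces the finding
            - "^my-eks-cluster-role$"
```

Pass the file with `prowler aws -w mutelist.yaml`; scoping the entry to the single EKS role keeps the check active for roles where the SourceAccount/SourceArn conditions are actually supported.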