Steps to Reproduce
There are various AWS checks that currently only consider "Custom" policies:
iam_policy_no_full_access_to_cloudtrail
iam_policy_no_full_access_to_kms
iam_policy_allows_privilege_escalation
To reproduce,
Create an inline policy allowing full access to CloudTrail
Run prowler aws
Notice that prowler does not flag the full access CloudTrail policy as an issue.
Expected behavior
I expected overprivileged inline policies to be flagged by Prowler.
These checks should treat inline and custom policies identically. From a security POV, there is no practical distinction between custom policies and inline policies.
Actual Result with Screenshots or Logs
n/a
How did you install Prowler?
Cloning the repository from github.com (git clone)
Environment Resource
Local development environment
OS used
macOS
Prowler version
Prowler 4.1.0 (You are running the latest version, yay!)
Pip version
n/a
Context
No response
@jfagoagas I was thinking about how to address this shortcoming myself.
It is straightforward to extend the existing checks to also cover "Inline" policies, but it seems like in general, Prowler aims to separate checks for custom policies from checks for inline policies (e.g. iam_inline_policy_no_administrative_privileges vs. iam_customer_attached_policy_no_administrative_privileges).
If I wanted to create a separate check just for inline policies, I'd have to duplicate a lot of code for iam_policy_allows_privilege_escalation and introduce quite a bit of maintenance overhead.
Hi @rieck-srlabs I think with the current approach we should create new checks for the inline policies. Regarding the iam_inline_policy_allows_privilege_escalation I think there is no need to duplicate code:
The same goes for the business-logic code: it can be moved to another file and called from the checks, passing the required arguments and returning the objects needed to verify the result in the check and generate a finding.
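As an added example of the shared-logic approach described above (this is not Prowler's own code), the following Python keeps the policy-evaluation routine in one function and feeds it both an inline and a customer managed policy, so an inline check and a custom-policy check need no duplicated logic; the policy documents, policy names and the `(kind, name, document)` tuple shape are constructed for illustration.

```python
# Added example (not Prowler's code): one shared evaluation routine used by
# both an "inline policy" check and a "customer managed policy" check.
import fnmatch


def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_grants_full_access(policy_doc: dict, service: str) -> bool:
    """True if any Allow statement grants every action of `service` on all
    resources, e.g. Action "cloudtrail:*" (or "*", or "cloud*") with
    Resource "*". Explicit Deny statements are not evaluated here."""
    target = f"{service.lower()}:*"
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive; "*" in the action is a
            # glob, so the pattern must cover the whole "<service>:*" space.
            if fnmatch.fnmatchcase(target, action.lower()):
                return True
    return False


def run_full_access_check(policies, service):
    """Shared check body. `policies` is a list of (kind, name, document)
    tuples as a check would collect them from IAM (constructed here)."""
    findings = []
    for kind, name, doc in policies:
        status = "FAIL" if policy_grants_full_access(doc, service) else "PASS"
        findings.append((kind, name, status))
    return findings


# Constructed sample: an inline user policy and a customer managed policy that
# both grant cloudtrail:* on everything, plus a scoped read-only policy.
FULL_CLOUDTRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["cloudtrail:LookupEvents", "cloudtrail:Get*"],
    "Resource": "*"}}
SAMPLE_POLICIES = [
    ("inline", "user/alice:ct-admin", FULL_CLOUDTRAIL),
    ("customer-managed", "policy/CloudTrailAdmin", FULL_CLOUDTRAIL),
    ("customer-managed", "policy/CloudTrailReader", READ_ONLY),
]

if __name__ == "__main__":
    for kind, name, status in run_full_access_check(SAMPLE_POLICIES, "cloudtrail"):
        print(f"{status} {kind:16} {name}")
```

Both the inline and the customer managed copy of the same document produce a FAIL, which is the behaviour the issue asks for.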