This repository has been archived by the owner on Sep 17, 2021. It is now read-only.

Feature Request: Expand IAM Policies sensitive action list #361

Closed
scriptsrc opened this issue Jun 8, 2016 · 1 comment

Comments

@scriptsrc
Contributor

Currently security_monkey has explicit checks for these actions in an IAM policy:

ec2:AuthorizeSecurityGroupEgress
ec2:AuthorizeSecurityGroupIngress
iam:*
iam:passrole

Other actions should be added like certain KMS and CloudTrail permissions. Also, things like iam:putrolepolicy, iam:deleterolepolicy, rds:modifydbparametergroup, etc.

Read-only iam access should be removed or have its score lowered. (def library_check_iamobj_has_iam_privileges - https://github.com/Netflix/security_monkey/blob/master/security_monkey/auditors/iam/iam_policy.py#L106 )
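As an added illustration of the check this issue is asking for (my own code, not security_monkey's auditor), the function below scores each Allow action in a policy document against a sensitive-action list, expands `iam:*` and bare `*` the way IAM does, and reports read-only IAM (`iam:Get*`/`iam:List*`) at a lowered score; the KMS/CloudTrail entries and all score values are assumptions made for the example.

```python
import fnmatch
import json

# Actions the issue lists plus those it proposes adding; the KMS/CloudTrail entries
# are my picks for the "certain ... permissions" it names. Scores are constructed.
SENSITIVE_ACTIONS = {
    "ec2:authorizesecuritygroupegress": 5,
    "ec2:authorizesecuritygroupingress": 5,
    "iam:passrole": 10,
    "iam:putrolepolicy": 10,
    "iam:deleterolepolicy": 10,
    "rds:modifydbparametergroup": 5,
    "kms:schedulekeydeletion": 8,
    "cloudtrail:stoplogging": 8,
}
READ_ONLY_IAM = ("iam:get*", "iam:list*")  # still reported, at a lowered score of 1

def _as_list(value):
    """IAM accepts a single string/object wherever it accepts a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def score_action(action):
    """AWS matches action names case-insensitively and treats '*' as a glob, so
    the entry is lowercased and globbed over the list: 'iam:*' or '*' hit all IAM."""
    pattern = action.lower()
    hits = sorted(a for a in SENSITIVE_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    if hits:
        return max(SENSITIVE_ACTIONS[a] for a in hits), hits
    if any(fnmatch.fnmatchcase(pattern, ro) for ro in READ_ONLY_IAM):
        return 1, ["read-only iam"]
    return 0, []

def audit_policy(policy_doc):
    """Return [(statement_index, action, score, hits)] for sensitive actions in
    Allow statements. NotAction, Resource and Condition are ignored here."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_doc).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            score, hits = score_action(action)
            if score:
                findings.append((i, action, score, hits))
    return findings

# Constructed sample: a wildcard IAM grant, a harmless S3 read, read-only IAM, a Deny.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]})
```

Running `audit_policy(SAMPLE_POLICY)` reports the `iam:*` grant at the top score because it expands to PassRole and the role-policy writes, and `iam:ListRoles` at score 1.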

@scriptsrc
Contributor Author

This has been completed in #856.

PolicyUniverse is pulling action categories from the AWS Console. Sensitive permissions are those with AWS's "Permissions" group. A similar issue is raised for DataPlaneWriteAccess on sensitive services.
