This repository has been archived by the owner on Sep 17, 2021. It is now read-only.

Robertoriv feature/check assume role from unknown #485

Merged

Conversation

scriptsrc
Collaborator

This PR extends #478.

It adds minor fixes. @robertoriv - Could you review my changes?

I had to remove one of the self.i_am_singular lines and replace it with a hardcoded "IAM Role" because the nested method definitions could not access self. (Scope issue?)

I'll try to merge this by Tuesday.

@coveralls

Coverage Status

Coverage decreased (-0.2%) to 51.386% when pulling 4e4fd6a on robertoriv-feature/check_assume_role_from_unknown into 198ed04 on develop.

@robertoriv
Contributor

@MonkeySecurity, ran some quick tests.

2017-01-03 11:28:14,065 DEBUG: Saving NEW issue IAMRoleAuditor -- IAM Role allows assume-role from an Unknown Account (<first_test_account>) -- {"Action": "sts:AssumeRole", "Sid": "", "Effect": "Allow", "Principal": {"AWS": ["*", "arn:aws:iam::<first_test_account>:root", "arn:aws:iam::<second_test_account>:root"]}} -- 10 -- [] ...
2017-01-03 11:28:14,066 DEBUG: Saving NEW issue IAMRoleAuditor -- IAM Role allows assume-role from an Unknown Account (<second_test_account>) -- {"Action": "sts:AssumeRole", "Sid": "", "Effect": "Allow", "Principal": {"AWS": ["*", "arn:aws:iam::<first_test_account>:root", "arn:aws:iam::<second_test_account>:root"]}} -- 10 -- [] ...
2017-01-03 11:28:14,066 DEBUG: Saving NEW issue IAMRoleAuditor -- IAM Role has iam:PassRole privileges. -- {"Action": ["iam:PassRole"], "Resource": ["*"], "Effect": "Allow", "Sid": "Stmt1483463973000"} -- 9 -- [] ...
2017-01-03 11:28:14,066 DEBUG: Saving NEW issue IAMRoleAuditor -- IAM Role has IAM privileges. -- {"Action": ["iam:AddUserToGroup"], "Resource": ["*"], "Effect": "Allow", "Sid": "Stmt1483463935000"} -- 9 -- [] ...
2017-01-03 11:28:14,066 DEBUG: Saving NEW issue IAMRoleAuditor -- IAM Role has full IAM privileges. -- {"Action": ["iam:*"], "Resource": ["*"], "Effect": "Allow", "Sid": "Stmt1483463880000"} -- 10 -- [] ...
2017-01-03 11:28:14,066 DEBUG: Saving NEW issue IAMRoleAuditor -- IAM Role contains NotAction. -- "iam:*" -- 10 -- [] ...
2017-01-03 11:28:14,066 DEBUG: Saving NEW issue IAMRoleAuditor -- IAM Role can change security groups. -- ec2:AuthorizeSecurityGroupIngress -- 7 -- [] ...
2017-01-03 11:28:14,067 DEBUG: Saving NEW issue IAMRoleAuditor -- IAM Role allows assume-role from anyone -- {"Action": "sts:AssumeRole", "Sid": "", "Effect": "Allow", "Principal": {"AWS": ["*", "arn:aws:iam::<first_test_account>:root", "arn:aws:iam::<second_test_account>:root"]}} -- 10 -- [] ...

👍 LGTM
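The trust-policy check whose test output is quoted above, as an added Python example that is not the project's own code: it walks a role's assume-role policy document, flags a `*` principal as "anyone" and any AWS principal whose account id is not in a caller-supplied set of known accounts. The sample policy, the `KNOWN_ACCOUNTS` set and the account ids in it are constructed placeholders, and the ARN regex is my own assumption about the `arn:aws:iam::ACCOUNT:...` form.

```python
import json
import re

# Constructed sample trust policy, shaped like the one in the test log above.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["*",
                              "arn:aws:iam::111111111111:root",
                              "arn:aws:iam::222222222222:root"]},
    }],
})

# Hypothetical set of account ids the organisation owns (placeholder values).
KNOWN_ACCOUNTS = {"111111111111"}

# Assumed ARN form: arn:aws:iam::<12-digit account id>:<resource>
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, known_accounts):
    """Return (message, score) findings for Allow statements granting
    sts:AssumeRole to the world or to an account outside known_accounts."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or a dict; only AWS principals
        # are account-bearing, so Service/Federated entries are ignored here.
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*":
                findings.append(("IAM Role allows assume-role from anyone", 10))
                continue
            match = ARN_ACCOUNT_RE.match(p)
            account = match.group(1) if match else None
            if account not in known_accounts:
                findings.append(("IAM Role allows assume-role from an Unknown Account (%s)" % (account or p), 10))
    return findings
```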

@scriptsrc scriptsrc merged commit 0ef6596 into develop Jan 4, 2017
@scriptsrc scriptsrc mentioned this pull request Jan 13, 2017
@scriptsrc scriptsrc deleted the robertoriv-feature/check_assume_role_from_unknown branch February 17, 2017 15:59