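rules:
  - id: no-iam-priv-esc-roles
    # Flags IAM policy statements written in Terraform (HCL) whose action list
    # grants, in a single statement, a group of actions that together form a
    # known privilege-escalation path (see metadata.references).
    #
    # Detection scope, as written:
    #   - only statements whose Action / actions value is a list literal
    #     containing the exact action strings below are matched; wildcard
    #     actions such as "*" or "iam:*" are not recognised;
    #   - every action of a group must appear in the same list ($ACTION is
    #     bound once per statement), so a group split across several
    #     statements or policies is not detected;
    #   - statements with Effect / effect = "Deny" are excluded.
    patterns:
      - pattern-either:
          # Inline policies: policy = jsonencode({ Statement = [ {...}, ... ] })
          - patterns:
              - pattern-inside: |
                  resource $TYPE "..." {
                    ...
                    policy = jsonencode({
                      ...
                      Statement = [
                        ...
                      ]
                      ...
                    })
                    ...
                  }
              # Scoped to the Deny statement object itself so that an Allow
              # statement elsewhere in the same policy is still inspected
              # (mirrors the per-statement exclusion of the data-source branch).
              - pattern-not-inside: |
                  {... Effect = "Deny" ...}
              - pattern: |
                  Action = $ACTION
              - metavariable-pattern:
                  metavariable: $TYPE
                  pattern-either:
                    - pattern: |
                        "aws_iam_role_policy"
                    - pattern: |
                        "aws_iam_policy"
                    - pattern: |
                        "aws_iam_user_policy"
                    - pattern: |
                        "aws_iam_group_policy"
          # Policies assembled from a data source: statement { actions = [...] }
          - patterns:
              - pattern-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                    }
                    ...
                  }
              - pattern-not-inside: |
                  data aws_iam_policy_document "..." {
                    ...
                    statement {
                      ...
                      effect = "Deny"
                      ...
                    }
                    ...
                  }
              - pattern: |
                  actions = $ACTION
      # Each `patterns` entry below is one action group; all of its actions
      # must be present in the single list bound to $ACTION for a finding.
      - metavariable-pattern:
          metavariable: $ACTION
          pattern-either:
            # TODO: this is a hack because generic currently doesn't work with [..., $ACTION, ...]
            # we will replace this once full support for terraform gets released.
            - patterns:
                - pattern: |
                    [..., "sts:AssumeRole", ...]
                - pattern: |
                    [..., "iam:UpdateAssumeRolePolicy", ...]
            - patterns:
                - pattern: |
                    [..., "iam:PassRole", ...]
                - pattern: |
                    [..., "lambda:CreateFunction", ...]
                - pattern: |
                    [..., "lambda:InvokeFunction", ...]
            - patterns:
                - pattern: |
                    [..., "iam:PassRole", ...]
                - pattern: |
                    [..., "lambda:CreateFunction", ...]
                - pattern: |
                    [..., "lambda:CreateEventSourceMapping", ...]
                # Written in the same list form as the other actions of this
                # group, so all four are required in the same action list.
                - pattern: |
                    [..., "lambda:UpdateFunctionCode", ...]
            - patterns:
                - pattern: |
                    [..., "iam:PassRole", ...]
                - pattern: |
                    [..., "glue:CreateDevEndpoint", ...]
            - patterns:
                - pattern: |
                    [..., "iam:PassRole", ...]
                - pattern: |
                    [..., "cloudformation:CreateStack", ...]
            - patterns:
                - pattern: |
                    [..., "iam:PassRole", ...]
                - pattern: |
                    [..., "datapipeline:CreatePipeline", ...]
                - pattern: |
                    [..., "datapipeline:PutPipelineDefinition", ...]
    message: >-
      Ensure that groups of actions that include iam:PassRole and could result in privilege escalation
      are not all allowed for the same user. These actions could result in an attacker gaining full admin
      access of an AWS account. Try not to use these actions in conjunction.
    metadata:
      references:
        - https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/
        - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
      category: security
      cwe:
        - 'CWE-269: Improper Privilege Management'
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      technology:
        - terraform
        - aws
      owasp:
        - A04:2021 - Insecure Design
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
    languages: [hcl]
    severity: WARNING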