From 70fbf1676a4c9c6082754b77671de2c9b7c1490c Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Fri, 22 Sep 2023 12:59:10 +0200
Subject: [PATCH] fix(iam_inline_policy_no_administrative_privileges): set resource id as the entity name (#2820)

---
 ...iam_inline_policy_no_administrative_privileges.py | 2 +-
 prowler/providers/aws/services/iam/iam_service.py | 5 +++++
 ...nline_policy_no_administrative_privileges_test.py | 12 ++++++------
 tests/providers/aws/services/iam/iam_service_test.py | 3 +++
 4 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py b/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
index 5c6c5190bb..ca92514d79 100644
--- a/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
+++ b/prowler/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges.py
@@ -10,7 +10,7 @@ def execute(self) -> Check_Report_AWS:
 report = Check_Report_AWS(self.metadata())
 report.region = iam_client.region
 report.resource_arn = policy.arn
- report.resource_id = policy.name
+ report.resource_id = policy.entity
 report.resource_tags = policy.tags
 report.status = "PASS"
 report.status_extended = f"{policy.type} policy {policy.name} for IAM identity {policy.arn} does not allow '*:*' administrative privileges."
diff --git a/prowler/providers/aws/services/iam/iam_service.py b/prowler/providers/aws/services/iam/iam_service.py
index 6ac5a1268e..a02eabf397 100644
--- a/prowler/providers/aws/services/iam/iam_service.py
+++ b/prowler/providers/aws/services/iam/iam_service.py
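Review bot: With `report.resource_id = policy.entity`, every inline policy attached to the same IAM identity now yields a finding whose `resource_id` and `resource_arn` are identical (the identity's name and ARN, per the `entity=user.name` / `arn=user.arn` construction in iam_service.py), so several inline policies on one user, group or role are distinguishable only through `status_extended`. If any output writer or deduplication step keys findings on `resource_id`/`resource_arn`, those per-policy results would collapse into one; that should be confirmed before relying on this change, and a short comment such as `# resource_id is the owning identity, not the inline policy; the policy name lives in status_extended` would make the intent explicit to the next reader. The hunk shows only the PASS branch of `execute`; the function body continues outside it.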
@@ -398,6 +398,7 @@ def __list_inline_user_policies__(self):
 Policy(
 name=policy,
 arn=user.arn,
+ entity=user.name,
 type="Inline",
 attached=True,
 version_id="v1",
@@ -438,6 +439,7 @@ def __list_inline_group_policies__(self):
 Policy(
 name=policy,
 arn=group.arn,
+ entity=group.name,
 type="Inline",
 attached=True,
 version_id="v1",
@@ -478,6 +480,7 @@ def __list_inline_role_policies__(self):
 Policy(
 name=policy,
 arn=role.arn,
+ entity=role.name,
 type="Inline",
 attached=True,
 version_id="v1",
@@ -536,6 +539,7 @@ def __list_policies__(self, scope):
 Policy(
 name=policy["PolicyName"],
 arn=policy["Arn"],
+ entity=policy["PolicyId"],
 version_id=policy["DefaultVersionId"],
 type="Custom" if scope == "Local" else "AWS",
 attached=True
@@ -714,6 +718,7 @@ class Certificate(BaseModel):
 class Policy(BaseModel):
 name: str
 arn: str
+ entity: str
 version_id: str
 type: str
 attached: bool
diff --git a/tests/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges_test.py b/tests/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges_test.py
index 7ab4595196..4e9566e111 100644
--- a/tests/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges_test.py
+++ b/tests/providers/aws/services/iam/iam_inline_policy_no_administrative_privileges/iam_inline_policy_no_administrative_privileges_test.py
@@ -128,7 +128,7 @@ def test_groups_admin_inline_policy(self):
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == group_arn
- assert results[0].resource_id == policy_name
+ assert results[0].resource_id == group_name
 assert results[0].resource_tags == []
 assert results[0].status == "FAIL"
 assert (
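Review bot: `entity=policy["PolicyId"]` in `__list_policies__` gives the new field a different meaning than the three inline hunks above it: for inline policies `entity` is the name of the owning user, group or role, while for managed policies it is the policy's own ID. A check that copies `policy.entity` into `resource_id` without first filtering on `policy.type` would therefore mix identity names and policy IDs in the same column, and nothing on the `Policy` model records which one to expect. Documenting the contract on the model field, e.g. `entity: str  # inline: name of the owning user/group/role; managed: the policy's PolicyId`, would make that explicit; the enclosing `__list_policies__` body runs outside the hunk.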
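Review bot: `entity: str` is added to the pydantic `Policy` model as a required field with no default, so any `Policy(...)` construction site that was not updated in this commit will now fail validation at runtime rather than at import time. The diff updates four construction sites in iam_service.py; if there are others in that file (the hunk does not show the whole module), either update them too or declare the field with a default, e.g. `entity: Optional[str] = None`, so the service keeps working for policies whose owning entity is not known. The `Policy` class continues beyond the hunk.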
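Review bot: The updated assertion `assert results[0].resource_id == group_name` only detects a regression back to `policy.name` if the fixture's `group_name` and `policy_name` hold different strings; the hunk does not show where they are defined, so that should be confirmed, since equal values would make the old and new assertions interchangeable. The same applies to the `role_name` and `user_name` assertions in the hunks at -172, -316, -363, -507 and -553 of the same test file. Each test function extends beyond its hunk.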
@@ -172,7 +172,7 @@ def test_groups_no_admin_inline_policy(self):
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == group_arn
- assert results[0].resource_id == policy_name
+ assert results[0].resource_id == group_name
 assert results[0].resource_tags == []
 assert results[0].status == "PASS"
 assert (
@@ -316,7 +316,7 @@ def test_roles_admin_inline_policy(self):
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == role_arn
- assert results[0].resource_id == policy_name
+ assert results[0].resource_id == role_name
 assert results[0].resource_tags == []
 assert results[0].status == "FAIL"
 assert (
@@ -363,7 +363,7 @@ def test_roles_no_admin_inline_policy(self):
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == role_arn
- assert results[0].resource_id == policy_name
+ assert results[0].resource_id == role_name
 assert results[0].resource_tags == []
 assert results[0].status == "PASS"
 assert (
@@ -507,7 +507,7 @@ def test_users_admin_inline_policy(self):
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == user_arn
- assert results[0].resource_id == policy_name
+ assert results[0].resource_id == user_name
 assert results[0].resource_tags == []
 assert results[0].status == "FAIL"
 assert (
@@ -553,7 +553,7 @@ def test_users_no_admin_inline_policy(self):
 assert len(results) == 1
 assert results[0].region == AWS_REGION
 assert results[0].resource_arn == user_arn
- assert results[0].resource_id == policy_name
+ assert results[0].resource_id == user_name
 assert results[0].resource_tags == []
 assert results[0].status == "PASS"
 assert (
diff --git a/tests/providers/aws/services/iam/iam_service_test.py b/tests/providers/aws/services/iam/iam_service_test.py
index 105d11a2b6..44f581220c 100644
--- a/tests/providers/aws/services/iam/iam_service_test.py
+++ b/tests/providers/aws/services/iam/iam_service_test.py
@@ -818,6 +818,7 @@ def test__list_inline_user_policies__(self):
 type="Inline",
 attached=True,
 document=INLINE_POLICY_NOT_ADMIN,
+ entity=user_name,
 )

 # Test IAM Group Inline Policy
@@ -861,6 +862,7 @@ def test__list_inline_group_policies__(self):
 type="Inline",
 attached=True,
 document=INLINE_POLICY_NOT_ADMIN,
+ entity=group_name,
 )

 # Test IAM Role Inline Policy
@@ -906,4 +908,5 @@ def test__list_inline_role_policies__(self):
 type="Inline",
 attached=True,
 document=INLINE_POLICY_NOT_ADMIN,
+ entity=role_name,
 )
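Review bot: The expected `Policy(...)` objects for the three inline listings gain `entity=...`, but no expectation is added for `__list_policies__`, whose hunk in iam_service.py now sets `entity=policy["PolicyId"]`; if the corresponding service test compares whole `Policy` objects it is now out of date, and if it only checks selected fields the managed-policy value of `entity` is untested. Adding an assertion in that test along the lines of `assert policy.entity == <PolicyId of the policy created by the test>` would pin the managed-policy path as well. The same gap applies to all three hunks here, and each test function extends outside its hunk.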