
feat(iam): add new check iam_role_administratoraccess_policy #2822

Merged
merged 21 commits into from
Sep 12, 2023

Conversation

kagahd
Contributor

@kagahd kagahd commented Sep 11, 2023

Context

The existing check iam_aws_attached_policy_no_administrative_privileges was not appropriate for us because it only lists the resource that the check was running on, in this case all "*:*" open policies such as the AWS managed policy AdministratorAccess, and not every role to which such a policy is attached.
However, we have some company-wide roles in place to which the AdministratorAccess policy is attached for good reasons. In order to be able to allowlist these roles, I wrote the new check iam_role_administratoraccess_policy.

Description

The new check iam_role_administratoraccess_policy fails for roles that have the AdministratorAccess policy attached. The check reports the role name so you may allowlist specific roles.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
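The difference between the policy-centric check and the new role-centric one, as an added example that is not part of this PR or of Prowler's own code: the `Policy`, `Role` and `Finding` dataclasses, the sample inventory and the allowlist semantics (FAIL downgraded to WARNING) are all assumptions made for this illustration; only the AdministratorAccess ARN is the real AWS managed-policy ARN.

```python
"""Added example (not Prowler's code): a policy-level "*:*" check reports the
policy ARN, so a role that legitimately carries AdministratorAccess cannot be
allowlisted by name; a role-level check reports the role name, which can."""

from dataclasses import dataclass, field

# Real ARN of the AWS managed policy; everything else below is constructed.
ADMINISTRATOR_ACCESS_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


@dataclass
class Policy:
    arn: str
    document: dict  # IAM policy document (constructed samples further down)


@dataclass
class Role:
    name: str
    attached_policy_arns: list[str] = field(default_factory=list)


@dataclass
class Finding:
    check_id: str
    resource_id: str   # the value an allowlist entry has to match
    status: str        # "PASS" / "FAIL" / "WARNING"
    status_extended: str


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def is_full_admin(document):
    """True if any Allow statement grants Action "*" on Resource "*" (a "*:*" policy)."""
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False


def check_policy_no_administrative_privileges(policies):
    """Policy-centric: one finding per policy; resource_id is the policy ARN."""
    findings = []
    for policy in policies:
        admin = is_full_admin(policy.document)
        findings.append(Finding(
            "iam_aws_attached_policy_no_administrative_privileges", policy.arn,
            "FAIL" if admin else "PASS",
            f"Policy {policy.arn} {'allows' if admin else 'does not allow'} '*:*' administrative privileges.",
        ))
    return findings


def check_role_administratoraccess_policy(roles):
    """Role-centric: one finding per role; resource_id is the role name."""
    findings = []
    for role in roles:
        attached = ADMINISTRATOR_ACCESS_ARN in role.attached_policy_arns
        findings.append(Finding(
            "iam_role_administratoraccess_policy", role.name,
            "FAIL" if attached else "PASS",
            f"Role {role.name} {'has' if attached else 'does not have'} AdministratorAccess policy attached.",
        ))
    return findings


def apply_allowlist(findings, allowlisted_resource_ids):
    """Assumed allowlist semantics for this example: an allowlisted FAIL becomes a WARNING
    so it stays visible but does not count as a failure."""
    return [
        Finding(f.check_id, f.resource_id,
                "WARNING" if f.status == "FAIL" and f.resource_id in allowlisted_resource_ids else f.status,
                f.status_extended)
        for f in findings
    ]


def statuses(findings):
    """Map resource_id -> status, convenient for reporting and for the checks below."""
    return {f.resource_id: f.status for f in findings}


# Constructed sample inventory: one "*:*" managed policy, one scoped customer policy,
# and three roles, one of which is an approved company-wide admin role.
SAMPLE_POLICIES = [
    Policy(ADMINISTRATOR_ACCESS_ARN,
           {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    Policy("arn:aws:iam::123456789012:policy/s3-read",
           {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}),
]
SAMPLE_ROLES = [
    Role("platform-break-glass", [ADMINISTRATOR_ACCESS_ARN]),  # approved, to be allowlisted
    Role("legacy-app", [ADMINISTRATOR_ACCESS_ARN]),            # should stay a FAIL
    Role("reporting", ["arn:aws:iam::123456789012:policy/s3-read"]),
]

if __name__ == "__main__":
    print(statuses(check_policy_no_administrative_privileges(SAMPLE_POLICIES)))
    print(statuses(apply_allowlist(check_role_administratoraccess_policy(SAMPLE_ROLES),
                                   {"platform-break-glass"})))
```

The policy-level run yields a single FAIL keyed on the AdministratorAccess ARN, so allowlisting it would silence every role that uses the policy; the role-level run yields one finding per role, so `platform-break-glass` can be allowlisted while `legacy-app` remains a FAIL.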

@kagahd kagahd requested a review from a team September 11, 2023 10:11
Member

@MrCloudSec MrCloudSec left a comment


Awesome PR! love the check and tests 🚀

@MrCloudSec MrCloudSec merged commit f1bea27 into prowler-cloud:master Sep 12, 2023