fix(aws): Corrects privilege escalation vectors

[rieck-srlabs]

Context

Prowler includes a list of (combinations of) dangerous actions that allow for privilege escalation. This list is currently incorrect, leading to false positives and false negatives.

Description

This PR improves the AWS privilege escalation logic in Prowler.

I checked the actions defined in iam_policy_allows_privilege_escalation.py for mistakes after finding that Prowler produced false positives if a policy just included "cloudformation:CreateStack" and "cloudformation:DescribeStacks". These actions alone do not suffice for privilege escalation. Judging by the name, "iam:PassRole" is obviously missing.

I cross-checked the other definitions against this document. In total, I found three incorrect definitions:

• "PassRole+CloudFormation": missed the iam:PassRole action
• "PassRole+DataPipeline": missed the iam:PassRole action
• "GlueUpdateDevEndpoints": specified "glue:UpdateDevEndpoint" rather than "glue:UpdateDevEndpoints" (s missing!)

Fixes #3807

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[jfagoagas]

Thanks for the fix @rieck-srlabs 👏

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.51%. Comparing base (b466b47) to head (7661973).
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3823      +/-   ##
==========================================
+ Coverage   85.46%   85.51%   +0.04%     
==========================================
  Files         737      737              
  Lines       22811    22811              
==========================================
+ Hits        19496    19506      +10     
+ Misses       3315     3305      -10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.