prowler: [Bug]: iam_policy_allows_privilege_escalation passes when it should fail - regarding `iam:PassRole`

Steps to Reproduce

I run a prowler scan to check my AWS IAM policies. I run the following command - prowler aws -p ernie -c iam_policy_allows_privilege_escalation .

My AWS policy is as follows -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::11223344:role/ecs"
        }
    ]
}

The scan fails with the message - Custom Policy arn:aws:iam::421474263769:policy/ernie-test-account-admin-minimized allows privilege escalation using the following actions: {'iam:PassRole'}

Strangely, if I update the same IAM policy to be the following and I run the same exact prowler scan then the scan will pass on the policy. I think that prowler has a bug because it should not pass with the addition of "Action": "account:GetAccountInformation" -

{
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::11223344:role/ecs"
        },
        {
            "Action": "account:GetAccountInformation",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

Also, I want to get the original policy without the "Action": "account:GetAccountInformation" addition to pass. From my research, if I update the policy with the condition shown below I would think that it would then pass the prowler scan, however it still fails with the message - Custom Policy arn:aws:iam::421474263769:policy/ernie-test-account-admin-minimized allows privilege escalation using the following actions: {'iam:PassRole'} :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::11223344:role/ecs",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ecs.amazonaws.com",
                    "aws:SourceAccount": "11223344"
                }
            }
        }
    ]
}

Expected behavior

The prowler scan should fail with the following policy - which it does:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::11223344:role/ecs"
        }
    ]
}

The prowler scan should fail with the following policy - which it does NOT:

{
    "Statement": [
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::11223344:role/ecs"
        },
        {
            "Action": "account:GetAccountInformation",
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

I think that the prowler scan should pass with the following policy - which it still fails:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::11223344:role/ecs",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ecs.amazonaws.com",
                    "aws:SourceAccount": "11223344"
                }
            }
        }
    ]
}

Actual Result with Screenshots or Logs

2023-07-28T09:50:18.064060;prowler-aws-iam_policy_allows_privilege_escalation-XXXX-us-east-1-ernie-test-account-admin-minimized;aws;iam_policy_allows_privilege_escalation;Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation;Software and Configuration Checks,Industry and Regulatory Standards,CIS AWS Foundations Benchmark;FAIL;Custom Policy arn:aws:iam::XXXX:policy/ernie-test-account-admin-minimized allows privilege escalation using the following actions: {‘iam:PassRole’};iam;;high;AwsIamPolicy;;;Ensure no Customer Managed IAM policies allow actions that may lead into Privilege Escalation;Users with some IAM permissions are allowed to elevate their privileges up to administrator rights.;;Grant usage permission on a per-resource basis and applying least privilege principle.;https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege;;;;;AWS-Well-Architected-Framework-Security-Pillar: SEC02-BP06 | ENS-RD2022: op.acc.4.aws.iam.1, op.acc.4.aws.iam.2, op.exp.8.r4.aws.ct.8;;;;CAF Security Epic: IAM;ernie;XXXX;;;;;;us-east-1;ernie-test-account-admin-minimized;arn:aws:iam::XXXX:policy/ernie-test-account-admin-minimized

How did you install Prowler?

From brew (brew install prowler)

Environment Resource

  1. Workstation

OS used

  1. MacOS

Prowler version

Prowler 3.6.1

Pip version

I do not have pip installed

Context

Besides pointing out the bug I think I found, I am also hoping you can suggest a way to get the scan to pass using the policy shown below. Or is using iam:PassRole just too much of a risk, so that it will always fail when using it and we have to accept that?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::11223344:role/ecs",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ecs.amazonaws.com",
                    "aws:SourceAccount": "11223344"
                }
            }
        }
    ]
}
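To make the expected behaviour concrete, here is a small stand-alone checker, written for this issue and not taken from Prowler's code base, that does what the report expects the check to do: it walks every statement of a policy document, so a sensitive action allowed in the first statement is still reported when further statements are added, and it records separately whether the matching statement carries a Condition block, so a reviewer can see the iam:PassedToService / aws:SourceAccount restriction instead of having it silently change the verdict. The SENSITIVE_ACTIONS list is deliberately reduced to iam:PassRole for the example, and the three sample policies are the ones from the issue above, re-typed as Python dicts.

```python
import fnmatch
import json

# Only the action this issue is about. A real checker would carry the full
# list of actions known to enable privilege escalation.
SENSITIVE_ACTIONS = ("iam:PassRole",)


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _action_matches(pattern, action):
    """Case-insensitive match that honours IAM wildcards such as '*' or 'iam:*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_sensitive_allows(policy):
    """Inspect EVERY statement and return one finding per match as
    (statement_index, action, has_condition). Later statements never hide
    an earlier match, which is the behaviour the issue expects."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in SENSITIVE_ACTIONS:
                if _action_matches(pattern, action):
                    findings.append((idx, action, bool(stmt.get("Condition"))))
    return findings


def check_policy(policy):
    """Summarise a parsed policy as (status, actions, unconditioned):
    status is 'FAIL' when any sensitive action is allowed, actions is the
    sorted list of matched actions, and unconditioned is True when at least
    one matching statement has no Condition block at all."""
    findings = find_sensitive_allows(policy)
    actions = sorted({a for _, a, _ in findings})
    unconditioned = any(not cond for _, _, cond in findings)
    return ("FAIL" if findings else "PASS", actions, unconditioned)


def check_policy_json(text):
    """Same as check_policy, but for a JSON policy document as text."""
    return check_policy(json.loads(text))


# Sample policies taken from the issue (constructed for this example).
ROLE = "arn:aws:iam::11223344:role/ecs"
PASSROLE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE}],
}
PASSROLE_PLUS_ACCOUNT_INFO = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE},
        {"Effect": "Allow", "Action": "account:GetAccountInformation", "Resource": "*"},
    ],
}
PASSROLE_WITH_CONDITION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": ROLE,
        "Condition": {"StringEquals": {
            "iam:PassedToService": "ecs.amazonaws.com",
            "aws:SourceAccount": "11223344",
        }},
    }],
}

if __name__ == "__main__":
    for name, doc in [("passrole only", PASSROLE_ONLY),
                      ("passrole + account info", PASSROLE_PLUS_ACCOUNT_INFO),
                      ("passrole with condition", PASSROLE_WITH_CONDITION)]:
        print(f"{name:25s} -> {check_policy(doc)}")
```

Running it reports FAIL for all three policies; the first two are flagged with an unconditioned iam:PassRole grant, while the third is flagged with a Condition present, leaving it to the check's author (or the reviewer) to decide whether a iam:PassedToService restriction to one service should downgrade the finding. The wildcard handling also catches `iam:*` and `*` grants, which a string comparison on the literal action name would miss.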

About this issue

  • State: closed
  • Created a year ago
  • Comments: 22 (14 by maintainers)

Most upvoted comments

@jfagoagas it's related, but there also seems to be a bug that @ernievd has found with the logic (it doesn't pick up on the iam:PassRole action when there are multiple statements in the policy)