FIX: Lambda and Ec2 role policy check now only scan for allowed actions
+14
-7
@@ -298,7 +298,6 @@ printResult(outTable, "AccountID, Type, Name")
"""Check Lambda role and IAM instance profile permissions"""
printTitle(1, "Iam service review")
printTitle(2, "[Security] Check permissions of Lamda roles and Ec2 instance roles")
printTitle(3, "Typically these roles should not have admin or iam permissions.")
outTable = []
@@ -336,6 +335,12 @@ for role in roles:
roles = confirmed_roles
printTitle(3, f"Roles to be examined: {len(confirmed_roles)}")
# predefined actions which should not be granted
high_risk_actions = {
"*",
"iam:*"
}
# Check inline policies for each role
client = boto3.client('iam', region_name="us-east-1")
for role in roles:
@@ -344,13 +349,14 @@ for role in roles:
response = client.get_role_policy(RoleName=role, PolicyName=policy_name)
policy = response['PolicyDocument']
flat_actions = jmespath.search('Statement[].Action[]', policy)
flat_actions = jmespath.search('Statement[?Effect=="Allow"].Action[]', policy)
if flat_actions is None:
print(json.dumps(policy))
outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"])
else:
if "*" in flat_actions or "iam:*" in flat_actions:
outTable.append([aid, role, policy_name, "Inline policy contains * or iam:*, please review it"])
common = high_risk_actions.intersection(flat_actions)
if len(common) >= 1:
outTable.append([aid, role, policy_name, f"Inline policy contains {common}, please review it"])
# Check managed policies for each role
for role in roles:
@@ -367,13 +373,14 @@ for role in roles:
version = client.get_policy_version(PolicyArn=policy_arn, VersionId=default_version_id)
policy_document = version['PolicyVersion']['Document']
flat_actions = jmespath.search('Statement[].Action[]', policy_document)
flat_actions = jmespath.search('Statement[?Effect=="Allow"].Action[]', policy_document)
if flat_actions is None:
print(json.dumps(policy_document))
outTable.append([aid, role, policy_name, "Single statement policy not supported by this program"])
else:
if "*" in flat_actions or "iam:*" in flat_actions:
outTable.append([aid, role, policy_name, "Managed policy contains * or iam:*, please review it"])
common = high_risk_actions.intersection(flat_actions)
if len(common) >= 1:
outTable.append([aid, role, policy_name, f"Managed policy contains {common}, please review it"])
printResult(outTable, "AccountID, RoleName, PolicyName, Issue")
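Review bot: The new `common = high_risk_actions.intersection(flat_actions)` line in the inline-policy hunk (and the identical line in the managed-policy hunk below it) only matches the two literal strings `*` and `iam:*`; AWS evaluates the Action element case-insensitively, so a policy written with `IAM:*` or `Iam:*` passes the check, and narrower IAM grants such as `iam:Create*` or `iam:PassRole` are also left unreported even though the heading in the first hunk says these roles should not have IAM permissions. Lower-casing and matching on the service prefix, e.g. `common = {a for a in flat_actions if a == "*" or a.lower().startswith("iam:")}`, closes both gaps without changing the report rows. An Allow statement that uses `NotAction` instead of `Action` is dropped by the new `Statement[?Effect=="Allow"].Action[]` query and is then neither flagged nor reported as unsupported; at minimum a comment on the query such as `# NOTE: statements using NotAction are not examined` would make that limitation visible to whoever reads the report. Both enclosing `for role in roles` loops begin before their hunks.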