
False positive on iam_policy_allows_privilege_escalation for iam:CreateAccessKey restricted to current user #5731

Open
enver opened this issue Nov 12, 2024 · 4 comments
Labels
bug provider/aws Issues/PRs related with the AWS provider severity/medium Results in some unexpected or undesired behavior.

Comments

@enver

enver commented Nov 12, 2024

Steps to Reproduce

  1. Create AWS IAM policy:
{
    "Statement": [
        {
            "Action": [
                "iam:UpdateAccessKey",
                "iam:ListAccessKeys",
                "iam:DeleteAccessKey",
                "iam:CreateAccessKey"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::123456789012:user/*/${aws:username}",
                "arn:aws:iam::123456789012:user/${aws:username}"
            ],
            "Sid": "AllowManageOwnAccessKeys"
        }
    ],
    "Version": "2012-10-17"
}
  2. Run prowler aws --check iam_policy_allows_privilege_escalation

Expected behavior

The check for the policy above should pass, considering that the target resources are restricted only to the current user.

Actual Result with Screenshots or Logs

Check will fail with:

Custom Policy arn:aws:iam::123456789012:policy/IAMSelfManagement-xxxxxx allows privilege escalation using the following actions: 'iam:CreateAccessKey'.

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

Workstation

OS used

MacOS

Prowler version

4.6.0

Pip version

24.2

Context

I'm using https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/submodules/iam-group-with-policies?tab=inputs to provision user groups with a self-management policy (part of which is in the example above)

https://github.com/terraform-aws-modules/terraform-aws-iam/blob/e20e0b9a42084bbc885fd5abb18b8744810bd567/modules/iam-group-with-policies/policies.tf#L48
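As an added worked example (not code from this issue, from Prowler, or from the Terraform module above), the following Python applies the reporter's reasoning: an Allow statement that grants an escalation-capable IAM action is only reported when its Resource is not limited to the caller's own IAM user via `${aws:username}`. The set of escalation-sensitive actions, the regex for self-scoped user ARNs and the wildcard/mixed sample policies are assumptions of this example; the first sample policy is the one from the issue. Condition blocks are ignored, and NotAction/NotResource are treated conservatively as broad grants.

```python
"""Classify IAM Allow statements that grant escalation-capable actions by
whether their Resource is scoped to the calling user (${aws:username})."""
import fnmatch
import json
import re

# Illustrative subset of IAM actions commonly treated as privilege-escalation
# vectors. Assumption for this example, not Prowler's own list.
ESCALATION_ACTIONS = (
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy",
    "iam:PutUserPolicy",
    "iam:AddUserToGroup",
)

# An IAM user ARN whose final path segment is exactly ${aws:username},
# e.g. arn:aws:iam::123456789012:user/${aws:username}
#   or arn:aws:iam::123456789012:user/*/${aws:username}
SELF_USER_ARN = re.compile(
    r"^arn:aws:iam::\d{12}:user/(?:[^:]*/)?\$\{aws:username\}$"
)


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_self_scoped(resource: str) -> bool:
    """True when the ARN can only ever resolve to the calling IAM user."""
    return bool(SELF_USER_ARN.match(resource))


def statement_allows_escalation(statement: dict) -> list:
    """Escalation actions this statement grants on resources beyond the
    caller's own user. Fully self-scoped statements yield []."""
    if statement.get("Effect") != "Allow":
        return []
    if "NotResource" in statement:
        broad = True  # "everything except" is never self-scoped
    else:
        resources = _as_list(statement.get("Resource"))
        broad = not resources or not all(is_self_scoped(r) for r in resources)
    if not broad:
        return []
    if "NotAction" in statement:
        granted = ["*"]  # Allow + NotAction grants everything not listed
    else:
        # IAM action matching is case-insensitive and supports * wildcards.
        granted = [a.lower() for a in _as_list(statement.get("Action"))]
    return sorted(
        action for action in ESCALATION_ACTIONS
        if any(fnmatch.fnmatchcase(action.lower(), pat) for pat in granted)
    )


def policy_escalation_findings(policy_json: str) -> dict:
    """Map each offending statement's Sid (or index) to the actions flagged."""
    policy = json.loads(policy_json)
    findings = {}
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        flagged = statement_allows_escalation(stmt)
        if flagged:
            findings[stmt.get("Sid", f"Statement{i}")] = flagged
    return findings


# The policy from the issue: every Resource is the caller's own user.
SELF_SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowManageOwnAccessKeys",
    "Effect": "Allow",
    "Action": ["iam:UpdateAccessKey", "iam:ListAccessKeys",
               "iam:DeleteAccessKey", "iam:CreateAccessKey"],
    "Resource": ["arn:aws:iam::123456789012:user/*/${aws:username}",
                 "arn:aws:iam::123456789012:user/${aws:username}"]
  }]
}"""

# Constructed counter-examples: a path wildcard, and a mixed list where one
# entry is "*" so the statement is no longer limited to the caller.
WILDCARD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAnyAccessKey", "Effect": "Allow",
    "Action": "iam:CreateAccessKey",
    "Resource": "arn:aws:iam::123456789012:user/*"}]})
MIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "MixedScope", "Effect": "Allow",
    "Action": ["iam:CreateAccessKey", "iam:ListAccessKeys"],
    "Resource": ["arn:aws:iam::123456789012:user/${aws:username}", "*"]}]})

if __name__ == "__main__":
    for name, doc in [("self-scoped", SELF_SCOPED_POLICY),
                      ("wildcard", WILDCARD_POLICY), ("mixed", MIXED_POLICY)]:
        print(name, policy_escalation_findings(doc))
```

The design point is that `${aws:username}` only resolves for IAM user principals, and a Resource built from it can never name a different user, so the statement hands the principal no power it does not already have over itself; any other Resource form (a bare path wildcard, `*`, or a mixed list containing one) is reported as before. A production check would additionally need to reason about Condition keys before declaring a statement safe.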

@enver enver added bug status/needs-triage Issue pending triage labels Nov 12, 2024
@jfagoagas jfagoagas added provider/aws Issues/PRs related with the AWS provider and removed status/needs-triage Issue pending triage labels Nov 12, 2024
@jfagoagas jfagoagas assigned jfagoagas and unassigned jfagoagas Nov 12, 2024
@jfagoagas
Member

Hello @enver, we will review this as soon as we can and we'll get back to you.

Thanks!

@jfagoagas jfagoagas added the severity/medium Results in some unexpected or undesired behavior. label Nov 12, 2024
@garym-krrv
Contributor

Just tested against the latest codebase in master and I can't reproduce the issue.

@enver
Author

enver commented Nov 24, 2024

I can confirm it is still reproducible with latest master version (53a4befb0172bbb806cb39f05179af77a705fc7f)

@garym-krrv
Contributor

Nope, you're right. It does indeed fail @enver
