IAM policy parser reporting incorrectly if multiple SID's in policy #177

mjseid · 2019-10-30T21:37:47Z

Description :
I am testing the "Reject if the role can be assumed by ANY role in ANY account" example given on your website. My test policy contains multiple SIDs, one with sts:AssumeRole to a specific arn and one with other permissions to *. The scenario fails even though the SID with the assume role permission is restricted.

To Reproduce

<Either a sample terraform code, or your terraform plan file if it doesn't have any confidential information>

resource "aws_iam_policy" "assumeany-policy" {
  name        = "assumeany-policy"
  path        = "/"
  description = "test policy"

  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "lambda:InvokeFunction"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::123456583231:role/cross-role"
        }
    ]
}
EOF
}

default parameters
python package

    Scenario: Reject if a policy can assume ANY role in ANY account
        Given I have aws_iam_policy defined
        When it contains policy
        And it contains Statement
        And its Effect is Allow
        And its Action is sts:AssumeRole
        And it contains resource
        Then its value must not match the "\*" regex
          Failure: resource property in aws_iam_policy.assumeany-policy resource matches with \* regex. It is set to *.

<Your feature/scenario/steps>

  Scenario: Reject if a policy can assume ANY role in ANY account
      Given I have aws_iam_policy defined
      When it contains policy
      And it contains Statement
      And its Effect is Allow
      And its Action is sts:AssumeRole
      And it contains resource
      Then its value must not match the "\*" regex

Expected behavior :
I expect the scenario to pass since the assumerole permission is restricted.

Tested versions :

<terraform-compliance version (1.0.54)>
<terraform version (0.12.12)>
<python runtime version, if running as a python package (3.7.3)>

The text was updated successfully, but these errors were encountered:

eerkunt · 2019-10-31T09:46:18Z

Found the problem. It is due to failure of resource filtering on And its Action is sts:AssumeRole because it is trying to filter out of a list of list of lists.

Having a deeper look, this might take some time to fix.

eerkunt · 2019-11-05T13:03:22Z

Hi @mjseid,

Can you have a try with 1.0.55 version please ? Thanks al lot!

mjseid · 2019-11-05T16:13:23Z

yes, works as expected now. thank you

mjseid added the bug label Oct 30, 2019

mjseid assigned eerkunt Oct 30, 2019

eerkunt mentioned this issue Nov 4, 2019

Implement an IAM Policies Parser #72

Closed

eerkunt added the waiting for confirmation Workaround/Fix applied, waiting for confirmation label Nov 5, 2019

mjseid closed this as completed Nov 5, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IAM policy parser reporting incorrectly if multiple SID's in policy #177

IAM policy parser reporting incorrectly if multiple SID's in policy #177

mjseid commented Oct 30, 2019

eerkunt commented Oct 31, 2019

eerkunt commented Nov 5, 2019

mjseid commented Nov 5, 2019

IAM policy parser reporting incorrectly if multiple SID's in policy #177

IAM policy parser reporting incorrectly if multiple SID's in policy #177

Comments

mjseid commented Oct 30, 2019

eerkunt commented Oct 31, 2019

eerkunt commented Nov 5, 2019

mjseid commented Nov 5, 2019