Check failing due to IAM Roles created by AWS Control Tower and AFT with AdministratorAccess policy

[jfagoagas]

Discussed in #3809

^{Originally posted by @dmkim22-lguplus April 18, 2024}
Hello,

IAM Roles created by AWS Control Tower and AFT (Account Factory for Terraform) have AdministratorAccess policy attached, and it seems "Ensure IAM AWS-Managed policies that allow full ":" administrative privileges are not attached" is failing due to this.

Should the following IAM Roles in an account be excluded from this check?

• aws-controltower-AdministratorExecutionRole
• AWSAFTExecution
• AWSAFTService
• AWSControlTowerExecution
• stacksets-exec-*

Thank you in advance.

[jfagoagas]

We need to do further investigation because the check iam_aws_attached_policy_no_administrative_privileges analyzes IAM Managed policies so the resource_id is the policy name. So there is no quick solution for this issue as of today, we need to think about having related resources in the same findings and use the allowlist.

[mtronrd]

I consider this the correct behavior. These will generally be accepted risks but they should still be flagged as risks and accepted/suppressed by a downstream process. Alternately, Prowler could support some sort of mechanism to suppress accepted risks at scan time, eg via resource tags or a configurable ignorelist. I would still say that should be at the discretion of the end user, and we should not hardcode role namespaces to ignore in this check.

[jfagoagas]

@mtronrd for sure, we were talking about including this into the https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/mutelist/. But for that we'd need to store more than one resource into the finding since now the resource_id is just the policy and not the policy and the role attached to it.