iam_role_cross_service_confused_deputy_prevention remediation broke specific process #4714
Comments
Hi @migs017, thanks for reaching out to us!
Hey @sergargar, yup, that's right.
Is that your situation @migs017?
Hmm, I don't think so. For example, in the CloudTrail role the condition is aws:SourceArn : <arn_of_a_trail>. That means it's the same service resource from the service principal that I'm trying to allow to assume the role, right?
Yes, but in that case the condition Can you try it again in the branch
Hi @migs017, can you try it again in the new version 4.4.0 of Prowler? It may be solved. Thanks!
Steps to Reproduce
Expected behavior
Prowler recommends that, to remediate/prevent confused deputy, we use either aws:SourceArn or aws:SourceAccount or both. If the specific resource has been added in the condition, nothing should break our process.
Actual Result with Screenshots or Logs
Prowler's solution works on some roles, but for the CloudTrail to CloudWatch process that a role handles, it breaks. We also encounter it in an IAM role that's assumed by AWS Transcoder when we add either aws:SourceArn or aws:SourceAccount or both. Our process stops working.
The exact trust relationship policy for the transcoder role:
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "elastictranscoder.amazonaws.com",
          "transcribe.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<account_id>"
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:elastictranscoder::<account_id>:pipeline/example_pipeline",
            "arn:aws:elastictranscoder::<account_id>:job/",
            "arn:aws:elastictranscoder::<account_id>:preset/"
          ]
        }
      }
    }
  ]
}
```
How did you install Prowler?
From pip package (pip install prowler)
Environment Resource
Workstation
OS used
Windows
Prowler version
4.2.4
Pip version
pip 23.2.1
Context
We consulted AWS Support about the CloudTrail to CloudWatch process role, and they mentioned: "no documentation around which services do or do not support the aws:SourceArn or aws:SourceAccount condition keys because they're global condition keys and technically available to all services. The keys are supported in any situation where a service tries to access another service's resource with a call from their service principal. If it's not from a service principal, we don't expect those condition keys to be set."
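As an added illustration (not code from this issue, nor Prowler's own check), the script below models the two sides of what is being discussed: a simplified version of the confused-deputy check (does a service-principal trust statement carry an aws:SourceArn or aws:SourceAccount condition?) and a simplified IAM condition evaluator that shows why the remediation can break a workflow. The trust policies, account id and trail ARN are constructed samples, and the evaluator models only StringEquals and ArnLike, with the real-IAM rule that a condition key absent from the request context never matches. The last case is the failure mode reported above: if the calling service does not populate the key, the guarded role cannot be assumed at all.

```python
import fnmatch
import json

# Constructed sample: a CloudTrail -> CloudWatch Logs delivery role trust policy
# with no confused-deputy condition (the state the Prowler finding reports).
UNGUARDED_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudTrail",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# Same role after the remediation: the caller must present the owning account
# and a trail ARN in that account (account id and region are placeholders).
GUARDED_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudTrail",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {"aws:SourceAccount": "111122223333"},
        "ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/*"}
      }
    }
  ]
}
""")

DEPUTY_KEYS = {"aws:sourcearn", "aws:sourceaccount"}  # IAM condition keys are case-insensitive


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _service_assume_statements(policy, service=None):
    """Yield Allow statements that grant sts:AssumeRole to a service principal
    (optionally only the given service)."""
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        services = _as_list(principal.get("Service", []))
        if not services or (service is not None and service not in services):
            continue
        if "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            yield stmt


def unguarded_service_statements(policy):
    """Sids of service-principal AssumeRole statements lacking both
    aws:SourceArn and aws:SourceAccount (the confused-deputy exposure)."""
    findings = []
    for stmt in _service_assume_statements(policy):
        present = {key.lower()
                   for operator_values in stmt.get("Condition", {}).values()
                   for key in operator_values}
        if not present & DEPUTY_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def _condition_matches(operator, expected, actual):
    """Simplified IAM semantics: a key missing from the request context never
    satisfies StringEquals or ArnLike (only ...IfExists / Null behave differently)."""
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual in _as_list(expected)
    if operator == "ArnLike":  # '*' and '?' wildcards, modelled with fnmatch
        return any(fnmatch.fnmatchcase(actual, pat) for pat in _as_list(expected))
    raise ValueError(f"operator not modelled: {operator}")


def assume_role_allowed(policy, service, request_context):
    """Would `service` be allowed sts:AssumeRole, given the aws:* keys the
    calling service actually placed in the request context?"""
    for stmt in _service_assume_statements(policy, service):
        if all(_condition_matches(op, expected, request_context.get(key))
               for op, kv in stmt.get("Condition", {}).items()
               for key, expected in kv.items()):
            return True
    return False


if __name__ == "__main__":
    svc = "cloudtrail.amazonaws.com"
    own = {"aws:SourceAccount": "111122223333",
           "aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"}
    other = dict(own, **{"aws:SourceAccount": "999999999999"})  # call on behalf of another account
    print("unguarded findings:", unguarded_service_statements(UNGUARDED_TRUST_POLICY))
    print("guarded findings:  ", unguarded_service_statements(GUARDED_TRUST_POLICY))
    print("own trail, guarded:        ", assume_role_allowed(GUARDED_TRUST_POLICY, svc, own))
    print("other account, guarded:    ", assume_role_allowed(GUARDED_TRUST_POLICY, svc, other))
    print("keys not set, guarded:     ", assume_role_allowed(GUARDED_TRUST_POLICY, svc, {}))
    print("keys not set, unguarded:   ", assume_role_allowed(UNGUARDED_TRUST_POLICY, svc, {}))
```

The guarded policy rejects a call made on behalf of a different account, which is the protection the finding is about, but it equally rejects a call in which the service set neither key. Before rolling the remediation out, confirm (as the AWS Support reply quoted above suggests) that the specific service-to-service path in question actually populates aws:SourceArn or aws:SourceAccount, and prefer aws:SourceAccount alone where the exact resource ARN is not known or not stable.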