Added setting to ignore managed IAM policies (#639)

aquasecurity · Apr 20, 2021 · 6b053ab · 6b053ab
1 parent ca61a0c
commit 6b053ab
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 6 deletions.
diff --git a/collectors/aws/collector.js b/collectors/aws/collector.js
@@ -492,8 +492,7 @@ var calls = {
             property: 'Policies',
             paginate: 'Marker',
             params: {
-                OnlyAttached: true,
-                Scope: 'Local'
+                OnlyAttached: true
             }
         },
         listVirtualMFADevices: {

diff --git a/plugins/aws/iam/iamRolePolicies.js b/plugins/aws/iam/iamRolePolicies.js
@@ -50,18 +50,34 @@ module.exports = {
                 'and value for this setting is set to true, a PASS results will be generated.',
             regex: '^(true|false)$',
             default: 'false'
+        },
+        ignore_aws_managed_iam_policies: {
+            name: 'Ignore AWS-Managed IAM Policies',
+            description: 'If set to true, skip AWS-managed policies attached to the role with the exception of AWS-managed AdministratorAccess policy',
+            regex: '^(true|false)$',
+            default: 'false'
+        },
+        ignore_customer_managed_iam_policies: {
+            name: 'Ignore Customer-Managed IAM Policies',
+            description: 'If set to true, skip customer-managed policies attached to the role',
+            regex: '^(true|false)$',
+            default: 'false'
         }
     },
 
     run: function(cache, settings, callback) {
         var config = {
             iam_role_policies_ignore_path: settings.iam_role_policies_ignore_path || this.settings.iam_role_policies_ignore_path.default,
             ignore_service_specific_wildcards: settings.ignore_service_specific_wildcards || this.settings.ignore_service_specific_wildcards.default,
-            ignore_identity_federation_roles: settings.ignore_identity_federation_roles || this.settings.ignore_identity_federation_roles.default
+            ignore_identity_federation_roles: settings.ignore_identity_federation_roles || this.settings.ignore_identity_federation_roles.default,
+            ignore_aws_managed_iam_policies: settings.ignore_aws_managed_iam_policies || this.settings.ignore_aws_managed_iam_policies.default,
+            ignore_customer_managed_iam_policies: settings.ignore_customer_managed_iam_policies || this.settings.ignore_customer_managed_iam_policies.default
         };
 
         config.ignore_service_specific_wildcards = (config.ignore_service_specific_wildcards === 'true');
         config.ignore_identity_federation_roles = (config.ignore_identity_federation_roles === 'true');
+        config.ignore_aws_managed_iam_policies = (config.ignore_aws_managed_iam_policies === 'true');
+        config.ignore_customer_managed_iam_policies = (config.ignore_customer_managed_iam_policies === 'true');
 
         var custom = helpers.isCustom(settings, this.settings);
 
@@ -134,14 +150,16 @@ module.exports = {
             if (listAttachedRolePolicies.data &&
                 listAttachedRolePolicies.data.AttachedPolicies) {
 
-                for (var a in listAttachedRolePolicies.data.AttachedPolicies) {
-                    var policy = listAttachedRolePolicies.data.AttachedPolicies[a];
-
+                for (var policy of listAttachedRolePolicies.data.AttachedPolicies) {
                     if (policy.PolicyArn === managedAdminPolicy) {
                         roleFailures.push('Role has managed AdministratorAccess policy');
                         break;
                     }
 
+                    if (config.ignore_aws_managed_iam_policies && /^arn:aws:iam::aws:.*/.test(policy.PolicyArn)) continue;
+
+                    if (config.ignore_customer_managed_iam_policies && /^arn:aws:iam::[0-9]{12}:.*/.test(policy.PolicyArn)) continue;
+
                     var getPolicy = helpers.addSource(cache, source,
                         ['iam', 'getPolicy', region, policy.PolicyArn]);
 

diff --git a/plugins/aws/iam/iamRolePolicies.spec.js b/plugins/aws/iam/iamRolePolicies.spec.js
@@ -238,6 +238,15 @@ describe('iamRolePolicies', function () {
             });
         });
 
+        it('should PASS if role policy allows wildcard actions but ignore managed iam policies is set to true', function (done) {
+            const cache = createCache([listRoles[0]], listAttachedRolePolicies[2], null, null, getPolicy[0], getPolicyVersion[0]);
+            iamRolePolicies.run(cache, { ignore_customer_managed_iam_policies : 'true' }, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                done();
+            });
+        });
+
         it('should FAIL if role policy allows all actions on selected resources', function (done) {
             const cache = createCache([listRoles[0]], {}, listRolePolicies[1], getRolePolicy[4]);
             iamRolePolicies.run(cache, {}, (err, results) => {