Skip to content

Commit

Permalink
Added setting to ignore managed IAM policies
Browse files Browse the repository at this point in the history
  • Loading branch information
AkhtarAmir committed Apr 8, 2021
1 parent 9d5683d commit b33570e
Show file tree
Hide file tree
Showing 3 changed files with 33 additions and 7 deletions.
3 changes: 1 addition & 2 deletions collectors/aws/collector.js
Original file line number Diff line number Diff line change
Expand Up @@ -486,8 +486,7 @@ var calls = {
property: 'Policies',
paginate: 'Marker',
params: {
OnlyAttached: true,
Scope: 'Local'
OnlyAttached: true
}
},
listVirtualMFADevices: {
Expand Down
28 changes: 23 additions & 5 deletions plugins/aws/iam/iamRolePolicies.js
Original file line number Diff line number Diff line change
Expand Up @@ -50,18 +50,34 @@ module.exports = {
'and value for this setting is set to true, a PASS results will be generated.',
regex: '^(true|false)$',
default: 'false'
},
ignore_aws_managed_iam_policies: {
name: 'Ignore AWS-Managed IAM Policies',
description: 'If set to true, skip AWS-managed policies attached to the role with the exception of AWS-managed AdministratorAccess policy',
regex: '^(true|false)$',
default: 'false'
},
ignore_customer_managed_iam_policies: {
name: 'Ignore Customer-Managed IAM Policies',
description: 'If set to true, skip customer-managed policies attached to the role',
regex: '^(true|false)$',
default: 'false'
}
},

run: function(cache, settings, callback) {
var config = {
iam_role_policies_ignore_path: settings.iam_role_policies_ignore_path || this.settings.iam_role_policies_ignore_path.default,
ignore_service_specific_wildcards: settings.ignore_service_specific_wildcards || this.settings.ignore_service_specific_wildcards.default,
ignore_identity_federation_roles: settings.ignore_identity_federation_roles || this.settings.ignore_identity_federation_roles.default
ignore_identity_federation_roles: settings.ignore_identity_federation_roles || this.settings.ignore_identity_federation_roles.default,
ignore_aws_managed_iam_policies: settings.ignore_aws_managed_iam_policies || this.settings.ignore_aws_managed_iam_policies.default,
ignore_customer_managed_iam_policies: settings.ignore_customer_managed_iam_policies || this.settings.ignore_customer_managed_iam_policies.default
};

config.ignore_service_specific_wildcards = (config.ignore_service_specific_wildcards === 'true');
config.ignore_identity_federation_roles = (config.ignore_identity_federation_roles === 'true');
config.ignore_aws_managed_iam_policies = (config.ignore_aws_managed_iam_policies === 'true');
config.ignore_customer_managed_iam_policies = (config.ignore_customer_managed_iam_policies === 'true');

var custom = helpers.isCustom(settings, this.settings);

Expand All @@ -87,7 +103,7 @@ module.exports = {
}

async.each(listRoles.data, function(role, cb){
if (!role.RoleName) return cb();
if (!role.RoleName || role.RoleName != 'lambda-role-2') return cb();

// Skip roles with user-defined paths
if (config.iam_role_policies_ignore_path &&
Expand Down Expand Up @@ -134,14 +150,16 @@ module.exports = {
if (listAttachedRolePolicies.data &&
listAttachedRolePolicies.data.AttachedPolicies) {

for (var a in listAttachedRolePolicies.data.AttachedPolicies) {
var policy = listAttachedRolePolicies.data.AttachedPolicies[a];

for (var policy of listAttachedRolePolicies.data.AttachedPolicies) {
if (policy.PolicyArn === managedAdminPolicy) {
roleFailures.push('Role has managed AdministratorAccess policy');
break;
}

if (config.ignore_aws_managed_iam_policies && /^arn:aws:iam::aws:.*/.test(policy.PolicyArn)) continue;

if (config.ignore_customer_managed_iam_policies && /^arn:aws:iam::[0-9]{12}:.*/.test(policy.PolicyArn)) continue;

var getPolicy = helpers.addSource(cache, source,
['iam', 'getPolicy', region, policy.PolicyArn]);

Expand Down
9 changes: 9 additions & 0 deletions plugins/aws/iam/iamRolePolicies.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,15 @@ describe('iamRolePolicies', function () {
});
});

it('should PASS if role policy allows wildcard actions but ignore managed iam policies is set to true', function (done) {
const cache = createCache([listRoles[0]], listAttachedRolePolicies[2], null, null, getPolicy[0], getPolicyVersion[0]);
iamRolePolicies.run(cache, { ignore_customer_managed_iam_policies : 'true' }, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
done();
});
});

it('should FAIL if role policy allows all actions on selected resources', function (done) {
const cache = createCache([listRoles[0]], {}, listRolePolicies[1], getRolePolicy[4]);
iamRolePolicies.run(cache, {}, (err, results) => {
Expand Down

0 comments on commit b33570e

Please sign in to comment.