From b33570e65b2581d5caf9e27523d42ec4ab9dbb6f Mon Sep 17 00:00:00 2001
From: AkhtarAmir
Date: Wed, 7 Apr 2021 12:42:05 +0500
Subject: [PATCH] Added setting to ignore managed IAM policies
---
 collectors/aws/collector.js | 3 +--
 plugins/aws/iam/iamRolePolicies.js | 28 ++++++++++++++++++++-----
 plugins/aws/iam/iamRolePolicies.spec.js | 9 ++++++++
 3 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/collectors/aws/collector.js b/collectors/aws/collector.js
index b91f9ade5e..d10ec04688 100644
--- a/collectors/aws/collector.js
+++ b/collectors/aws/collector.js
@@ -486,8 +486,7 @@ var calls = {
 property: 'Policies',
 paginate: 'Marker',
 params: {
- OnlyAttached: true,
- Scope: 'Local'
+ OnlyAttached: true
 }
 },
 listVirtualMFADevices: {
diff --git a/plugins/aws/iam/iamRolePolicies.js b/plugins/aws/iam/iamRolePolicies.js
index 56a9e95e9f..557b95bc75 100644
--- a/plugins/aws/iam/iamRolePolicies.js
+++ b/plugins/aws/iam/iamRolePolicies.js
@@ -50,6 +50,18 @@ module.exports = {
 'and value for this setting is set to true, a PASS results will be generated.',
 regex: '^(true|false)$',
 default: 'false'
+ },
+ ignore_aws_managed_iam_policies: {
+ name: 'Ignore AWS-Managed IAM Policies',
+ description: 'If set to true, skip AWS-managed policies attached to the role with the exception of AWS-managed AdministratorAccess policy',
+ regex: '^(true|false)$',
+ default: 'false'
+ },
+ ignore_customer_managed_iam_policies: {
+ name: 'Ignore Customer-Managed IAM Policies',
+ description: 'If set to true, skip customer-managed policies attached to the role',
+ regex: '^(true|false)$',
+ default: 'false'
 }
 },
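Review bot: Dropping `Scope: 'Local'` from the listPolicies params widens the collector from customer-managed policies to every attached policy, including AWS-managed ones, and nothing in the hunk or the commit message records why; any other plugin that consumes the `listPolicies` cache entry now sees a larger result set as well, which is worth confirming before merge. A short comment on the remaining line would keep the intent from being "fixed" back later: `OnlyAttached: true // no Scope filter: attached AWS-managed policies must be collected too`. The surrounding `calls` object continues outside the hunk.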
@@ -57,11 +69,15 @@ module.exports = {
 var config = {
 iam_role_policies_ignore_path: settings.iam_role_policies_ignore_path || this.settings.iam_role_policies_ignore_path.default,
 ignore_service_specific_wildcards: settings.ignore_service_specific_wildcards || this.settings.ignore_service_specific_wildcards.default,
- ignore_identity_federation_roles: settings.ignore_identity_federation_roles || this.settings.ignore_identity_federation_roles.default
+ ignore_identity_federation_roles: settings.ignore_identity_federation_roles || this.settings.ignore_identity_federation_roles.default,
+ ignore_aws_managed_iam_policies: settings.ignore_aws_managed_iam_policies || this.settings.ignore_aws_managed_iam_policies.default,
+ ignore_customer_managed_iam_policies: settings.ignore_customer_managed_iam_policies || this.settings.ignore_customer_managed_iam_policies.default
 };
 config.ignore_service_specific_wildcards = (config.ignore_service_specific_wildcards === 'true');
 config.ignore_identity_federation_roles = (config.ignore_identity_federation_roles === 'true');
+ config.ignore_aws_managed_iam_policies = (config.ignore_aws_managed_iam_policies === 'true');
+ config.ignore_customer_managed_iam_policies = (config.ignore_customer_managed_iam_policies === 'true');
 var custom = helpers.isCustom(settings, this.settings);
@@ -87,7 +103,7 @@ module.exports = {
 }
 async.each(listRoles.data, function(role, cb){
- if (!role.RoleName) return cb();
+ if (!role.RoleName || role.RoleName != 'lambda-role-2') return cb();
 // Skip roles with user-defined paths
 if (config.iam_role_policies_ignore_path &&
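Review bot: The added condition `role.RoleName != 'lambda-role-2'` in the `async.each` callback makes the plugin return early for every role whose name is not literally lambda-role-2, so in a real account nearly all roles are silently skipped and the check reports nothing for them; this reads as leftover local debugging and is not mentioned in the commit message. The line should go back to `if (!role.RoleName) return cb();`, and any per-role filter that is genuinely wanted belongs in a documented setting rather than a hard-coded name. The existing spec would only catch this if the fixture role happens to carry that name, which is not visible here. The callback body continues outside the hunk.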
@@ -134,14 +150,16 @@ module.exports = {
 if (listAttachedRolePolicies.data && listAttachedRolePolicies.data.AttachedPolicies) {
- for (var a in listAttachedRolePolicies.data.AttachedPolicies) {
- var policy = listAttachedRolePolicies.data.AttachedPolicies[a];
-
+ for (var policy of listAttachedRolePolicies.data.AttachedPolicies) {
 if (policy.PolicyArn === managedAdminPolicy) {
 roleFailures.push('Role has managed AdministratorAccess policy');
 break;
 }
+ if (config.ignore_aws_managed_iam_policies && /^arn:aws:iam::aws:.*/.test(policy.PolicyArn)) continue;
+
+ if (config.ignore_customer_managed_iam_policies && /^arn:aws:iam::[0-9]{12}:.*/.test(policy.PolicyArn)) continue;
+
 var getPolicy = helpers.addSource(cache, source, ['iam', 'getPolicy', region, policy.PolicyArn]);
diff --git a/plugins/aws/iam/iamRolePolicies.spec.js b/plugins/aws/iam/iamRolePolicies.spec.js
index fa2aff3a1a..01b631ddd3 100644
--- a/plugins/aws/iam/iamRolePolicies.spec.js
+++ b/plugins/aws/iam/iamRolePolicies.spec.js
@@ -238,6 +238,15 @@ describe('iamRolePolicies', function () {
 });
 });
+ it('should PASS if role policy allows wildcard actions but ignore managed iam policies is set to true', function (done) {
+ const cache = createCache([listRoles[0]], listAttachedRolePolicies[2], null, null, getPolicy[0], getPolicyVersion[0]);
+ iamRolePolicies.run(cache, { ignore_customer_managed_iam_policies : 'true' }, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ done();
+ });
+ });
+
 it('should FAIL if role policy allows all actions on selected resources', function (done) {
 const cache = createCache([listRoles[0]], {}, listRolePolicies[1], getRolePolicy[4]);
 iamRolePolicies.run(cache, {}, (err, results) => {
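Review bot: The two ARN patterns on the added `continue` lines are pinned to the `aws` partition, so for roles in GovCloud or China regions (ARNs of the form `arn:aws-us-gov:...` / `arn:aws-cn:...`) neither ignore setting takes effect and those policies are still evaluated; that fails safe, but it contradicts the setting descriptions and the trailing `.*` adds nothing to an unanchored-end match. Matching the partition and the `policy/` resource segment would make the two classes explicit: `if (config.ignore_aws_managed_iam_policies && /^arn:aws[a-z-]*:iam::aws:policy\//.test(policy.PolicyArn)) continue;` and `if (config.ignore_customer_managed_iam_policies && /^arn:aws[a-z-]*:iam::[0-9]{12}:policy\//.test(policy.PolicyArn)) continue;`. Keeping these skips after the `managedAdminPolicy` check is right, since it preserves the documented exception that AdministratorAccess is still reported; a one-line comment above the first `continue` saying so would stop a later reorder. The enclosing function and the `for` body both continue outside the hunk.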
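Review bot: The new spec only exercises `ignore_customer_managed_iam_policies`, while its title speaks of "ignore managed iam policies"; there is no case for `ignore_aws_managed_iam_policies`, none showing that a role with AdministratorAccess still fails when that setting is true, and none showing that a wildcard policy in the other class is still reported when only one of the two settings is enabled. Renaming the case to `it('should PASS if role policy allows wildcard actions but ignore customer-managed iam policies is set to true', function (done) {` and adding the mirror cases for the AWS-managed setting would document the intended contract. Whether `listAttachedRolePolicies[2]` actually holds a customer-managed ARN cannot be seen from the hunk, so that fixture is worth checking against the regex in the plugin.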