MODIFIED_ROLE_OR_SERVICE always reports false positives.
harti2006 opened this issue · 0 comments
harti2006 commented
There is a bug in the implementation of UnnaprovedServicesAndRolePlugin / PolicyProvider. It returns the AssumeRolePolicyDocument
of the role, instead of the actual policy/policies.
A better implementation strategy would be:
- For each "managed" role:
  - Verify there are no additional attached / inline policies
  - Get the default inline policy (same name as the role) and compare it to the template
See the following example API calls for clarification:
# GetRole
$ aws iam get-role --role-name "Shibboleth-PowerUser"
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRoleWithSAML",
                    "Principal": {
                        "Federated": "arn:aws:iam::123456789012:saml-provider/Shibboleth"
                    },
                    "Effect": "Allow",
                    "Condition": {
                        "StringEquals": {
                            "SAML:aud": "https://signin.aws.amazon.com/saml"
                        }
                    },
                    "Sid": ""
                }
            ]
        },
        "RoleId": "XXXXXXXXXX",
        "CreateDate": "2016-06-01T21:09:59Z",
        "RoleName": "Shibboleth-PowerUser",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/Shibboleth-PowerUser"
    }
}

# list attached policies
$ aws iam list-attached-role-policies --role-name "Shibboleth-PowerUser"
{
    "AttachedPolicies": []
}

# list inline policies
$ aws iam list-role-policies --role-name "Shibboleth-PowerUser"
{
    "PolicyNames": [
        "Shibboleth-PowerUser"
    ]
}

# get the specific inline policy
$ aws iam get-role-policy --role-name "Shibboleth-PowerUser" --policy-name "Shibboleth-PowerUser"
{
    "RoleName": "Shibboleth-PowerUser",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            /* rules omitted */
        ]
    },
    "PolicyName": "Shibboleth-PowerUser"
}
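The check proposed in the issue (no attached policies, no extra inline policies, default inline policy equal to the template), written as an added example that is not the project's code. It uses the boto3 IAM client method names; the `FakeIam` stub, its constructed responses and the `TEMPLATE` policy are assumptions so the example runs offline.

```python
import json

# Assumption: `iam` exposes boto3-style list_attached_role_policies,
# list_role_policies and get_role_policy. get-role is deliberately not
# used: its AssumeRolePolicyDocument is the trust policy, not the
# permissions policy, which is exactly the bug the issue describes.

def normalize(doc):
    """Canonical JSON for a policy document (dict or JSON string), so key
    order and whitespace differences do not produce spurious mismatches."""
    if isinstance(doc, str):
        doc = json.loads(doc)
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))

def check_managed_role(iam, role_name, template):
    """Return a list of findings for one managed role; [] means compliant."""
    findings = []
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    if attached:
        findings.append("attached policies present: "
                        + ", ".join(p["PolicyArn"] for p in attached))
    inline = iam.list_role_policies(RoleName=role_name)["PolicyNames"]
    extra = sorted(n for n in inline if n != role_name)
    if extra:
        findings.append("extra inline policies: " + ", ".join(extra))
    if role_name not in inline:
        findings.append("default inline policy missing")
        return findings
    actual = iam.get_role_policy(RoleName=role_name,
                                 PolicyName=role_name)["PolicyDocument"]
    if normalize(actual) != normalize(template):
        findings.append("default inline policy differs from template")
    return findings

class FakeIam:
    """Constructed stand-in for the boto3 IAM client (response shapes as in the issue)."""
    def __init__(self, attached, inline):
        self.attached, self.inline = attached, inline
    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": list(self.attached)}
    def list_role_policies(self, RoleName):
        return {"PolicyNames": list(self.inline)}
    def get_role_policy(self, RoleName, PolicyName):
        return {"RoleName": RoleName, "PolicyName": PolicyName,
                "PolicyDocument": self.inline[PolicyName]}

# Constructed template policy (assumption, not the project's real template).
TEMPLATE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}
```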