Added logic to also check statement effect (#1287)

* Added logic to also check statement effect * Update rules/cloud/policies/aws/iam/filter_iam_pass_role.rego * changing spaces to tabs for linting --------- Co-authored-by: M-Akhtar <[email protected]> Co-authored-by: Gio Rodriguez <[email protected]>
aquasecurity · Apr 21, 2023 · 8b5e832 · 8b5e832
1 parent ff5de60
commit 8b5e832
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego b/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
@@ -21,9 +21,18 @@
 #           provider: aws
 package builtin.aws.iam.aws0342
 
+allows_permission(statements, permission, effect) {
+	statement := statements[_]
+	statement.Effect == effect
+	action = statement.Action[_]
+	action == permission
+}
+
 deny[res] {
 	policy := input.aws.iam.policies[_]
-	action := policy.document.value
-	contains(action, "iam:PassRole")
-	res = result.new("Warning: 'iam:PassRole' action is present in policy", policy.document)
+	value = json.unmarshal(policy.document.value)
+	statements = value.Statement
+	not allows_permission(statements, "iam:PassRole", "Deny")
+	allows_permission(statements, "iam:PassRole", "Allow")
+	res = result.new("IAM policy allows 'iam:PassRole' action", policy.document)
 }
diff --git a/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego b/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
@@ -1,6 +1,6 @@
 package builtin.aws.iam.aws0342
 
-test_with_iam_pass_role {
+test_with_allow_iam_pass_role {
 	policies := [{
 		"name": "policy_with_iam_pass_role",
 		"document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
@@ -9,6 +9,15 @@ test_with_iam_pass_role {
 	count(r) == 1
 }
 
+test_with_deny_iam_pass_role {
+	policies := [{
+		"name": "policy_with_iam_pass_role",
+		"document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Deny\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
+	}]
+	r := deny with input as {"aws": {"iam": {"policies": policies}}}
+	count(r) == 0
+}
+
 test_with_no_iam_pass_role {
 	policies := [{
 		"name": "policy_without_iam_pass_role",