From b5376b04a53b335467d26ab787fec669d39b0fc9 Mon Sep 17 00:00:00 2001
From: simar7 <1254783+simar7@users.noreply.github.com>
Date: Sat, 6 May 2023 23:23:23 -0600
Subject: [PATCH] fix: Revert AVD-AWS-0342 policy (#1309)
* Revert "Added logic to also check statement effect (#1287)"
This reverts commit 8b5e8323bb56f01e4914f30132cf257db7447cef.
* Revert "filter iam pass role in policy document to prevent privilege escalations (#1259)"
This reverts commit 3514e46bbe1a251897152d1c1d2b82017ceb037b.
---
 avd_docs/aws/iam/AVD-AWS-0342/docs.md | 15 --------
 .../aws/iam/filter_iam_pass_role.rego | 38 -------------------
 .../aws/iam/filter_iam_pass_role_test.rego | 28 --------------
 3 files changed, 81 deletions(-)
 delete mode 100644 avd_docs/aws/iam/AVD-AWS-0342/docs.md
 delete mode 100644 rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
 delete mode 100644 rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
diff --git a/avd_docs/aws/iam/AVD-AWS-0342/docs.md b/avd_docs/aws/iam/AVD-AWS-0342/docs.md
deleted file mode 100644
index 9e3642313..000000000
--- a/avd_docs/aws/iam/AVD-AWS-0342/docs.md
+++ /dev/null
@@ -1,15 +0,0 @@ - -In iam:PassRole the service carrying out the actions is "provided" a role by the calling principal and implicitly takes on that role to carry out the actions (instead of executing sts:AssumeRole). - The privileges attached to the role are distinct from those of the primary ordering the action and may even be larger and can cause security issues. - - -### Impact -Compromise on security of aws resources. - - {{ remediationActions }} - -### Links -- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html - -
diff --git a/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego b/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
deleted file mode 100644
index cd15cd78f..000000000
--- a/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
+++ /dev/null
@@ -1,38 +0,0 @@
-# METADATA
-# title: "IAM Pass Role Filtering"
-# description: "Ensures any IAM pass role attched to roles are flagged and warned."
-# scope: package
-# schemas:
-# - input: schema["cloud"]
-# related_resources:
-# - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
-# custom:
-# avd_id: AVD-AWS-0342
-# provider: aws
-# service: iam
-# severity: MEDIUM
-# short_code: filer-passrole-access
-# recommended_action: "Resolve permission escalations by denying pass role'"
-# input:
-# selector:
-# - type: cloud
-# subtypes:
-# - service: iam
-# provider: aws
-package builtin.aws.iam.aws0342
-
-allows_permission(statements, permission, effect) {
- statement := statements[_]
- statement.Effect == effect
- action = statement.Action[_]
- action == permission
-}
-
-deny[res] {
- policy := input.aws.iam.policies[_]
- value = json.unmarshal(policy.document.value)
- statements = value.Statement
- not allows_permission(statements, "iam:PassRole", "Deny")
- allows_permission(statements, "iam:PassRole", "Allow")
- res = result.new("IAM policy allows 'iam:PassRole' action", policy.document)
-}
diff --git a/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego b/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
deleted file mode 100644
index 57fd58239..000000000
--- a/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
+++ /dev/null
@@ -1,28 +0,0 @@
-package builtin.aws.iam.aws0342
-
-test_with_allow_iam_pass_role {
-    policies := [{
-        "name": "policy_with_iam_pass_role",
-        "document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
-    }]
-    r := deny with input as {"aws": {"iam": {"policies": policies}}}
-    count(r) == 1
-}
-
-test_with_deny_iam_pass_role {
-    policies := [{
-        "name": "policy_with_iam_pass_role",
-        "document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Deny\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
-    }]
-    r := deny with input as {"aws": {"iam": {"policies": policies}}}
-    count(r) == 0
-}
-
-test_with_no_iam_pass_role {
-    policies := [{
-        "name": "policy_without_iam_pass_role",
-        "document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"s3:GetObject\"],\"NotAction\":null,\"Resource\":[\"arn:aws:s3:::examplebucket/*\"],\"NotResource\":null,\"Condition\":{}}]}"},
-    }]
-    r := deny with input as {"aws": {"iam": {"policies": policies}}}
-    count(r) == 0
-}