From 6cbd5b280acea4e8074c18b6c5b4f27703be395d Mon Sep 17 00:00:00 2001
From: Phaedra Solutions
Date: Mon, 19 Jun 2023 08:07:12 -0700
Subject: [PATCH] Revert "fix: Revert AVD-AWS-0342 policy (#1309)"
This reverts commit b5376b04a53b335467d26ab787fec669d39b0fc9.
---
 avd_docs/aws/iam/AVD-AWS-0342/docs.md | 15 ++++++++
 .../aws/iam/filter_iam_pass_role.rego | 38 +++++++++++++++++++
 .../aws/iam/filter_iam_pass_role_test.rego | 28 ++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 avd_docs/aws/iam/AVD-AWS-0342/docs.md
 create mode 100644 rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
 create mode 100644 rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
diff --git a/avd_docs/aws/iam/AVD-AWS-0342/docs.md b/avd_docs/aws/iam/AVD-AWS-0342/docs.md
new file mode 100644
index 000000000..9e3642313
--- /dev/null
+++ b/avd_docs/aws/iam/AVD-AWS-0342/docs.md
@@ -0,0 +1,15 @@
+
+In iam:PassRole the service carrying out the actions is "provided" a role by the calling principal and implicitly takes on that role to carry out the actions (instead of executing sts:AssumeRole).
+ The privileges attached to the role are distinct from those of the primary ordering the action and may even be larger and can cause security issues.
+
+
+### Impact
+Compromise on security of aws resources.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
+
+
diff --git a/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego b/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
new file mode 100644
index 000000000..cd15cd78f
--- /dev/null
+++ b/rules/cloud/policies/aws/iam/filter_iam_pass_role.rego
@@ -0,0 +1,38 @@
+# METADATA
+# title: "IAM Pass Role Filtering"
+# description: "Ensures any IAM pass role attched to roles are flagged and warned."
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
+# custom:
+# avd_id: AVD-AWS-0342
+# provider: aws
+# service: iam
+# severity: MEDIUM
+# short_code: filer-passrole-access
+# recommended_action: "Resolve permission escalations by denying pass role'"
+# input:
+# selector:
+# - type: cloud
+# subtypes:
+# - service: iam
+# provider: aws
+package builtin.aws.iam.aws0342
+
+allows_permission(statements, permission, effect) {
+ statement := statements[_]
+ statement.Effect == effect
+ action = statement.Action[_]
+ action == permission
+}
+
+deny[res] {
+ policy := input.aws.iam.policies[_]
+ value = json.unmarshal(policy.document.value)
+ statements = value.Statement
+ not allows_permission(statements, "iam:PassRole", "Deny")
+ allows_permission(statements, "iam:PassRole", "Allow")
+ res = result.new("IAM policy allows 'iam:PassRole' action", policy.document)
+}
diff --git a/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego b/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
new file mode 100644
index 000000000..57fd58239
--- /dev/null
+++ b/rules/cloud/policies/aws/iam/filter_iam_pass_role_test.rego
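Review bot: `allows_permission` only matches when `statement.Action` is a JSON array, because `action = statement.Action[_]` is undefined when `Action` is a plain string, a form IAM accepts (`"Action": "iam:PassRole"`), so such a policy yields no finding. Wildcard actions (`iam:*`, `*`) are likewise never matched by the exact `action == permission` comparison, so as written the rule only catches the literal array form; if that is intended, the title and description should say so. Separately, `not allows_permission(statements, "iam:PassRole", "Deny")` suppresses the finding whenever any Deny statement names the action, without comparing Resource or Condition, so a narrowly scoped Deny appears to mask a broad Allow in the same document; worth confirming that is the intended semantics. The description also misspells "attached" as `attched`. A second rule body covering the string form of `Action` is below.
```rego
allows_permission(statements, permission, effect) {
	statement := statements[_]
	statement.Effect == effect
	is_array(statement.Action)
	action := statement.Action[_]
	action == permission
}

# Same check for the single-string form of Action.
allows_permission(statements, permission, effect) {
	statement := statements[_]
	statement.Effect == effect
	is_string(statement.Action)
	statement.Action == permission
}

# … unchanged: deny rule …
```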
@@ -0,0 +1,28 @@
+package builtin.aws.iam.aws0342
+
+test_with_allow_iam_pass_role {
+ policies := [{
+ "name": "policy_with_iam_pass_role",
+ "document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
+ }]
+ r := deny with input as {"aws": {"iam": {"policies": policies}}}
+ count(r) == 1
+}
+
+test_with_deny_iam_pass_role {
+ policies := [{
+ "name": "policy_with_iam_pass_role",
+ "document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Deny\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
+ }]
+ r := deny with input as {"aws": {"iam": {"policies": policies}}}
+ count(r) == 0
+}
+
+test_with_no_iam_pass_role {
+ policies := [{
+ "name": "policy_without_iam_pass_role",
+ "document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"s3:GetObject\"],\"NotAction\":null,\"Resource\":[\"arn:aws:s3:::examplebucket/*\"],\"NotResource\":null,\"Condition\":{}}]}"},
+ }]
+ r := deny with input as {"aws": {"iam": {"policies": policies}}}
+ count(r) == 0
+}
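Review bot: The three cases only exercise the array form of `Action` with a single statement per document, so the rule's handling of a string-valued `Action`, of wildcard actions such as `iam:*`, and of a document that contains both an Allow and a Deny statement for `iam:PassRole` is untested; one test per case would pin whichever behaviour is intended. Each is one more `policies` fixture plus a `count(r) == N` assertion in the shape the file already uses. The fixture ARNs also carry a twelve-digit account id that reads like a real account; AWS documentation uses `123456789012` in examples and it would serve the same purpose here.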