aquasecurity · simar7 · Jun 20, 2023 · Jun 19, 2023
@@ -0,0 +1,15 @@
+
+In iam:PassRole the service carrying out the actions is "provided" a role by the calling principal and implicitly takes on that role to carry out the actions (instead of executing sts:AssumeRole).
+       The privileges attached to the role are distinct from those of the primary ordering the action and may even be larger and can cause security issues.
+
+
+### Impact
+Compromise on security of aws resources.
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
+
+
@@ -0,0 +1,38 @@
+# METADATA
+# title: "IAM Pass Role Filtering"
+# description: "Ensures any IAM pass role attched to roles are flagged and warned."
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html 
+# custom:
+#   avd_id: AVD-AWS-0342
+#   provider: aws
+#   service: iam
+#   severity: MEDIUM
+#   short_code: filer-passrole-access
+#   recommended_action: "Resolve permission escalations by denying pass role'"
+#   input:
+#     selector:
+#     - type: cloud
+#       subtypes:
+#         - service: iam
+#           provider: aws
+package builtin.aws.iam.aws0342
+
+allows_permission(statements, permission, effect) {
+	statement := statements[_]
+	statement.Effect == effect
+	action = statement.Action[_]
+	action == permission
+}
+
+deny[res] {
+	policy := input.aws.iam.policies[_]
+	value = json.unmarshal(policy.document.value)
+	statements = value.Statement
+	not allows_permission(statements, "iam:PassRole", "Deny")
+	allows_permission(statements, "iam:PassRole", "Allow")
+	res = result.new("IAM policy allows 'iam:PassRole' action", policy.document)
+}
@@ -0,0 +1,28 @@
+package builtin.aws.iam.aws0342
+
+test_with_allow_iam_pass_role {
+	policies := [{
+		"name": "policy_with_iam_pass_role",
+		"document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
+	}]
+	r := deny with input as {"aws": {"iam": {"policies": policies}}}
+	count(r) == 1
+}
+
+test_with_deny_iam_pass_role {
+	policies := [{
+		"name": "policy_with_iam_pass_role",
+		"document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Deny\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"iam:PassRole\"],\"NotAction\":null,\"Resource\":[\"arn:aws:iam::193063503752:role/atc-node\"],\"NotResource\":null,\"Condition\":{}}]}"},
+	}]
+	r := deny with input as {"aws": {"iam": {"policies": policies}}}
+	count(r) == 0
+}
+
+test_with_no_iam_pass_role {
+	policies := [{
+		"name": "policy_without_iam_pass_role",
+		"document": {"value": "{\"Version\":\"2012-10-17\",\"Id\":\"\",\"Statement\":[{\"Sid\":\"\",\"Effect\":\"Allow\",\"Principal\":{},\"NotPrincipal\":{},\"Action\":[\"s3:GetObject\"],\"NotAction\":null,\"Resource\":[\"arn:aws:s3:::examplebucket/*\"],\"NotResource\":null,\"Condition\":{}}]}"},
+	}]
+	r := deny with input as {"aws": {"iam": {"policies": policies}}}
+	count(r) == 0
+}