diff --git a/assets/libraries/common.rego b/assets/libraries/common.rego
index adb594e96c8..1020eae3bd9 100644
--- a/assets/libraries/common.rego
+++ b/assets/libraries/common.rego
@@ -541,3 +541,125 @@ is_aws_ebs_optimized_by_default(instanceType) {
 inArray(data.common_lib.aws_ebs_optimized_by_default, instanceType)
 }
+get_group_from_policy_attachment(attachment) = group {
+ group := split(attachment.groups[_], ".")[1]
+} else = group {
+ group := split(attachment.group, ".")[1]
+}
+
+get_role_from_policy_attachment(attachment) = role {
+ role := split(attachment.roles[_], ".")[1]
+} else = role {
+ role := split(attachment.role, ".")[1]
+}
+
+get_user_from_policy_attachment(attachment) = user {
+ user := split(attachment.users[_], ".")[1]
+} else = user {
+ user := split(attachment.user, ".")[1]
+}
+
+unrecommended_permission_policy(resourcePolicy, permission) {
+ policy := json_unmarshal(resourcePolicy.policy)
+
+ st := get_statement(policy)
+ statement := st[_]
+
+ is_allow_effect(statement)
+
+ equalsOrInArray(statement.Resource, "*")
+ equalsOrInArray(statement.Action, lower(permission))
+}
+
+group_unrecommended_permission_policy_scenarios(targetGroup, permission) {
+ # get the IAM group policy
+ groupPolicy := input.document[_].resource.aws_iam_group_policy[_]
+
+ # get the group referenced in IAM group policy and confirm it is the target group
+ group := split(groupPolicy.group, ".")[1]
+ group == targetGroup
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(groupPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_group_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the group referenced in IAM policy attachment and confirm it is the target group
+ group := get_group_from_policy_attachment(attachment)
+ group == targetGroup
+
+ # confirm that policy associated is unrecommended
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
+role_unrecommended_permission_policy_scenarios(targetRole, permission) {
+ # get the IAM role policy
+ rolePolicy := input.document[_].resource.aws_iam_role_policy[_]
+
+ # get the role referenced in IAM role policy and confirm it is the target role
+ role := split(rolePolicy.role, ".")[1]
+ role == targetRole
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(rolePolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_role_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the role referenced in IAM policy attachment and confirm it is the target role
+ role := get_role_from_policy_attachment(attachment)
+ role == targetRole
+
+ # confirm that policy associated is unrecommended
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
+
+user_unrecommended_permission_policy_scenarios(targetUser, permission) {
+ # get the IAM user policy
+ userPolicy := input.document[_].resource.aws_iam_user_policy[_]
+
+ # get the user referenced in IAM user policy and confirm it is the target user
+ user := split(userPolicy.user, ".")[1]
+ user == targetUser
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(userPolicy, permission)
+} else {
+
+ # find attachment
+ attachments := {"aws_iam_policy_attachment", "aws_iam_user_policy_attachment"}
+ attachment := input.document[_].resource[attachments[_]][_]
+
+ # get the user referenced in IAM policy attachment and confirm it is the target user
+ user := get_user_from_policy_attachment(attachment)
+ user == targetUser
+
+ # confirm that policy associated is unrecommended
+ policy := split(attachment.policy_arn, ".")[1]
+
+ policies := {"aws_iam_role_policy", "aws_iam_user_policy", "aws_iam_group_policy", "aws_iam_policy"}
+ resourcePolicy := input.document[_].resource[policies[_]][policy]
+
+ # verify that the policy is unrecommended
+ unrecommended_permission_policy(resourcePolicy, permission)
+
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..2d6cc1ec5b1
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "8f3c16b3-354d-45db-8ad5-5066778a9485",
+ "queryName": "Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "10f17e18",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
new file mode 100644
index 00000000000..7248a22fa9f
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
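Review bot: `unrecommended_permission_policy` compares `statement.Action` against the exact string `lower(permission)`, so a statement that grants `"*"`, `"iam:*"` or `"iam:Attach*"` on `Resource: "*"` — which confers the same escalation — is not caught by any query built on this helper, unless `equalsOrInArray` (defined outside this hunk) already expands globs; a glob-aware comparison via Rego's `glob.match` against each element of `statement.Action` would close that gap. The attachment branches have a second silent miss: `split(attachment.policy_arn, ".")[1]` only resolves a Terraform reference such as `aws_iam_policy.foo.arn`, so a literal managed-policy ARN like `arn:aws:iam::aws:policy/AdministratorAccess` has no index 1 and the rule is simply undefined, and the same holds for `split(groupPolicy.group, ".")[1]` when `group` is a literal name or a `var.*` reference. That limitation should at least be stated in a header comment on the three `get_*_from_policy_attachment` helpers, e.g. `# Resolves only <type>.<label>.<attr> Terraform references; literal names/ARNs yield undefined and are not flagged`. Finally, `lower(permission)` is compared against the un-lowered policy action while the positive fixtures use mixed case (`glue:UpdateDevEndpoint`), so the match only works if `equalsOrInArray` is case-insensitive — worth confirming and recording in a comment next to that line.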
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:UpdateDevEndpoint")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
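Review bot: The finding is reported on the `aws_iam_group` resource (`searchKey` and `searchLine` both point at `targetGroup`) while the offending `Action`/`Resource` lives in an `aws_iam_group_policy` or an attached `aws_iam_policy` that may sit in a different file, because `group_unrecommended_permission_policy_scenarios` walks `input.document[_]` whereas `documentId` is taken from `input.document[i]`; a remediator is therefore sent to the group definition rather than to the statement that needs scoping. If that is intentional (one finding per group however many policies offend), say so in a header comment on `CxPolicy`, e.g. `# Reports on the group, not the policy: the offending statement may live in another document`. The rule body also carries two consecutive blank lines before `result := {`; one is enough, and the same layout is copied into the other six query.rego files in this commit.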
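Review bot: The negative fixture contains no `aws_iam_group` at all (only a user with `ec2:Describe*`), so it cannot show that a group whose policy is properly scoped is left alone, and a regression that flags every group would still pass this test. Add an `aws_iam_group` with an `aws_iam_group_policy` that grants `glue:UpdateDevEndpoint` on a specific dev-endpoint ARN instead of `"*"`, and a second case where the group's policy carries a different action, so both conditions of `unrecommended_permission_policy` are exercised on the negative side. The same file is reused verbatim (identical blob `4977af6ebd8`) for the other six group queries in this commit and has the same gap there.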
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..afc00fbf03c
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:UpdateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..767d9dbbb2a
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
new file mode 100644
index 00000000000..7d9f988341a
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "970ed7a2-0aca-4425-acf1-0453c9ecbca1",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AddUserToGroup'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "576ba016",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
new file mode 100644
index 00000000000..7833a7a162d
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AddUserToGroup")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
new file mode 100644
index 00000000000..6f8e37d38f9
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AddUserToGroup",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
new file mode 100644
index 00000000000..dca2ecc1114
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AddUserToGroup'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
new file mode 100644
index 00000000000..b08ee0642f3
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "70b42736-efee-4bce-80d5-50358ed94990",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "e42aec0c",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
new file mode 100644
index 00000000000..782cb7b2e03
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
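Review bot: `iam:AttachGroupPolicy` on `Resource: "*"` lets any member of the group attach the AWS-managed `AdministratorAccess` policy to that same group in a single API call — a direct, one-step path to full account control — so `"severity": "MEDIUM"` reads low; if this project's scale reserves HIGH for direct escalation, this entry (and the `iam:AttachUserPolicy` / `iam:AttachRolePolicy` entries added alongside it) should probably be HIGH. `descriptionText` could also say what the group can actually do rather than repeating the query name, e.g. `Group can attach arbitrary managed policies, including AdministratorAccess, to itself or to other groups` before the reference link. Note too that `descriptionUrl` points only at `iam_group_policy#policy`, although the shared helper in common.rego also flags groups reached through `aws_iam_group_policy_attachment` and `aws_iam_policy_attachment`.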
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM group + group := input.document[i].resource.aws_iam_group[targetGroup] + + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachGroupPolicy") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf new file mode 100644 index 00000000000..1165d914a6a --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf @@ -0,0 +1,23 @@ +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachGroupPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..3c3fd030c44 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json new file mode 100644 index 00000000000..a8b182da843 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json 
@@ -0,0 +1,11 @@ +{ + "id": "3dd96caa-0b5f-4a85-b929-acfac4646cc2", + "queryName": "Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", + "platform": "Terraform", + "descriptionID": "5e39f36b", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego new file mode 100644 index 00000000000..c0d588c3c4c --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego 
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM group + group := input.document[i].resource.aws_iam_group[targetGroup] + + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachRolePolicy") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf new file mode 100644 index 00000000000..85e037dc0c4 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf @@ -0,0 +1,22 @@ +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..1e87698084e --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json new file mode 100644 index 00000000000..08ee41d46b6 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json 
@@ -0,0 +1,11 @@ +{ + "id": "db78d14b-10e5-4e6e-84b1-dace6327b1ec", + "queryName": "Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", + "platform": "Terraform", + "descriptionID": "25a0ad8b", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego new file mode 100644 index 00000000000..a31676e6544 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego 
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM group + group := input.document[i].resource.aws_iam_group[targetGroup] + + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:AttachUserPolicy") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf new file mode 100644 index 00000000000..8fab90734f2 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachUserPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..528dfaa32ea --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json new file mode 100644 index 00000000000..b20a91fef32 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json 
@@ -0,0 +1,11 @@ +{ + "id": "846646e3-2af1-428c-ac5d-271eccfa6faf", + "queryName": "Group With Privilege Escalation By Actions 'iam:CreateAccessKey'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy", + "platform": "Terraform", + "descriptionID": "5182dbde", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego new file mode 100644 index 00000000000..0678aed1724 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego 
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM group + group := input.document[i].resource.aws_iam_group[targetGroup] + + common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateAccessKey") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_group", + "resourceName": tf_lib.get_resource_name(group, targetGroup), + "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetGroup]), + "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetGroup]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []), + } +} diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf new file mode 100644 index 00000000000..4a07b39ef11 --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf @@ -0,0 +1,23 @@ +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreateAccessKey", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json new file mode 100644 index 00000000000..96eba745bcc --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "Group With Privilege Escalation By Actions 'iam:CreateAccessKey'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json new file mode 100644 index 00000000000..63a62419fde --- /dev/null +++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "04c686f1-e0cd-4812-88e1-4e038410074c",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "13604723",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
new file mode 100644
index 00000000000..97eabcf6c74
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreateLoginProfile")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
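Review bot: The finding is anchored entirely on the group — `searchKey`, `searchLine` and both message strings name only `targetGroup` — so the reported line is the `aws_iam_group` block and the user is never told which `aws_iam_group_policy` or attached `aws_iam_policy` carries the `iam:CreateLoginProfile` grant, which in a file with several attached policies is the thing they have to edit. If the helper can be made to return the matching policy's key, put it in the message, e.g. `"keyActualValue": sprintf("group %s is associated with policy %s that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetGroup, policyName])`; otherwise add a comment above `result := {` stating that the finding is reported on the group, not on the offending policy, so CI annotations are understood to land one resource away from the fix.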
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
new file mode 100644
index 00000000000..7f2ea9300b6
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..423c580bd76
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
new file mode 100644
index 00000000000..f2da59ecb59
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "ec49cbfd-fae4-45f3-81b1-860526d66e3f",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "04f8f6ca",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
new file mode 100644
index 00000000000..bc57a9aa926
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
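Review bot: `"severity": "MEDIUM"` understates this one: `iam:CreatePolicyVersion` on `Resource "*"` lets any member of the group create a new default version of any customer-managed policy — including one already attached to their own group — containing `"Action": "*"`, i.e. a single API call to full administrative access with no second permission required, which is why the cited Rhino write-up treats it as a standalone method. Unless the project deliberately pins every privilege-escalation query to MEDIUM, consider `"severity": "HIGH"` here; the same reasoning applies to the other single-action IAM queries in this change (`iam:PutGroupPolicy`, `iam:PutRolePolicy`) that likewise need no companion permission.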
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:CreatePolicyVersion")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
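Review bot: The check is Allow-only: the `common_lib.group_unrecommended_permission_policy_scenarios(...)` line succeeds as soon as one Allow statement grants `iam:CreatePolicyVersion` on `*`, and — as far as I can see from the helper — nothing looks for an explicit `Deny` of the same action in another statement or attached policy, so a group carrying a broad Allow plus a targeted Deny (a common guardrail pattern) is reported identically to one with no Deny. That is a defensible trade-off for static analysis, but it should be stated so triage knows to check for Denies before dismissing or acting on the finding, e.g. a comment above the call: `# Only Allow statements are evaluated; an explicit Deny elsewhere on the group does not suppress this finding.`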
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
new file mode 100644
index 00000000000..7752dd96fb0
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreatePolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..b08389ad245
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
new file mode 100644
index 00000000000..f77d0c8fedc
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "9b0ffadc-a61f-4c2a-b1e6-68fab60f6267",
+ "queryName": "Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "b02d4e3c",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
new file mode 100644
index 00000000000..04a082a0ff9
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "cloudformation:CreateStack")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
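Review bot: The two helper calls bind independently, so the pair is satisfied when `cloudformation:CreateStack` and `iam:PassRole` come from two different policies attached to the same group (the positive fixture relies on exactly that), which is correct for IAM's union semantics — but both result strings say the group is associated with "a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole'", which reads as a single policy and will send triage looking for a statement that does not exist when the grants are split across resources. Reword the messages to match the check, e.g. `"keyActualValue": sprintf("group %s is granted both 'cloudformation:CreateStack' and 'iam:PassRole' on Resource '*' through its inline or attached policies", [targetGroup])`, with the same change to `keyExpectedValue`, and add a comment above the first call: `# Both permissions must be granted somewhere in the group's policies; they need not be in the same policy or statement.`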
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
new file mode 100644
index 00000000000..b5ba1fa0a56
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
@@ -0,0 +1,47 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "cloudformation:CreateStack",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ groups = [aws_iam_group.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
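Review bot: The negative fixture has no `aws_iam_group`, so it never demonstrates the property that matters for a two-permission query — that a group holding only one of `cloudformation:CreateStack` / `iam:PassRole` is not reported; a regression that dropped one of the two helper calls would still pass both fixtures. Add a group granted `iam:PassRole` on `*` but not `cloudformation:CreateStack` (and ideally the reverse as a second group) alongside the existing user:
```hcl
resource "aws_iam_group" "cosmic" {
  name = "cosmic"
}

resource "aws_iam_group_policy" "passrole_only" {
  name  = "passrole_only"
  group = aws_iam_group.cosmic.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["iam:PassRole"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
```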
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
new file mode 100644
index 00000000000..e012e5db9e4
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
new file mode 100644
index 00000000000..5984e33c9b8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "15e6ad8c-f420-49a6-bafb-074f5eb1ec74",
+ "queryName": "Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "e6e9e8eb",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
new file mode 100644
index 00000000000..bd8a7447e68
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "ec2:RunInstances")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
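Review bot: Both actions are required on the literal `Resource "*"`, but the realistic shape of this escalation is `ec2:RunInstances` on `*` together with `iam:PassRole` scoped to a role ARN (`arn:aws:iam::<account>:role/*` or one privileged role) — that still yields the full permissions of the passed role from the instance's metadata endpoint and is not reported here. The query name scopes it to `*`, so this may be intentional, but it should be written into the file so nobody reads a clean scan as coverage: `# Limitation: iam:PassRole is only matched on Resource "*"; PassRole scoped to a role ARN combined with ec2:RunInstances is not reported by this query.`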
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
new file mode 100644
index 00000000000..ad6cc30fdc9
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
@@ -0,0 +1,47 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:RunInstances",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ groups = [aws_iam_group.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
new file mode 100644
index 00000000000..e269c9d79e7
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..cd3d066d7eb
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "7d544dad-8a6c-431c-84c1-5f07fe9afc0e",
+ "queryName": "Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "59598729",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
new file mode 100644
index 00000000000..3dcd89bf2b7
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "glue:CreateDevEndpoint")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
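Review bot: Style: the comment `# get a AWS IAM group` (a/an) and the double blank line before `result := {` are copied verbatim into every one of the nine new queries, which are otherwise identical templates differing only in the permission strings — fix the template once (`# get an AWS IAM group`) before it propagates further. The two helper calls also carry no comment explaining that they form a conjunction, so a reader skimming the file could take the second for a leftover duplicate; one line above them such as `# both grants are required: PassRole hands a privileged role to the Glue dev endpoint created with the first permission` would make the intent self-evident.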
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..137004a85fd
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
@@ -0,0 +1,47 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:CreateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ groups = [aws_iam_group.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..03396830fe3
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
new file mode 100644
index 00000000000..d6fe3ecaaa4
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "034d0aee-620f-4bf7-b7fb-efdf661fdb9e",
+ "queryName": "Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "2a7afde0",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego
new file mode 100644
index 00000000000..ca749a0ea74
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego
@@ -0,0 +1,26 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:CreateFunction")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PassRole")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:InvokeFunction")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf
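Review bot: Missing documentation: nothing in the file explains why these three permissions together are dangerous, and the combination is not obvious to someone triaging the finding — the Rhino URL lives only in metadata.json and is not visible from the rego. A header comment above `CxPolicy[result] {` describing the chain would make the result self-explanatory: `iam:PassRole` hands a privileged role to a new function, `lambda:CreateFunction` deploys attacker-controlled code under that role, and `lambda:InvokeFunction` runs it. It is also worth noting in that comment that `lambda:InvokeFunction` is arguably the weakest link of the three — a function can be triggered through other event sources — so a group holding only the first two permissions is still exposed but is deliberately not reported by this query.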
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf
new file mode 100644
index 00000000000..e94dde5adad
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf
@@ -0,0 +1,48 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:CreateFunction",
+ "lambda:InvokeFunction"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ groups = [aws_iam_group.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json
new file mode 100644
index 00000000000..3a5cbe039fe
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
new file mode 100644
index 00000000000..d0354ecc9f6
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "e77c89f6-9c85-49ea-b95b-5f960fe5be92",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "6ee8a28a",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
new file mode 100644
index 00000000000..549ac5911c5
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutGroupPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
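Review bot: `iam:PutGroupPolicy` on `*` is the self-escalation case — any member can write an arbitrary inline policy onto the very group they belong to — but its managed-policy twin `iam:AttachGroupPolicy` reaches the same end state with one call and is not covered by any query visible in this change; if it is not handled elsewhere in the PR it deserves the same treatment, as do the Attach* siblings of the other Put*Policy queries. Within this file the check is fine; I would only add a why-comment above the helper call so the finding is understood as self-escalation rather than a generic over-permission: `# A member of this group can put an arbitrary inline policy on the group itself (or on any other group).`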
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf
new file mode 100644
index 00000000000..519b60c37aa
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..e9e97ad162b
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
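Review bot: The negative fixture declares only an `aws_iam_user` with an `aws_iam_user_policy` and no `aws_iam_group`, so the query's iteration over `aws_iam_group` never runs against it and the negative test passes trivially; it does not show that a group holding a benign policy is left unreported. A second negative with a group whose `aws_iam_group_policy` allows only `ec2:Describe*`, or allows the flagged action on a specific resource rather than `*`, would exercise the matching path. The same fixture (index 4977af6ebd8) is reused for every other negative1.tf in this change, including the role query, where the point applies equally. A group-based negative built from values already in this change could look like the following.
```hcl
resource "aws_iam_group" "cosmic" {
  name = "cosmic"
}

resource "aws_iam_group_policy" "test_inline_policy" {
  name  = "test_inline_policy"
  group = aws_iam_group.cosmic.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["ec2:Describe*"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
```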
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
new file mode 100644
index 00000000000..6f1fcbbe40d
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "c0c1e744-0f37-445e-924a-1846f0839f69",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "3a6914a5",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
new file mode 100644
index 00000000000..1c11809930a
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutRolePolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
new file mode 100644
index 00000000000..f1afa71ac68
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..a989eecfd2a
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
new file mode 100644
index 00000000000..d6e76815c71
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "60263b4a-6801-4587-911d-919c37ed733b",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "fdfe7031",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
new file mode 100644
index 00000000000..ffc2f2c2c7b
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:PutUserPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
new file mode 100644
index 00000000000..9c8127ef341
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..490028dfcbc
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
new file mode 100644
index 00000000000..1e9d44bfc7f
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "7782d4b3-e23e-432b-9742-d9528432e771",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "2be560bc",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
new file mode 100644
index 00000000000..25de71b0662
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:SetDefaultPolicyVersion")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
new file mode 100644
index 00000000000..8ecedfb5e21
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:SetDefaultPolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..891da8391d0
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
new file mode 100644
index 00000000000..309b76a97d3
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "78f1ec6f-5659-41ea-bd48-d0a142dce4f2",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "7fec1740",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
new file mode 100644
index 00000000000..8f4966c509d
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateAssumeRolePolicy")
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "sts:AssumeRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
new file mode 100644
index 00000000000..630fdb6522a
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
@@ -0,0 +1,47 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateAssumeRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ groups = [aws_iam_group.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "sts:AssumeRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
new file mode 100644
index 00000000000..d94146558e8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
new file mode 100644
index 00000000000..23616a2faa7
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "ad296c0d-8131-4d6b-b030-1b0e73a99ad3",
+ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "06985b1b",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
new file mode 100644
index 00000000000..461ff8ab842
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "iam:UpdateLoginProfile")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
new file mode 100644
index 00000000000..7d10cbd0dcc
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..550cd399885
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
new file mode 100644
index 00000000000..1c1aa0148cc
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "571254d8-aa6a-432e-9725-535d3ef04d69",
+ "queryName": "Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "1a80fe5c",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
new file mode 100644
index 00000000000..4eeaa99e44b
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM group
+ group := input.document[i].resource.aws_iam_group[targetGroup]
+
+ common_lib.group_unrecommended_permission_policy_scenarios(targetGroup, "lambda:UpdateFunctionCode")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_group",
+ "resourceName": tf_lib.get_resource_name(group, targetGroup),
+ "searchKey": sprintf("aws_iam_group[%s]", [targetGroup]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("group %s is not associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetGroup]),
+ "keyActualValue": sprintf("group %s is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetGroup]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_group", targetGroup], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
new file mode 100644
index 00000000000..408b2c82b85
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:UpdateFunctionCode",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
new file mode 100644
index 00000000000..87b739574ab
--- /dev/null
+++ b/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..c7d38a2fc23
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "eda48c88-2b7d-4e34-b6ca-04c0194aee17",
+ "queryName": "Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "bff18777",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
new file mode 100644
index 00000000000..56b15fb0bef
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:UpdateDevEndpoint")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
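Review bot: The action is matched as the literal string `"glue:UpdateDevEndpoint"` handed to `common_lib.role_unrecommended_permission_policy_scenarios`, so a role policy that grants the same capability through `glue:*` or `*` with `Resource = "*"` would presumably not be reported unless the library helper (outside this hunk) expands wildcards; a positive fixture with `Action = ["glue:*"]` would pin that behaviour either way. The same applies to the sibling query.rego hunks for iam_AddUserToGroup, iam_AttachGroupPolicy, iam_AttachRolePolicy, iam_AttachUserPolicy, iam_CreateAccessKey, iam_CreateLoginProfile and iam_CreatePolicyVersion. The finding is anchored on `aws_iam_role[%s]` via searchKey and searchLine rather than on the policy statement that grants the action, which is why the expected-result fixtures report `"line": 1`; pointing at the offending `aws_iam_role_policy` statement would make remediation more direct. Minor style: `# get a AWS IAM role` should read `# get an AWS IAM role`, and the doubled blank line before `result := {` can be collapsed to one.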
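Review bot: negative1.tf never declares an `aws_iam_role`, so the query cannot match regardless of the policy content and this negative case does not show that the query discriminates; the case that should stay silent is a role whose inline policy grants `glue:UpdateDevEndpoint` on a specific resource ARN (or an unrelated action). The same fixture is reused verbatim for the other role queries in this commit (iam_AddUserToGroup, iam_AttachGroupPolicy, iam_AttachRolePolicy, iam_AttachUserPolicy, iam_CreateAccessKey, iam_CreateLoginProfile, iam_CreatePolicyVersion), so each of those negative tests has the same gap. A minimal rewrite of the fixture that exercises the role path is below.
```hcl
resource "aws_iam_role" "cosmic2" {
  name = "cosmic2"
}

resource "aws_iam_role_policy" "scoped_inline_policy" {
  name = "scoped_inline_policy"
  role = aws_iam_role.cosmic2.name
  # … unchanged: policy = jsonencode({ Version = "2012-10-17", Statement = [ { …
          Action   = ["glue:UpdateDevEndpoint"]
          Effect   = "Allow"
          Resource = "arn:aws:glue:<REGION>:<ACCOUNT_ID>:devEndpoint/<NAME>" # placeholder ARN; any non-"*" resource
  # … unchanged: closing of Statement / jsonencode …
}
```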
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..18df0aeb618
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:UpdateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..b9701be2aa2
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
new file mode 100644
index 00000000000..d7a44efd71b
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "b8a31292-509d-4b61-bc40-13b167db7e9c",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AddUserToGroup'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "058bc100",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
new file mode 100644
index 00000000000..58198360fa3
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AddUserToGroup")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
new file mode 100644
index 00000000000..d858fc83c92
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AddUserToGroup",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
new file mode 100644
index 00000000000..87e158ac96f
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AddUserToGroup'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
new file mode 100644
index 00000000000..9fa743550b3
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "f906113d-cdc0-415a-ba60-609cc6daaf4d",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "54b22492",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
new file mode 100644
index 00000000000..9a8922ee8df
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachGroupPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf
new file mode 100644
index 00000000000..17065aa9bf9
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf
@@ -0,0 +1,24 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AttachGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..a5ef5c51455
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
new file mode 100644
index 00000000000..bf7518ffdb8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "f465fff1-0a0f-457d-aa4d-1bddb6f204ff",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "aaf96d6e",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
new file mode 100644
index 00000000000..ddd7a711e60
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachRolePolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf
new file mode 100644
index 00000000000..2cacd60b923
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AttachRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..778b7cad94f
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
new file mode 100644
index 00000000000..335bf7a690c
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "7c96920c-6fd0-449d-9a52-0aa431b6beaf",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "4efcf3e9",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
new file mode 100644
index 00000000000..7a6e0880990
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:AttachUserPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf
new file mode 100644
index 00000000000..80aa241f409
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:AttachUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..235e2957902
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
new file mode 100644
index 00000000000..7d6e098c1ae
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "5b4d4aee-ac94-4810-9611-833636e5916d",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateAccessKey'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "0d94441c",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
new file mode 100644
index 00000000000..4f4cf19e059
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateAccessKey")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf
new file mode 100644
index 00000000000..5e6e58822bf
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreateAccessKey",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
new file mode 100644
index 00000000000..26052310d14
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateAccessKey'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
new file mode 100644
index 00000000000..e9800a053d0
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "9a205ba3-0dd1-42eb-8d54-2ffec836b51a",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "0e9af0ce",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
new file mode 100644
index 00000000000..c6d1eb47219
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreateLoginProfile")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
new file mode 100644
index 00000000000..f59a8ac1761
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..b95a680f239
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
new file mode 100644
index 00000000000..93f37d8d144
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "ee49557d-750c-4cc1-aa95-94ab36cbefde",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "fe987a1d",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
new file mode 100644
index 00000000000..949f5a21b38
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreatePolicyVersion")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
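Review bot: The detection at `common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:CreatePolicyVersion")` keys on the exact action string, so unless that helper expands wildcards, a statement that grants `iam:*` or `*` together with `Resource = "*"` is not reported, and no fixture in this PR exercises that case. A positive fixture with a wildcard action would pin the intended behaviour either way. The same applies to the query.rego hunks for PassRole+cloudformation:CreateStack, PassRole+ec2:RunInstances, PassRole+glue:CreateDevEndpoint, PassRole+lambda, iam:PutGroupPolicy and iam:PutRolePolicy. Minor: the comment should read `# get an AWS IAM role`.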
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
new file mode 100644
index 00000000000..2143c1caa27
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreatePolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..ed344d9f4b6
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
new file mode 100644
index 00000000000..742a4b28370
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "be2aa235-bd93-4b68-978a-1cc65d49082f",
+ "queryName": "Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "779be66e",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
new file mode 100644
index 00000000000..90927485015
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "cloudformation:CreateStack")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
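Review bot: The `keyExpectedValue`/`keyActualValue` strings say the role is associated with "a policy that has Action set to" both actions, but the two scenario calls above are evaluated independently, so the finding also fires when `cloudformation:CreateStack` comes from the inline `aws_iam_role_policy` and `iam:PassRole` from a separately attached `aws_iam_policy` — which is exactly the shape of this PR's positive fixture. Wording such as `"role %s is associated with policies that together grant 'cloudformation:CreateStack' and 'iam:PassRole' on Resource '*'"` would describe the detected condition accurately and help whoever triages the finding look at more than one resource. The same wording issue is in the ec2:RunInstances, glue:CreateDevEndpoint and lambda query.rego hunks.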
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
new file mode 100644
index 00000000000..93323198e5e
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf
@@ -0,0 +1,47 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "cloudformation:CreateStack",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ roles = [aws_iam_role.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
new file mode 100644
index 00000000000..525fe5c1c92
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
new file mode 100644
index 00000000000..3c089a73438
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "30b88745-eebe-4ecb-a3a9-5cf886e96204",
+ "queryName": "Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "b3d6f7cf",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
new file mode 100644
index 00000000000..1f0f3614136
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "ec2:RunInstances")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
new file mode 100644
index 00000000000..980fceb6b1f
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf
@@ -0,0 +1,47 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:RunInstances",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ roles = [aws_iam_role.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
new file mode 100644
index 00000000000..832085a4c0e
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..c64c4274e40
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "0a592060-8166-49f5-8e65-99ac6dce9871",
+ "queryName": "Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "0bc279fe",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
new file mode 100644
index 00000000000..44fa920085f
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "glue:CreateDevEndpoint")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..71ca1742eef
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf
@@ -0,0 +1,47 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:CreateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ roles = [aws_iam_role.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..ab36af18cc2
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
new file mode 100644
index 00000000000..8d4ace67046
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "fa62ac4f-f5b9-45b9-97c1-625c8b6253ca",
+ "queryName": "Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "628b0909",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego
new file mode 100644
index 00000000000..fe28ba65771
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/query.rego
@@ -0,0 +1,26 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:CreateFunction")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PassRole")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:InvokeFunction")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
new file mode 100644
index 00000000000..620960fd62e
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive1.tf
@@ -0,0 +1,48 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:CreateFunction",
+ "lambda:InvokeFunction"
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ roles = [aws_iam_role.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
new file mode 100644
index 00000000000..15cbd75d72d
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
new file mode 100644
index 00000000000..241b0f1c0bf
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "d6047119-a0b2-4b59-a4f2-127a36fb685b",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "ce1bbaeb",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
new file mode 100644
index 00000000000..43539212a59
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutGroupPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf
new file mode 100644
index 00000000000..88a2d3ecd16
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..fd4e74f0462
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
new file mode 100644
index 00000000000..68c8554b602
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "2d361444",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
new file mode 100644
index 00000000000..b207758df4f
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutRolePolicy")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
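Review bot: The permission string is spelled out three times in this query — in the `common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutRolePolicy")` call and again inside the keyExpectedValue and keyActualValue format strings — so the check and the reported text can drift apart when the file is copied for the next action; binding it once, `permission := "iam:PutRolePolicy"`, and passing `[targetRole, permission]` to both sprintf calls (with a second `%s` in each message) keeps them in step. The same layout is repeated in the query.rego hunks at L102, L105, L108, L111, L114, L117 and L120. The messages describe a policy whose Action is this literal string; whether a policy granting `iam:*` or `*` is also reported depends on the helper in common_lib, which is outside this hunk, and the positive fixtures only use the literal action, so a one-line comment stating which spellings the helper matches, or a positive fixture with a wildcard action, would make the detection scope explicit. The comment `# get a AWS IAM role` should read `# get an AWS IAM role`.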
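Review bot: This negative fixture never exercises the role path of the query: it declares only an `aws_iam_user` with an `aws_iam_user_policy`, so the query's `input.document[i].resource.aws_iam_role[targetRole]` lookup binds nothing and the negative test passes vacuously instead of showing that a role with a harmless policy is left alone. The identical fixture (index 4977af6ebd8) is reused for the role queries at L103, L105, L108, L111 and L114. Adding an `aws_iam_role` with an inline policy that grants an unrelated action, and ideally one that grants the query's action on a specific ARN rather than `*` (the metadata names Resource `*` as part of the condition; whether the helper enforces it is not visible here), would give the negative case real coverage. A sample with constructed names and a placeholder account id follows.

```hcl
# … unchanged: aws_iam_user "cosmic2" and its inline policy …

resource "aws_iam_role" "cosmic3" {
  name = "cosmic3"
}

resource "aws_iam_role_policy" "scoped_put_role_policy" {
  name = "scoped_put_role_policy"
  role = aws_iam_role.cosmic3.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["iam:PutRolePolicy"]
        Effect   = "Allow"
        Resource = "arn:aws:iam::<ACCOUNT_ID>:role/cosmic3" # placeholder, not a wildcard
      },
    ]
  })
}
```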
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
new file mode 100644
index 00000000000..e8ba070ff83
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..6d0b68ceaa4
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutRolePolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
new file mode 100644
index 00000000000..08a8fcc557f
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "8f75840d-9ee7-42f3-b203-b40e3979eb12",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "48764f87",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
new file mode 100644
index 00000000000..52d89989e3b
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:PutUserPolicy")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
new file mode 100644
index 00000000000..aca7b0be485
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..f69e886cad1
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
new file mode 100644
index 00000000000..d8af02498a2
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "118281d0-6471-422e-a7c5-051bc667926e",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "a0ddfb38",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
new file mode 100644
index 00000000000..25c4a763722
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:SetDefaultPolicyVersion")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
new file mode 100644
index 00000000000..713b6b7996e
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:SetDefaultPolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..4c3ee4591ee
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
new file mode 100644
index 00000000000..d6635954e02
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "f1173d8c-3264-4148-9fdb-61181e031b51",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "2d747022",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
new file mode 100644
index 00000000000..376b3e5e075
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateAssumeRolePolicy")
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "sts:AssumeRole")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
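Review bot: The keyActualValue message, `"role %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'"`, describes a single policy, but the two `role_unrecommended_permission_policy_scenarios` calls above it are evaluated independently, so the rule also fires when the two actions come from different policies attached to the same role — which is exactly what the positive fixture at L109 does (one action in an `aws_iam_role_policy`, the other in an `aws_iam_policy` reached through `aws_iam_policy_attachment`). That is the right condition for this escalation chain, since the privilege accrues to the principal rather than to one document, but the message should say so, e.g. `"role %s is associated with policies that together grant 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' with Resource set to '*'"`, with keyExpectedValue adjusted to match. A one-line comment above the second call, `# both actions must be granted to the role; they may come from different policies`, would spare the next reader a trip into common_lib.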
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
new file mode 100644
index 00000000000..251aa49957e
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
@@ -0,0 +1,47 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateAssumeRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ roles = [aws_iam_role.cosmic.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "sts:AssumeRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
new file mode 100644
index 00000000000..eff25985df7
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
new file mode 100644
index 00000000000..aa71439baa9
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "35ccf766-0e4d-41ed-9ec4-2dab155082b4",
+ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "8bf480db",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
new file mode 100644
index 00000000000..786d452f9d4
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "iam:UpdateLoginProfile")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
new file mode 100644
index 00000000000..4b486019144
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..d8772c4e53d
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
new file mode 100644
index 00000000000..bee58e3cd80
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "c583f0f9-7dfd-476b-a056-f47c62b47b46",
+ "queryName": "Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "d6861f3e",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
new file mode 100644
index 00000000000..2b75d2333be
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM role
+ role := input.document[i].resource.aws_iam_role[targetRole]
+
+ common_lib.role_unrecommended_permission_policy_scenarios(targetRole, "lambda:UpdateFunctionCode")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_role",
+ "resourceName": tf_lib.get_resource_name(role, targetRole),
+ "searchKey": sprintf("aws_iam_role[%s]", [targetRole]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("role %s is not associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetRole]),
+ "keyActualValue": sprintf("role %s is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetRole]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_role", targetRole], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
new file mode 100644
index 00000000000..eadf2c5e400
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:UpdateFunctionCode",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
diff --git a/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
new file mode 100644
index 00000000000..c0d1c5dc6c7
--- /dev/null
+++ b/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
new file mode 100644
index 00000000000..c8ed06faa0c
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "9b877bd8-94b4-4c10-a060-8e0436cc09fa",
+ "queryName": "User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "1a48ac37",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
new file mode 100644
index 00000000000..33da9a0674b
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:UpdateDevEndpoint")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'glue:UpdateDevEndpoint' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
new file mode 100644
index 00000000000..6c56310f4ee
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive1.tf
@@ -0,0 +1,29 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:UpdateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
new file mode 100644
index 00000000000..a5187a85df5
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
new file mode 100644
index 00000000000..d884ca9756e
--- /dev/null
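Review bot: The `aws_iam_policy_attachment "test-attach"` block at the end of this positive fixture has no `policy_arn`, which that resource requires, and it references `aws_iam_role.role` and `aws_iam_group.group`, neither of which is declared in the file, so the fixture is not valid Terraform and the attachment path of the query is never actually exercised (the expected result lists only the finding at line 1, which comes from the inline policy). Either drop the block, or give it `policy_arn = aws_iam_policy.<name>.arn` pointing at an `aws_iam_policy` declared in the fixture — as the role fixture at L109 does — so the attachment branch is covered by a test. The same dangling block appears in the AddUserToGroup fixture at L121. This file also ends without a trailing newline (`\ No newline at end of file`).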
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "bf9d42c7-c2f9-4dfe-942c-c8cc8249a081",
+ "queryName": "User With Privilege Escalation By Actions 'iam:AddUserToGroup'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "b201d168",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
new file mode 100644
index 00000000000..15aade0830f
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AddUserToGroup")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AddUserToGroup' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
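Review bot: The rule hands the single literal `"iam:AddUserToGroup"` to `common_lib.user_unrecommended_permission_policy_scenarios`, so whether a statement that grants the same capability through `iam:*` or `*` is reported depends entirely on how that helper compares actions, which this hunk cannot show; the fixtures pin only the exact-string positive and an unrelated `ec2:Describe*` negative. A fixture with a wildcard `Action` plus its expected result would make the intended coverage explicit either way, and that matters here because the point of the query is the effective permission, not the spelling. Minor wording: `# get a AWS IAM user` → `# get an AWS IAM user`, and the two blank lines before `result := {` can collapse to one. The same points apply to the query.rego hunks for iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:AttachUserPolicy, iam:CreateAccessKey, iam:CreateLoginProfile, iam:CreatePolicyVersion and the combined iam:PassRole/cloudformation:CreateStack query.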
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf new file mode 100644 index 00000000000..b71e0166b16 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive1.tf @@ -0,0 +1,29 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AddUserToGroup", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json new file mode 100644 index 00000000000..fadf1f82e70 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'iam:AddUserToGroup'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json new file mode 100644 index 00000000000..02e1f959e46 --- /dev/null 
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "6d23d87e-1c5b-4308-b224-92624300f29b", + "queryName": "User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "9f22319f", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego new file mode 100644 index 00000000000..a7fa7e23abc --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/query.rego 
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM user + user := input.document[i].resource.aws_iam_user[targetUser] + + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachGroupPolicy") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_user", + "resourceName": tf_lib.get_resource_name(user, targetUser), + "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetUser]), + "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AttachGroupPolicy' and Resource set to '*'", [targetUser]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + } +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf new file mode 100644 index 00000000000..fddabd66a73 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive1.tf @@ -0,0 +1,31 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachGroupPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..cc364849975 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json new file mode 100644 index 00000000000..3b1b0a923a1 --- /dev/null 
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "e227091e-2228-4b40-b046-fc13650d8e88", + "queryName": "User With Privilege Escalation By Actions 'iam:AttachRolePolicy'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "a33a40e2", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego new file mode 100644 index 00000000000..ba7c18202cf --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/query.rego 
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM user + user := input.document[i].resource.aws_iam_user[targetUser] + + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachRolePolicy") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_user", + "resourceName": tf_lib.get_resource_name(user, targetUser), + "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetUser]), + "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AttachRolePolicy' and Resource set to '*'", [targetUser]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + } +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf new file mode 100644 index 00000000000..c7d8fe2316a --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive1.tf @@ -0,0 +1,30 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..f13a564510c --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'iam:AttachRolePolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json new file mode 100644 index 00000000000..345e1809133 --- /dev/null 
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "70cb518c-d990-46f6-bc05-44a5041493d6", + "queryName": "User With Privilege Escalation By Actions 'iam:AttachUserPolicy'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "98aa676c", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego new file mode 100644 index 00000000000..f63f832ef6f --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/query.rego 
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM user + user := input.document[i].resource.aws_iam_user[targetUser] + + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:AttachUserPolicy") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_user", + "resourceName": tf_lib.get_resource_name(user, targetUser), + "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetUser]), + "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:AttachUserPolicy' and Resource set to '*'", [targetUser]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + } +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf new file mode 100644 index 00000000000..11b1a6047bc --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive1.tf @@ -0,0 +1,29 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachUserPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..cfa007e434e --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'iam:AttachUserPolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json new file mode 100644 index 00000000000..9689aab8c99 --- /dev/null 
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "113208f2-a886-4526-9ecc-f3218600e12c", + "queryName": "User With Privilege Escalation By Actions 'iam:CreateAccessKey'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "29b987f3", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego new file mode 100644 index 00000000000..fcfb6772781 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/query.rego 
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM user + user := input.document[i].resource.aws_iam_user[targetUser] + + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateAccessKey") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_user", + "resourceName": tf_lib.get_resource_name(user, targetUser), + "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetUser]), + "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:CreateAccessKey' and Resource set to '*'", [targetUser]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + } +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf new file mode 100644 index 00000000000..6bf052a9631 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive1.tf @@ -0,0 +1,30 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreateAccessKey", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json new file mode 100644 index 00000000000..91f4cdc0430 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'iam:CreateAccessKey'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json new file mode 100644 index 00000000000..81e03d1806e --- /dev/null 
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "0fd7d920-4711-46bd-aff2-d307d82cd8b7", + "queryName": "User With Privilege Escalation By Actions 'iam:CreateLoginProfile'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "43ba4982", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego new file mode 100644 index 00000000000..633881acb6a --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/query.rego 
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM user + user := input.document[i].resource.aws_iam_user[targetUser] + + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreateLoginProfile") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_user", + "resourceName": tf_lib.get_resource_name(user, targetUser), + "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetUser]), + "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:CreateLoginProfile' and Resource set to '*'", [targetUser]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + } +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf new file mode 100644 index 00000000000..6976b4215cc --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive1.tf @@ -0,0 +1,30 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreateLoginProfile", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json new file mode 100644 index 00000000000..143dfff1de7 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'iam:CreateLoginProfile'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json new file mode 100644 index 00000000000..673afac2bb6 --- /dev/null 
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "1743f5f1-0bb0-4934-acef-c80baa5dadfa", + "queryName": "User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "e894d408", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego new file mode 100644 index 00000000000..a0c6310fdeb --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/query.rego 
@@ -0,0 +1,24 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + + # get a AWS IAM user + user := input.document[i].resource.aws_iam_user[targetUser] + + common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:CreatePolicyVersion") + + + result := { + "documentId": input.document[i].id, + "resourceType": "aws_iam_user", + "resourceName": tf_lib.get_resource_name(user, targetUser), + "searchKey": sprintf("aws_iam_user[%s]", [targetUser]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetUser]), + "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:CreatePolicyVersion' and Resource set to '*'", [targetUser]), + "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []), + } +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf new file mode 100644 index 00000000000..4977af6ebd8 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/negative1.tf @@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf new file mode 100644 index 00000000000..f652e0936e8 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive1.tf @@ -0,0 +1,29 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreatePolicyVersion", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json new file mode 100644 index 00000000000..b352f43641b --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json new file mode 100644 index 00000000000..1f05798663e --- /dev/null 
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "19ffbe31-9d72-4379-9768-431195eae328", + "queryName": "User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "c878232c", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego new file mode 100644 index 00000000000..9582ea49258 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/query.rego 
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "cloudformation:CreateStack")
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
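Review bot: Both `common_lib.user_unrecommended_permission_policy_scenarios` calls pass the exact action names, so a statement that grants the same rights through a wildcard (`Action = "*"`, `iam:*`, `cloudformation:*`) is only caught if the helper expands wildcards, and the helper lives outside this hunk so I cannot confirm that here. If it does not, the query has a false negative on precisely the broadest policies, which are the ones most likely to be real escalation paths; either make the comparison wildcard-aware in the helper or state the exact-match scope in the query's `descriptionText`. The same applies to the sibling query.rego hunks ending on lines 144, 147, 150, 153, 156 and 158. Minor: `# get a AWS IAM user` should read `# get an AWS IAM user`.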
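Review bot: The negative fixture grants only `ec2:Describe*`, which is unrelated to either action this query looks for, so the test never exercises the boundary that separates this two-action query from the single-action ones: a user granted `iam:PassRole` on `*` but not `cloudformation:CreateStack` (or the reverse) must not be reported. The identical file (blob `4977af6ebd8`) is reused for every query in this commit, including the three-action lambda one, so none of them pins that partial-grant case, nor an `Effect = "Deny"` or non-`*` `Resource` variant. A second negative file with a PassRole-only inline policy would cover it; constructed sketch below.
```hcl
resource "aws_iam_user" "cosmic3" {
  name = "cosmic3"
}

resource "aws_iam_user_policy" "pass_role_only" {
  name = "pass_role_only"
  user = aws_iam_user.cosmic3.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["iam:PassRole"]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
```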
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf new file mode 100644 index 00000000000..7bf8fb48688 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive1.tf @@ -0,0 +1,49 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "cloudformation:CreateStack", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json new file mode 100644 index 00000000000..879bd188148 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack/test/positive_expected_result.json 
@@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json new file mode 100644 index 00000000000..0c6f533728c --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "89561b03-cb35-44a9-a7e9-8356e71606f4", + "queryName": "User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "05f5544f", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego new file mode 100644 index 00000000000..0a45ae04348 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/query.rego 
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "ec2:RunInstances")
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf new file mode 100644 index 00000000000..1db184aa245 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive1.tf @@ -0,0 +1,49 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:RunInstances", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json new file mode 100644 index 00000000000..0c13f4076a7 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances/test/positive_expected_result.json 
@@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json new file mode 100644 index 00000000000..a7f3c3f8d1c --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "94fbe150-27e3-4eba-9ca6-af32865e4503", + "queryName": "User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "8d9e01f1", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego new file mode 100644 index 00000000000..fd6ffad525e --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/query.rego 
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "glue:CreateDevEndpoint")
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf new file mode 100644 index 00000000000..4b53cde802b --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive1.tf @@ -0,0 +1,49 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "glue:CreateDevEndpoint", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json new file mode 100644 index 00000000000..1a3d09d345f --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint/test/positive_expected_result.json 
@@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json new file mode 100644 index 00000000000..136683b819e --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "8055dec2-efb8-4fe6-8837-d9bed6ff202a", + "queryName": "User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "da252d8a", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego new file mode 100644 index 00000000000..687b039f221 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/query.rego 
@@ -0,0 +1,26 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:CreateFunction")
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PassRole")
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:InvokeFunction")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/negative1.tf
@@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf new file mode 100644 index 00000000000..0f6b83b4571 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive1.tf @@ -0,0 +1,50 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "lambda:InvokeFunction" + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json new file mode 100644 index 00000000000..4cee4fa0fd8 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json new file mode 100644 index 00000000000..d5543976726 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "8bfbf7ab-d5e8-4100-8618-798956e101e0", + "queryName": "User With Privilege Escalation By Actions 'iam:PutGroupPolicy'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "024a2d0d", + "cloudProvider": "aws" +} 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
new file mode 100644
index 00000000000..66bc53825e3
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutGroupPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:PutGroupPolicy' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/negative1.tf
@@ -0,0 +1,21 @@ +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf new file mode 100644 index 00000000000..fd0ea4df28b --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive1.tf @@ -0,0 +1,30 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PutGroupPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..a91dbda2cc9 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'iam:PutGroupPolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] 
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json new file mode 100644 index 00000000000..b7452c7fe20 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/metadata.json @@ -0,0 +1,11 @@ +{ + "id": "eeb4d37a-3c59-4789-a00c-1509bc3af1e5", + "queryName": "User With Privilege Escalation By Actions 'iam:PutRolePolicy'", + "severity": "MEDIUM", + "category": "Access Control", + "descriptionText": "User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy", + "platform": "Terraform", + "descriptionID": "367257fe", + "cloudProvider": "aws" +} diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego new file mode 100644 index 00000000000..09b1a59e9fc --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/query.rego 
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutRolePolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:PutRolePolicy' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf new file mode 100644 index 00000000000..89411b4a9cd --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive1.tf @@ -0,0 +1,31 @@ +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PutRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json new file mode 100644 index 00000000000..8b92368e2b1 --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy/test/positive_expected_result.json @@ -0,0 +1,8 @@ +[ + { + "queryName": "User With Privilege Escalation By Actions 'iam:PutRolePolicy'", + "severity": "MEDIUM", + "line": 1, + "fileName": "positive1.tf" + } +] diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json new file mode 100644 index 00000000000..1bad1d3ac1c --- /dev/null +++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/metadata.json 
@@ -0,0 +1,11 @@
+{
+ "id": "0c10d7da-85c4-4d62-b2a8-d6c104f1bd77",
+ "queryName": "User With Privilege Escalation By Actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "b99501af",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
new file mode 100644
index 00000000000..9843200d46a
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:PutUserPolicy")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:PutUserPolicy' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
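Review bot: This query.rego passes the single literal action "iam:PutUserPolicy" to `common_lib.user_unrecommended_permission_policy_scenarios`, so a statement that grants the same capability through `iam:*` or `*` is, as far as this hunk shows, not reported unless that helper (defined in common.rego, outside this hunk) expands wildcards; the rule has no header comment, and that coverage boundary is exactly what a maintainer tuning detections needs stated. A one-line header such as `# Reports an aws_iam_user that is granted the literal action 'iam:PutUserPolicy' on Resource '*' (privilege-escalation path); wildcard actions are only matched if common_lib expands them — confirm` would document it, and the same applies to the query.rego hunks for iam:SetDefaultPolicyVersion, iam:UpdateAssumeRolePolicy/sts:AssumeRole, iam:UpdateLoginProfile and lambda:UpdateFunctionCode. The comment `# get a AWS IAM user` should read `# get an AWS IAM user`, and the double blank line before `result := {` is unlike the rest of the rule body.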
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
new file mode 100644
index 00000000000..edd49854001
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive1.tf
@@ -0,0 +1,31 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
new file mode 100644
index 00000000000..77d75f77411
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User With Privilege Escalation By Actions 'iam:PutUserPolicy'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
new file mode 100644
index 00000000000..7bcb5321fd6
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "43a41523-386a-4cb1-becb-42af6b414433",
+ "queryName": "User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "85e8d749",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
new file mode 100644
index 00000000000..f0ea1c64d3e
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:SetDefaultPolicyVersion")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:SetDefaultPolicyVersion' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
new file mode 100644
index 00000000000..193341e24ee
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:SetDefaultPolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
new file mode 100644
index 00000000000..2f7cf644813
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
new file mode 100644
index 00000000000..b9b48531b80
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "33627268-1445-4385-988a-318fd9d1a512",
+ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "7ab86e7e",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
new file mode 100644
index 00000000000..b3d7be95032
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/query.rego
@@ -0,0 +1,25 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateAssumeRolePolicy")
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "sts:AssumeRole")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
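Review bot: The `keyExpectedValue` and `keyActualValue` strings describe "a policy that has Action set to 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole'", but the two `common_lib.user_unrecommended_permission_policy_scenarios` calls are independent, so the rule fires when the two actions are granted by different policies; the positive1.tf fixture for this query relies on exactly that, with one action in the inline `aws_iam_user_policy` and the other in the attached `aws_iam_policy`. The finding text should match what is actually detected, e.g. `"keyActualValue": sprintf("user %s is associated with one or more policies that together grant 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' with Resource set to '*'", [targetUser])`, with `keyExpectedValue` negated the same way. A short comment above the two calls, such as `# both actions are required for this escalation path; they may come from different policies`, would make the AND intent explicit for the next maintainer.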
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
new file mode 100644
index 00000000000..99663d5260e
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive1.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateAssumeRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "sts:AssumeRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
new file mode 100644
index 00000000000..89f59bd7941
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
new file mode 100644
index 00000000000..99a7cd32378
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "6deb34e2-5d9c-499a-801b-ea6d9eda894f",
+ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "559f74f0",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
new file mode 100644
index 00000000000..adaf15dc120
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "iam:UpdateLoginProfile")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'iam:UpdateLoginProfile' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
new file mode 100644
index 00000000000..a21d05bf9c9
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
new file mode 100644
index 00000000000..f7792753ab7
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
new file mode 100644
index 00000000000..e78c79470e0
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/metadata.json
@@ -0,0 +1,11 @@
+{
+ "id": "b69247e5-7e73-464e-ba74-ec9b715c6e12",
+ "queryName": "User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "category": "Access Control",
+ "descriptionText": "User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy",
+ "platform": "Terraform",
+ "descriptionID": "f5d372a0",
+ "cloudProvider": "aws"
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
new file mode 100644
index 00000000000..0e276c3b793
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+ # get a AWS IAM user
+ user := input.document[i].resource.aws_iam_user[targetUser]
+
+ common_lib.user_unrecommended_permission_policy_scenarios(targetUser, "lambda:UpdateFunctionCode")
+
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "aws_iam_user",
+ "resourceName": tf_lib.get_resource_name(user, targetUser),
+ "searchKey": sprintf("aws_iam_user[%s]", [targetUser]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("user %s is not associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetUser]),
+ "keyActualValue": sprintf("user %s is associated with a policy that has Action set to 'lambda:UpdateFunctionCode' and Resource set to '*'", [targetUser]),
+ "searchLine": common_lib.build_search_line(["resource", "aws_iam_user", targetUser], []),
+ }
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
new file mode 100644
index 00000000000..4977af6ebd8
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/negative1.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
new file mode 100644
index 00000000000..8e9a4e1cd86
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive1.tf
@@ -0,0 +1,30 @@
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:UpdateFunctionCode",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
diff --git a/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
new file mode 100644
index 00000000000..86b7d699b34
--- /dev/null
+++ b/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode/test/positive_expected_result.json
@@ -0,0 +1,8 @@
+[
+ {
+ "queryName": "User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive1.tf"
+ }
+]