-
Notifications
You must be signed in to change notification settings - Fork 60
/
Copy pathcloudrail_results.txt
78 lines (58 loc) · 4.01 KB
/
cloudrail_results.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
WARNINGs found:
Rule: Ensure IAM policies pass Access Analyzer policy validation without SECURITY and ERROR issues
- 1 Resources Exposed:
-----------------------------------------------
- Exposed Resource: [aws_iam_role_policy.policy] (main.tf:25)
Violating Resource: [aws_iam_role_policy.policy] (main.tf:25)
Evidence:
Line 6, Col 8:
| Using wildcards (*) in the action and the resource can be overly permissive because it allows iam:PassRole permissions on all resources
| We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement
| See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-action-and-resource
Line 6, Col 17:
| The action 'iam: AttachUser*' does not exist
| See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-invalid-action
-----------------------------------------------
Rule: Ensure IAM policies pass Access Analyzer policy validation without WARNING and SUGGESTION issues
- 2 Resources Exposed:
-----------------------------------------------
- Exposed Resource: [aws_iam_role_policy.policy] (main.tf:25)
Violating Resource: [aws_iam_role_policy.policy] (main.tf:25)
Evidence:
Line 6, Col 8:
| Using wildcards (*) in the action and the resource can allow creation of unintended service-linked roles because it allows iam:CreateServiceLinkedRole permissions on all resources
| We recommend that you specify resource ARNs instead
| See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-general-warning-create-slr-with-star-in-action-and-resource
- Exposed Resource: [aws_iam_role.role] (main.tf:5)
Violating Resource: [aws_iam_role.role] (main.tf:5)
Evidence:
Line 10, Col 17:
| Add a value to the empty string in the Sid element
| See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value
-----------------------------------------------
Rule: Ensure all resources that can be tagged have at least one tag
- 1 Resources Exposed:
-----------------------------------------------
- Exposed Resource: [aws_iam_role.role] (main.tf:5)
Violating Resource: [aws_iam_role.role] (main.tf:5)
Evidence:
| Resource IAM Role aws_iam_role.role does not have any tags set
-----------------------------------------------
Rule: Disallow IAM permissions which can lead to privilege escalation
- 2 Resources Exposed:
-----------------------------------------------
- Exposed Resource: [aws_iam_role_policy.allow-policy-1] (main.tf:25)
Violating Resource: [aws_iam_role_policy.allow-policy-1] (main.tf:25)
Evidence:
aws_iam_role_policy.allow-policy-1
| is applied to arn:aws:iam::000000000000:role/role
| in conjunction with aws_iam_role_policy.allow-policy-1, aws_iam_role_policy.allow-policy-2 {'iam:passrole', 'lambda:invokefunc*', 'lambda:createfunction'} allows a hacker to trigger a Lambda function with a role they choose
- Exposed Resource: [aws_iam_role_policy.policy] (main.tf:25)
Violating Resource: [aws_iam_role_policy.policy] (main.tf:25)
Evidence:
aws_iam_role_policy.policy
| is applied to arn:aws:iam::000000000000:role/role
| granting the problematic permissions {'iam:*', 'iam: AttachUser*'} which can allow for privilege escalation
-----------------------------------------------
Cloudrail ran this assessment without any policies and so all rule violations show as warnings.
You can increase a rule's enforcement level by creating a Policy in the Web UI and adding the rule to it.