Skip to content

Commit

Permalink
feat(aws): add new check iam_root_credentials_management_enabled
Browse files Browse the repository at this point in the history
  • Loading branch information
@MrCloudSec
MrCloudSec committed Nov 15, 2024
1 parent 78b518e commit 6904594
Show file tree
Hide file tree
Showing 20 changed files with 522 additions and 291 deletions.
61 changes: 31 additions & 30 deletions prowler/providers/aws/services/iam/iam_no_root_access_key/iam_no_root_access_key.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,35 +5,36 @@
class iam_no_root_access_key(Check):
def execute(self) -> Check_Report_AWS:
findings = []
response = iam_client.credential_report

for user in response:
if user["user"] == "<root_account>":
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
if (
user["access_key_1_active"] == "false"
and user["access_key_2_active"] == "false"
):
report.status = "PASS"
report.status_extended = (
f"User {user['user']} does not have access keys."
)
elif (
user["access_key_1_active"] == "true"
and user["access_key_2_active"] == "true"
):
report.status = "FAIL"
report.status_extended = (
f"User {user['user']} has two active access keys."
)
else:
report.status = "FAIL"
report.status_extended = (
f"User {user['user']} has one active access key."
)
findings.append(report)
# Check if the root credentials are managed by AWS Organizations
if "RootCredentialsManagement" not in iam_client.organization_features:
for user in iam_client.credential_report:
if user["user"] == "<root_account>":
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
if (
user["access_key_1_active"] == "false"
and user["access_key_2_active"] == "false"
):
report.status = "PASS"
report.status_extended = (
"Root account does not have access keys."
)
elif (
user["access_key_1_active"] == "true"
and user["access_key_2_active"] == "true"
):
report.status = "FAIL"
report.status_extended = (
"Root account has two active access keys."
)
else:
report.status = "FAIL"
report.status_extended = (
"Root account has one active access key."
)
findings.append(report)
break

return findings
Empty file added prowler/providers/aws/services/iam/iam_root_credentials_management_enabled/__init__.py
View file
Empty file.
33 changes: 33 additions & 0 deletions ...root_credentials_management_enabled/iam_root_credentials_management_enabled.metadata.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
{
"Provider": "aws",
"CheckID": "iam_root_credentials_management_enabled",
"CheckTitle": "Ensure centralized root credentials management is enabled",
"CheckType": [],
"ServiceName": "iam",
"SubServiceName": "",
"ResourceIdTemplate": "arn:partition:service:region:account-id:resource-id",
"Severity": "high",
"ResourceType": "Other",
"Description": "Checks if centralized management of root credentials for member accounts in AWS Organizations is enabled. This ensures that root credentials are managed centrally, reducing the risk of unauthorized access or mismanagement.",
"Risk": "Without centralized root credentials management, member accounts retain full control over their root user credentials, increasing the risk of credential misuse, mismanagement, or compromise.",
"RelatedUrl": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user-access-management",
"Remediation": {
"Code": {
"CLI": "aws iam enable-organizations-root-credentials-management",
"NativeIaC": "",
"Other": "",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable centralized management of root access for member accounts using the CLI or IAM console.",
"Url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html"
}
},
"Categories": [],
"DependsOn": [],
"RelatedTo": [
"iam_root_hardware_mfa_enabled",
"iam_root_mfa_enabled"
],
"Notes": ""
}
27 changes: 27 additions & 0 deletions ...es/iam/iam_root_credentials_management_enabled/iam_root_credentials_management_enabled.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
from prowler.lib.check.models import Check, Check_Report_AWS
from prowler.providers.aws.services.iam.iam_client import iam_client
from prowler.providers.aws.services.organizations.organizations_client import (
organizations_client,
)


class iam_root_credentials_management_enabled(Check):
def execute(self) -> Check_Report_AWS:
findings = []
if (
organizations_client.organization
and organizations_client.organization.status == "ACTIVE"
):
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_arn = iam_client.audited_account_arn
report.resource_id = iam_client.audited_account
if "RootCredentialsManagement" in iam_client.organization_features:
report.status = "PASS"
report.status_extended = "Root credentials management is enabled."
else:
report.status = "FAIL"
report.status_extended = "Root credentials management is not enabled."
findings.append(report)

return findings
51 changes: 28 additions & 23 deletions ...providers/aws/services/iam/iam_root_hardware_mfa_enabled/iam_root_hardware_mfa_enabled.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,31 +5,36 @@
class iam_root_hardware_mfa_enabled(Check):
def execute(self) -> Check_Report_AWS:
findings = []
# This check is only avaible in Commercial Partition
# This check is only available in Commercial Partition
if iam_client.audited_partition == "aws":
if iam_client.account_summary:
virtual_mfa = False
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = "<root_account>"
report.resource_arn = iam_client.mfa_arn_template
# Check if the root credentials are managed by AWS Organizations
if "RootCredentialsManagement" not in iam_client.organization_features:
if iam_client.account_summary:
virtual_mfa = False
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = "<root_account>"
report.resource_arn = iam_client.mfa_arn_template

if iam_client.account_summary["SummaryMap"]["AccountMFAEnabled"] > 0:
for mfa in iam_client.virtual_mfa_devices:
# If the ARN of the associated IAM user of the Virtual MFA device is "arn:aws:iam::[aws-account-id]:root", your AWS root account is not using a hardware-based MFA device for MFA protection.
if "root" in mfa.get("User", {}).get("Arn", ""):
virtual_mfa = True
report.status = "FAIL"
report.status_extended = "Root account has a virtual MFA instead of a hardware MFA device enabled."
if not virtual_mfa:
report.status = "PASS"
report.status_extended = (
"Root account has a hardware MFA device enabled."
)
else:
report.status = "FAIL"
report.status_extended = "MFA is not enabled for root account."
if (
iam_client.account_summary["SummaryMap"]["AccountMFAEnabled"]
> 0
):
for mfa in iam_client.virtual_mfa_devices:
# If the ARN of the associated IAM user of the Virtual MFA device is "arn:aws:iam::[aws-account-id]:root", your AWS root account is not using a hardware-based MFA device for MFA protection.
if "root" in mfa.get("User", {}).get("Arn", ""):
virtual_mfa = True
report.status = "FAIL"
report.status_extended = "Root account has a virtual MFA instead of a hardware MFA device enabled."
if not virtual_mfa:
report.status = "PASS"
report.status_extended = (
"Root account has a hardware MFA device enabled."
)
else:
report.status = "FAIL"
report.status_extended = "MFA is not enabled for root account."

findings.append(report)
findings.append(report)

return findings
32 changes: 18 additions & 14 deletions prowler/providers/aws/services/iam/iam_root_mfa_enabled/iam_root_mfa_enabled.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,19 +5,23 @@
class iam_root_mfa_enabled(Check):
def execute(self) -> Check_Report_AWS:
findings = []
if iam_client.credential_report:
for user in iam_client.credential_report:
if user["user"] == "<root_account>":
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
if user["mfa_active"] == "false":
report.status = "FAIL"
report.status_extended = "MFA is not enabled for root account."
else:
report.status = "PASS"
report.status_extended = "MFA is enabled for root account."
findings.append(report)
# Check if the root credentials are managed by AWS Organizations
if "RootCredentialsManagement" not in iam_client.organization_features:
if iam_client.credential_report:
for user in iam_client.credential_report:
if user["user"] == "<root_account>":
report = Check_Report_AWS(self.metadata())
report.region = iam_client.region
report.resource_id = user["user"]
report.resource_arn = user["arn"]
if user["mfa_active"] == "false":
report.status = "FAIL"
report.status_extended = (
"MFA is not enabled for root account."
)
else:
report.status = "PASS"
report.status_extended = "MFA is enabled for root account."
findings.append(report)

return findings
27 changes: 27 additions & 0 deletions prowler/providers/aws/services/iam/iam_service.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,8 @@ def __init__(self, provider):
self._get_last_accessed_services()
self.user_temporary_credentials_usage = {}
self._get_user_temporary_credentials_usage()
self.organization_features = []
self._list_organizations_features()
# List missing tags
self.__threading_call__(self._list_tags, self.users)
self.__threading_call__(self._list_tags, self.roles)
Expand Down Expand Up @@ -964,6 +966,31 @@ def _get_user_temporary_credentials_usage(self):
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)

def _list_organizations_features(self):
logger.info("IAM - List Organization Features...")
try:
organization_features = self.client.list_organizations_features()
self.organization_features = organization_features.get(
"EnabledFeatures", []
)
except ClientError as error:
if error.response["Error"]["Code"] == "OrganizationNotFoundException":
logger.warning(
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
elif error.response["Error"]["Code"] == "ServiceAccessNotEnabledException":
logger.warning(
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
else:
logger.error(
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)
except Exception as error:
logger.error(
f"{self.region} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
)


class MFADevice(BaseModel):
serial_number: str
Expand Down
12 changes: 5 additions & 7 deletions ...rganizations_account_part_of_organizations/organizations_account_part_of_organizations.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,21 +7,19 @@
class organizations_account_part_of_organizations(Check):
def execute(self):
findings = []
for org in organizations_client.organizations:
if organizations_client.organization:
report = Check_Report_AWS(self.metadata())
if org.status == "ACTIVE":
if organizations_client.organization.status == "ACTIVE":
report.status = "PASS"
report.status_extended = (
f"AWS Organization {org.id} contains this AWS account."
)
report.status_extended = f"AWS Organization {organizations_client.organization.id} contains this AWS account."
else:
report.status = "FAIL"
report.status_extended = (
"AWS Organizations is not in-use for this AWS Account."
)
report.region = organizations_client.region
report.resource_id = org.id
report.resource_arn = org.arn
report.resource_id = organizations_client.organization.id
report.resource_arn = organizations_client.organization.arn
findings.append(report)

return findings
34 changes: 18 additions & 16 deletions ...izations/organizations_delegated_administrators/organizations_delegated_administrators.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,31 +14,33 @@ def execute(self):
)
)

for org in organizations_client.organizations:
if org.status == "ACTIVE":
report = Check_Report_AWS(self.metadata())
report.resource_id = org.id
report.resource_arn = org.arn
report.region = organizations_client.region
if org.delegated_administrators is None:
# Access Denied to list_policies
continue
if org.delegated_administrators:
for delegated_administrator in org.delegated_administrators:
if (
organizations_client.organization
and organizations_client.organization.status == "ACTIVE"
):
report = Check_Report_AWS(self.metadata())
report.resource_id = organizations_client.organization.id
report.resource_arn = organizations_client.organization.arn
report.region = organizations_client.region
if (
organizations_client.organization.delegated_administrators is not None
): # Check if Access Denied to list_delegated_administrators
if organizations_client.organization.delegated_administrators:
for (
delegated_administrator
) in organizations_client.organization.delegated_administrators:
if (
delegated_administrator.id
not in organizations_trusted_delegated_administrators
):
report.status = "FAIL"
report.status_extended = f"AWS Organization {org.id} has an untrusted Delegated Administrator: {delegated_administrator.id}."
report.status_extended = f"AWS Organization {organizations_client.organization.id} has an untrusted Delegated Administrator: {delegated_administrator.id}."
else:
report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has a trusted Delegated Administrator: {delegated_administrator.id}."
report.status_extended = f"AWS Organization {organizations_client.organization.id} has a trusted Delegated Administrator: {delegated_administrator.id}."
else:
report.status = "PASS"
report.status_extended = (
f"AWS Organization {org.id} has no Delegated Administrators."
)
report.status_extended = f"AWS Organization {organizations_client.organization.id} has no Delegated Administrators."

findings.append(report)

Expand Down
20 changes: 12 additions & 8 deletions ...ions/organizations_opt_out_ai_services_policy/organizations_opt_out_ai_services_policy.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,19 +8,23 @@ class organizations_opt_out_ai_services_policy(Check):
def execute(self):
findings = []

for org in organizations_client.organizations:
if org.policies is not None: # Access Denied to list_policies
if organizations_client.organization:
if (
organizations_client.organization.policies is not None
): # Access Denied to list_policies
report = Check_Report_AWS(self.metadata())
report.resource_id = org.id
report.resource_arn = org.arn
report.resource_id = organizations_client.organization.id
report.resource_arn = organizations_client.organization.arn
report.region = organizations_client.region
report.status = "FAIL"
report.status_extended = (
"AWS Organizations is not in-use for this AWS Account."
)
if org.status == "ACTIVE":
report.status_extended = f"AWS Organization {org.id} has not opted out of all AI services, granting consent for AWS to access its data."
for policy in org.policies.get("AISERVICES_OPT_OUT_POLICY", []):
if organizations_client.organization.status == "ACTIVE":
report.status_extended = f"AWS Organization {organizations_client.organization.id} has not opted out of all AI services, granting consent for AWS to access its data."
for policy in organizations_client.organization.policies.get(
"AISERVICES_OPT_OUT_POLICY", []
):
if (
policy.content.get("services", {})
.get("default", {})
Expand All @@ -29,7 +33,7 @@ def execute(self):
== "optOut"
):
report.status = "PASS"
report.status_extended = f"AWS Organization {org.id} has opted out of all AI services, not granting consent for AWS to access its data."
report.status_extended = f"AWS Organization {organizations_client.organization.id} has opted out of all AI services, not granting consent for AWS to access its data."
break

findings.append(report)
Expand Down
Loading

0 comments on commit 6904594

Please sign in to comment.