
iam_role_cross_service_confused_deputy_prevention remediation broke specific process #4714

Open
migs017 opened this issue Aug 9, 2024 · 5 comments
Assignees
Labels
bug provider/aws Issues/PRs related with the AWS provider severity/medium Results in some unexpected or undesired behavior.

Comments


migs017 commented Aug 9, 2024

Steps to Reproduce

  1. It isn't a command but a setup where CloudTrail will send logs to CloudWatch
  2. AWS environment
  3. Single account
  4. Error: [screenshot: iam role last activity date]

Expected behavior

Prowler recommends, to remediate/prevent confused deputy, to use either aws:SourceArn or aws:SourceAccount or both. If the specific resource has been added in the condition, nothing should break our process.

Actual Result with Screenshots or Logs

[screenshot: iam role last activity date]
Prowler's solution works on some roles, but for the CloudTrail-to-CloudWatch process that a role will handle, it breaks. We also encounter it in an IAM role that's assumed by AWS transcoder when we add either aws:SourceArn or aws:SourceAccount or both. Our process will stop working.

The exact trust relationship policy for the transcoder role:
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "elastictranscoder.amazonaws.com",
          "transcribe.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<account_id>"
        },
        "ArnLike": {
          "aws:SourceArn": [
            "arn:aws:elastictranscoder::<account_id>:pipeline/example_pipeline",
            "arn:aws:elastictranscoder::<account_id>:job/*",
            "arn:aws:elastictranscoder::<account_id>:preset/*"
          ]
        }
      }
    }
  ]
}
```

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

Workstation

OS used

Windows

Prowler version

4.2.4

Pip version

pip 23.2.1

Context

We consulted AWS Support about the CloudTrail-to-CloudWatch process role and they mention "no documentation around which services do or do not support the aws:SourceArn or aws:SourceAccount condition keys because they're global condition keys and technically available to all services. The keys are supported in any situation where a service tries to access another service's resource with a call from their service principal. If it's not from a service principal, we don't expect those condition keys to be set."
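As an added example (not Prowler's code and not the reporter's), here is a small Python evaluator for a trust policy modelled on the transcoder policy above, using a placeholder account id. It shows the mechanism behind the AWS Support answer: when the calling service does not populate aws:SourceArn or aws:SourceAccount, a StringEquals or ArnLike condition on that key evaluates to false and the AssumeRole is denied.

```python
import fnmatch
import json

# Constructed trust policy modelled on the transcoder role in this issue;
# 111122223333 is a placeholder account id, not a real one.
TRUST_POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "1", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["elastictranscoder.amazonaws.com",
                              "transcribe.amazonaws.com"]},
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "111122223333"},
      "ArnLike": {"aws:SourceArn": [
        "arn:aws:elastictranscoder::111122223333:pipeline/example_pipeline",
        "arn:aws:elastictranscoder::111122223333:job/*"]}
    }
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, allowed, context):
    """One condition key, evaluated as IAM does for single-valued keys:
    a key absent from the request context makes StringEquals/ArnLike false
    (that is what breaks a service that never populates aws:SourceArn)."""
    if key not in context:
        return False
    actual = context[key]
    if operator == "StringEquals":
        return actual in _as_list(allowed)
    if operator == "ArnLike":  # '*' and '?' are wildcards in ArnLike
        return any(fnmatch.fnmatchcase(actual, p) for p in _as_list(allowed))
    raise ValueError(f"operator {operator!r} is not modelled here")


def assume_role_allowed(policy, service_principal, context):
    """True if an Allow statement lets `service_principal` call sts:AssumeRole
    under `context`, the condition keys the calling service actually sets."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if service_principal not in _as_list(stmt["Principal"].get("Service", [])):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_matches(op, key, allowed, context)
               for op, pairs in conditions.items() for key, allowed in pairs.items()):
            return True
    return False  # no matching Allow: implicit deny
```

A context that carries aws:SourceAccount but no aws:SourceArn returns False, which is the denial the reporter sees when the calling service does not set that key; a context from another account is denied as well, which is the confused-deputy protection the check is after.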

@migs017 migs017 added bug status/needs-triage Issue pending triage labels Aug 9, 2024
@sergargar sergargar self-assigned this Aug 12, 2024
@sergargar sergargar added severity/medium Results in some unexpected or undesired behavior. provider/aws Issues/PRs related with the AWS provider and removed status/needs-triage Issue pending triage labels Aug 12, 2024
@sergargar
Member

Hi @migs017, thanks for reaching us out!
This Prowler check was done regarding this official documentation. From what I understood, both roles that are either assumed by CloudTrail or Transcoder break when the aws:SourceAccount or aws:SourceArn are set?

@migs017
Author

migs017 commented Aug 12, 2024

Hey @sergargar, Yup that's right

@sergargar
Member

sergargar commented Aug 12, 2024

"The keys are supported in any situation where a service tries to access another service's resource with a call from their service principal."

Is that your situation @migs017 ?

@migs017
Author

migs017 commented Aug 12, 2024

Hmm, I don't think so. For example, in the CloudTrail role the condition is aws:SourceArn : <arn_of_a_trail>. That means it's the same service resource from the service principal that I'm trying to allow assuming the role, right?

@sergargar
Member

> Hmm, I don't think so. For example, in the CloudTrail role the condition is aws:SourceArn : <arn_of_a_trail>. That means it's the same service resource from the service principal that I'm trying to allow assuming the role, right?

Yes, but in that case the condition aws:SourceAccount should be used so only the CloudTrail of your account can assume it.

Can you try it again in the branch PRWLR-4858-check-policy-conditions-for-aws-lambda-public-checks? Thanks!
