Control: 5.2 Ensure Batch roles are configured for cross-service confused deputy prevention
Description
The cross-service confused deputy problem is a security issue in which an entity that lacks permission to perform an action coerces a more-privileged entity into performing that action on its behalf.
Cross-service impersonation is one route to the confused deputy problem. It can occur when one service (the calling service) calls another service (the called service): the calling service can be manipulated into using its own permissions to act on another customer's resources that the manipulating party should not be able to access. For AWS Batch this means a role whose trust policy lets batch.amazonaws.com assume it unconditionally can be assumed on behalf of any Batch resource in any account, not only the resources you own.
Remediation
From the Console:
- Login to the AWS Console using https://console.aws.amazon.com/iam/.
- On the left hand side under Access management, click on Roles.
- Search for any roles identified above in the audit.
- Click on the role, open the Trust relationships tab, and edit the trust policy so that the statement allowing sts:AssumeRole for the Batch service principal carries an aws:SourceArn condition whose value is the full ARN of the Batch resource that is allowed to assume the role, for example:
"aws:SourceArn": ["arn:aws:batch:us-east-1:123456789012:compute-environment/testCE"]
- Repeat for any roles defined in the Audit.
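The control is marked manual, so the audit step above has no query behind it. The following added example (not part of this control or of the Powerpipe mod) shows how to check a trust policy document for the guard the remediation describes: it embeds a constructed weak trust policy beside a hardened one and flags every Allow statement that lets batch.amazonaws.com call sts:AssumeRole without an aws:SourceArn condition. It goes slightly beyond the page by also accepting aws:SourceAccount as a guard, which is the companion condition key AWS documents for the same purpose; the role name, ARN and account number are illustrative.

```python
"""Check IAM trust policies for the cross-service confused deputy guard.

A Batch service role is scoped correctly only if every statement that
allows batch.amazonaws.com to call sts:AssumeRole is conditioned on
aws:SourceArn (and/or aws:SourceAccount), so that only the caller's own
Batch resources can trigger the assumption.
"""
import json

BATCH_PRINCIPAL = "batch.amazonaws.com"
GUARD_KEYS = ("aws:sourcearn", "aws:sourceaccount")  # IAM condition keys are case-insensitive

# Constructed sample: trust policy with no confused-deputy guard (the weak form).
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "batch.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: the same role, scoped to one compute environment in one
# account (the hardened form). ARN and account ID are illustrative values.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "batch.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "ArnLike": {
                "aws:SourceArn": [
                    "arn:aws:batch:us-east-1:123456789012:compute-environment/testCE"
                ]
            },
            "StringEquals": {"aws:SourceAccount": "123456789012"},
        },
    }],
})


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unguarded_batch_statements(policy_document: str) -> list:
    """Return indexes of Allow statements that let the Batch service principal
    assume the role without any aws:SourceArn / aws:SourceAccount condition."""
    policy = json.loads(policy_document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if BATCH_PRINCIPAL not in services:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        # Condition is {"Operator": {"key": value, ...}, ...}; collect every key.
        condition_keys = {
            key.lower()
            for operator_block in stmt.get("Condition", {}).values()
            for key in operator_block
        }
        if not any(guard in condition_keys for guard in GUARD_KEYS):
            findings.append(idx)
    return findings


def is_confused_deputy_safe(policy_document: str) -> bool:
    """True when no Batch AssumeRole statement is missing the guard."""
    return not unguarded_batch_statements(policy_document)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        bad = unguarded_batch_statements(doc)
        print(f"{name}: {'OK' if not bad else 'unguarded statement indexes ' + str(bad)}")
```

To audit real roles, feed the script the `AssumeRolePolicyDocument` returned by `aws iam get-role`; to apply the hardened document from the console-free path, save it to a file and run `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json`.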
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_5_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_5_2 --share
SQL
This control uses a named query:
manual_control