Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-perimeter
Overview
3Dashboards
62Benchmarks
0Queries
5Variables
GitHub

Control: IAM role trust policies should prohibit public access

Description

Check if IAM role trust policies provide public access, allowing any principal to assume the role.

Usage

Run the control in your terminal:

powerpipe control run aws_perimeter.control.iam_role_trust_policy_prohibit_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_perimeter.control.iam_role_trust_policy_prohibit_public_access --share

Steampipe Tables

aws_iam_role
AWS plugin

SQL

with wildcard_action_policies as (
  select
    arn,
    count(*) as statements_num
  from
    aws_iam_role,
    jsonb_array_elements(assume_role_policy_std -> 'Statement') as s
  where
    s ->> 'Effect' = 'Allow'
    -- aws:SourceOwner
    and s -> 'Condition' -> 'StringEquals' -> 'aws:sourceowner' is null
    and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:sourceowner' is null
    and (
      s -> 'Condition' -> 'StringLike' -> 'aws:sourceowner' is null
      or s -> 'Condition' -> 'StringLike' -> 'aws:sourceowner' ? '*'
    )
    -- aws:SourceAccount
    and s -> 'Condition' -> 'StringEquals' -> 'aws:sourceaccount' is null
    and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:sourceaccount' is null
    and (
      s -> 'Condition' -> 'StringLike' -> 'aws:sourceaccount' is null
      or s -> 'Condition' -> 'StringLike' -> 'aws:sourceaccount' ? '*'
    )
    -- aws:PrincipalOrgID
    and s -> 'Condition' -> 'StringEquals' -> 'aws:principalorgid' is null
    and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:principalorgid' is null
    and (
      s -> 'Condition' -> 'StringLike' -> 'aws:principalorgid' is null
      or s -> 'Condition' -> 'StringLike' -> 'aws:principalorgid' ? '*'
    )
    -- aws:PrincipalAccount
    and s -> 'Condition' -> 'StringEquals' -> 'aws:principalaccount' is null
    and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:principalaccount' is null
    and (
      s -> 'Condition' -> 'StringLike' -> 'aws:principalaccount' is null
      or s -> 'Condition' -> 'StringLike' -> 'aws:principalaccount' ? '*'
    )
    -- aws:PrincipalArn
    and s -> 'Condition' -> 'StringEquals' -> 'aws:principalarn' is null
    and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:principalarn' is null
    and (
      s -> 'Condition' -> 'StringLike' -> 'aws:principalarn' is null
      or s -> 'Condition' -> 'StringLike' -> 'aws:principalarn' ? '*'
    )
    and s -> 'Condition' -> 'ArnEquals' -> 'aws:principalarn' is null
    and (
      s -> 'Condition' -> 'ArnLike' -> 'aws:principalarn' is null
      or s -> 'Condition' -> 'ArnLike' -> 'aws:principalarn' ? '*'
    )
    -- aws:SourceArn
    and s -> 'Condition' -> 'StringEquals' -> 'aws:sourcearn' is null
    and s -> 'Condition' -> 'StringEqualsIgnoreCase' -> 'aws:sourcearn' is null
    and (
      s -> 'Condition' -> 'StringLike' -> 'aws:sourcearn' is null
      or s -> 'Condition' -> 'StringLike' -> 'aws:sourcearn' ? '*'
    )
    and s -> 'Condition' -> 'ArnEquals' -> 'aws:sourcearn' is null
    and (
      s -> 'Condition' -> 'ArnLike' -> 'aws:sourcearn' is null
      or s -> 'Condition' -> 'ArnLike' -> 'aws:sourcearn' ? '*'
    )
    and (
      s -> 'Principal' -> 'AWS' = '["*"]'
      or s ->> 'Principal' = '*'
    )
  group by
    arn
)
select
  r.arn as resource,
  case
    when p.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.arn is null then title || ' trust policy does not allow public access.'
    else title || ' trust policy contains ' || coalesce(p.statements_num, 0) ||
    ' statement(s) that allow public access.'
  end as reason
  
  , r.region, r.account_id
from
  aws_iam_role as r
  left join wildcard_action_policies as p on p.arn = r.arn;

Tags

category = Perimeter
plugin = aws
service = AWS/IAM