prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more

Home Page: https://prowler.com

[Bug]: Check failing due to IAM Roles created by AWS Control Tower and AFT with AdministratorAccess policy

jfagoagas opened this issue · comments

Discussed in #3809

Originally posted by @dmkim22-lguplus April 18, 2024
Hello,

IAM Roles created by AWS Control Tower and AFT (Account Factory for Terraform) have the AdministratorAccess policy attached, and it seems "Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached" is failing due to this.

Should the following IAM Roles in an account be excluded from this check?

  • aws-controltower-AdministratorExecutionRole
  • AWSAFTExecution
  • AWSAFTService
  • AWSControlTowerExecution
  • stacksets-exec-*

Thank you in advance.

We need to do further investigation because the check iam_aws_attached_policy_no_administrative_privileges analyzes IAM Managed policies, so the resource_id is the policy name. There is no quick solution for this issue as of today; we need to think about having related resources in the same findings and using the allowlist.
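The comment above explains why the allowlist cannot target the Control Tower roles: the check emits one finding per managed policy, keyed by the policy name, not per role. Until related resources are carried in the finding, one workable triage step is to post-process the inventory yourself. The script below is an added example, not Prowler's own code: it re-implements the CIS "*:*" test on a policy document, then classifies each admin policy finding by whether every attached principal is one of the Control Tower / AFT role names listed in the issue (including the `stacksets-exec-*` glob). The inventory dict shape, the sample policies and the status labels are constructed for this example; in practice the same data comes from `ListPolicies`, `GetPolicyVersion` and `ListEntitiesForPolicy`.

```python
"""Triage helper for policy-level admin-privilege findings (added example, not Prowler code).

Given an inventory of managed policies with their documents and attached
principals, decide whether a "full *:* administrative privileges" finding is
explained entirely by known AWS Control Tower / AFT roles, or whether some
other role, user or group also carries the policy and the finding is real.
"""
import fnmatch

# Role names from the issue. 'stacksets-exec-*' is a glob pattern.
CONTROL_TOWER_ROLE_PATTERNS = (
    "aws-controltower-AdministratorExecutionRole",
    "AWSAFTExecution",
    "AWSAFTService",
    "AWSControlTowerExecution",
    "stacksets-exec-*",
)


def is_control_tower_role(role_name, patterns=CONTROL_TOWER_ROLE_PATTERNS):
    """True if the role name matches one of the known Control Tower / AFT names."""
    return any(fnmatch.fnmatchcase(role_name, pattern) for pattern in patterns)


def _as_list(value):
    """IAM policy JSON allows scalars or lists for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_allows_full_admin(document):
    """True if any Allow statement grants Action "*" on Resource "*" (the CIS *:* test)."""
    for statement in _as_list(document.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "*" in _as_list(statement.get("Action")) and "*" in _as_list(statement.get("Resource")):
            return True
    return False


def triage_policy(policy, patterns=CONTROL_TOWER_ROLE_PATTERNS):
    """Classify one managed policy the way the check sees it: per policy, not per role.

    Status values (constructed labels for this example):
      pass                     - policy does not grant *:*
      not-attached             - grants *:* but nothing is attached to it
      fail-control-tower-only  - grants *:* and only allowlisted roles carry it
      fail                     - grants *:* and some other principal carries it
    """
    roles = policy.get("Roles", [])
    others = [r for r in roles if not is_control_tower_role(r, patterns)]
    others += policy.get("Users", []) + policy.get("Groups", [])

    if not policy_allows_full_admin(policy["Document"]):
        status = "pass"
    elif others:
        status = "fail"
    elif roles:
        status = "fail-control-tower-only"
    else:
        status = "not-attached"
    return {"policy": policy["PolicyName"], "status": status, "other_principals": others}


def triage_all(policies, patterns=CONTROL_TOWER_ROLE_PATTERNS):
    """Triage a whole inventory; returns one dict per policy."""
    return [triage_policy(p, patterns) for p in policies]


# Constructed sample inventory (not real account data).
FULL_ADMIN_DOC = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_POLICIES = [
    {"PolicyName": "AdministratorAccess", "Document": FULL_ADMIN_DOC,
     "Roles": ["aws-controltower-AdministratorExecutionRole", "AWSAFTExecution",
               "stacksets-exec-a1b2c3d4"], "Users": [], "Groups": []},
    {"PolicyName": "DevAdmin",  # constructed customer-managed policy
     "Document": {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]},
     "Roles": ["stacksets-exec-deadbeef"], "Users": ["alice"], "Groups": []},
    {"PolicyName": "ReadOnlyAccess",
     "Document": {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow",
                                 "Action": ["s3:Get*", "ec2:Describe*"], "Resource": "*"}]},
     "Roles": ["auditor"], "Users": [], "Groups": []},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_POLICIES):
        print(f"{result['policy']:<20} {result['status']:<25} {result['other_principals']}")
```

Because the classification works on the per-policy view the check already uses, `fail-control-tower-only` is exactly the set of findings you could safely mute today, while `fail` on the constructed `DevAdmin` policy shows why muting by policy name alone would hide the user `alice` carrying the same privileges.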