Comments (2)
Hi @yuliang29,
Thank you for reporting this issue and providing detailed steps to reproduce the false positive scenario in the Prowler AWS scan.
From the provided SQS access policy snippet, it seems that the condition indeed limits access based on the source S3 ARN, even though it lacks the account ID. This may be causing the misinterpretation in our policy condition parser.
To address this false positive, here are some insights and possible workarounds:
- Policy Condition Parsing: The current policy condition parser might not accurately interpret conditions without explicit account IDs. This could lead to false positives, especially in scenarios where conditions are based solely on resource ARNs without account specifics.
- Parser Enhancement: We can consider enhancing the parser logic to handle scenarios like the one you've described, where conditions might lack explicit account IDs but still have valid restrictions based on resource ARNs.
- Adjusting Policies: In the meantime, as a workaround, you might explicitly specify the AWS account ID in your conditions wherever possible to ensure accurate evaluation by the policy parser.
from prowler.
Hi @yuliang29 @SimardeepSingh-zsh, I was checking this issue and I noticed that this is fixed in the master branch. As you can see in this part of the code, https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/lib/policy_condition_parser/policy_condition_parser.py#L24-L43, we are handling the aws:SourceArn using the ArnEquals condition, so that check will raise a PASS finding for an SQS queue with that policy.
I'm going to close it since it is no longer an issue. Please feel free to reopen it if you notice the same behaviour again.
Thanks for using Prowler 🚀
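The point both maintainers are circling is how a policy condition parser decides that a statement with Principal "*" is not actually public. The following is an added example, not Prowler's own parser or any code from the thread: a simplified evaluator that treats a concrete value under ArnEquals/ArnLike on aws:SourceArn (or StringEquals on aws:SourceAccount) as restricting the caller, and specifically accepts an S3 bucket ARN such as arn:aws:s3:::my-bucket even though S3 bucket ARNs carry no account ID field. The function names (public_statements, check_queue_policy) and the two sample queue policies are constructed for illustration. The caveat a reviewer would add: a bare aws:SourceArn pin on a bucket ARN restricts the source, but AWS also recommends aws:SourceAccount alongside it to close confused-deputy cases, and a Bool aws:SecureTransport condition only enforces TLS and does not restrict who may call.

```python
"""Added example (not Prowler's code): is an SQS queue policy statement that
allows Principal "*" really public, or does a Condition on aws:SourceArn /
aws:SourceAccount restrict who can invoke it?  Names and samples are hypothetical."""
import json
from typing import Any

# Condition keys that identify the calling service, resource or account.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceowner", "aws:principalorgid"}
# Operators under which a value on a source key narrows the set of callers.
# Negated operators (ArnNotEquals, StringNotEquals) and Bool are deliberately absent.
RESTRICTING_OPERATORS = {
    "arnequals", "arnlike", "arnequalsifexists", "arnlikeifexists",
    "stringequals", "stringlike", "stringequalsifexists", "stringlikeifexists",
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, subject only to Condition."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in [str(p) for p in _as_list(principal.get("AWS", []))]
    return False


def _is_meaningful(value: str) -> bool:
    # "*" or a pattern made only of wildcards matches every caller, so it does
    # not restrict anything.  "arn:aws:s3:::my-bucket" has an empty account ID
    # field (S3 bucket ARNs never carry one) yet still pins the source to one bucket.
    value = value.strip()
    return bool(value) and not set(value) <= {"*", "?"}


def condition_restricts_source(condition: Any) -> bool:
    """True if some restricting operator on a source key lists a concrete value."""
    for operator, keys in (condition or {}).items():
        if operator.lower() not in RESTRICTING_OPERATORS:
            continue  # e.g. Bool aws:SecureTransport only enforces TLS
        for key, values in keys.items():
            if key.lower() in SOURCE_KEYS and any(_is_meaningful(str(v)) for v in _as_list(values)):
                return True
    return False


def public_statements(policy: dict) -> list:
    """Sids of Allow statements open to a wildcard principal with no source restriction."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(stmt.get("Principal")):
            continue
        if condition_restricts_source(stmt.get("Condition")):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def check_queue_policy(policy_json: str) -> str:
    """PASS when no statement is public, FAIL otherwise (a scanner-style verdict)."""
    return "FAIL" if public_statements(json.loads(policy_json)) else "PASS"


# Constructed sample: the shape described in the thread, an S3 event-notification
# policy whose only restriction is ArnEquals on a bucket ARN with no account ID.
S3_NOTIFICATION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3Events",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue",
        "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:s3:::my-bucket"}},
    }],
})

# Constructed sample: a Bool condition enforces TLS but anyone may still send.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenToWorld",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:123456789012:my-queue",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

if __name__ == "__main__":
    print("S3 notification policy:", check_queue_policy(S3_NOTIFICATION_POLICY))  # PASS
    print("open policy:", check_queue_policy(OPEN_POLICY))  # FAIL
```

Run it as a script to see the two verdicts; the key design choice is that the parser looks at the operator and the condition key, not at whether the ARN value happens to contain an account ID, which is exactly the case the reporter hit.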