def gen_overprivileged_function_findings(graph: Graph) -> List[Finding]:
    """Generates findings related to risk from Lambda functions being loaded with overprivileged roles

    Every node of ``graph`` whose ARN is a role, that is flagged ``is_admin``, and whose trust
    policy lets the Lambda service principal call ``sts:AssumeRole`` is collected. When at least
    one such role exists a single Medium-severity Finding listing them is returned; otherwise the
    returned list is empty.
    """
    lambda_principal = 'lambda.amazonaws.com'

    def _assumable_by_lambda(role_node) -> bool:
        # The role's trust policy is run through the resource-policy evaluator. The trailing {}
        # is the condition context, so trust-policy conditions (e.g. source-ARN restrictions)
        # are presumably not simulated here -- TODO confirm against query_interface.
        verdict = query_interface.resource_policy_authorization(
            lambda_principal,
            arns.get_account_id(role_node.arn),
            role_node.trust_policy,
            'sts:AssumeRole',
            role_node.arn,
            {}
        )
        return verdict == query_interface.ResourcePolicyEvalResult.SERVICE_MATCH

    # Order of the checks matters: the cheap ARN/is_admin tests short-circuit before the
    # policy evaluation is attempted, as in the original loop.
    admin_roles = [
        candidate for candidate in graph.nodes
        if ':role/' in candidate.arn and candidate.is_admin and _assumable_by_lambda(candidate)
    ]

    if not admin_roles:
        return []

    preamble = (
        'In AWS, Lambda functions can be assigned an IAM Role to use during execution. These '
        'IAM Roles give the function access to call the AWS API with the permissions of the '
        'IAM Role, depending on the policies attached to it. If the Lambda function can be '
        'compromised, and the attacker can alter the code it executes, the attacker could '
        'make AWS API calls with the IAM Role\'s permissions. The following IAM Roles have '
        'administrative privileges, and can be passed to Lambda functions:\n\n'
    )
    role_list = ''.join('* {}\n'.format(role.searchable_name()) for role in admin_roles)

    if len(admin_roles) > 1:
        title = 'IAM Roles Available to Lambda Functions Have Administrative Privileges'
    else:
        title = 'IAM Role Available to Lambda Functions Has Administrative Privileges'

    impact = (
        'If an attacker can inject code or commands into the function, or if a lower-privileged principal can '
        'alter the function, the AWS account as a whole could be compromised.'
    )
    recommendation = 'Reduce the scope of permissions attached to the noted IAM Role(s).'

    return [Finding(title, 'Medium', impact, preamble + role_list, recommendation)]
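def gen_overprivileged_stack_findings(graph: Graph) -> List[Finding]:
    """Generates findings related to risk from CloudFormation stacks being loaded with overprivileged roles

    Every node of ``graph`` whose ARN is a role, that is flagged ``is_admin``, and whose trust
    policy lets the CloudFormation service principal call ``sts:AssumeRole`` is collected. When
    at least one such role exists a single Low-severity Finding listing them is returned;
    otherwise the returned list is empty.

    Fix over the previous version: the impact text misspelled "administrative" as
    "adminstrative"; the report text now reads correctly.
    """
    cloudformation_principal = 'cloudformation.amazonaws.com'

    def _assumable_by_cloudformation(role_node) -> bool:
        # The role's trust policy is run through the resource-policy evaluator. The trailing {}
        # is the condition context, so trust-policy conditions are presumably not simulated
        # here -- TODO confirm against query_interface.
        verdict = query_interface.resource_policy_authorization(
            cloudformation_principal,
            arns.get_account_id(role_node.arn),
            role_node.trust_policy,
            'sts:AssumeRole',
            role_node.arn,
            {}
        )
        return verdict == query_interface.ResourcePolicyEvalResult.SERVICE_MATCH

    # Cheap ARN/is_admin tests run first and short-circuit before the policy evaluation.
    admin_roles = [
        candidate for candidate in graph.nodes
        if ':role/' in candidate.arn and candidate.is_admin and _assumable_by_cloudformation(candidate)
    ]

    if not admin_roles:
        return []

    preamble = (
        'In AWS, CloudFormation stacks can be given an IAM Role. When a stack has an IAM '
        'Role, it can use that IAM Role to make AWS API calls to create the resources '
        'defined in the template for that stack. If the IAM Role has administrator access '
        'to the account, and an attacker is able to make the right CloudFormation API calls, '
        'they would be able to use the IAM Role to escalate privileges and compromise the '
        'account as a whole. The following IAM Roles can be used in CloudFormation and '
        'have administrative privileges:\n\n'
    )
    role_list = ''.join('* {}\n'.format(role.searchable_name()) for role in admin_roles)

    if len(admin_roles) > 1:
        title = 'IAM Roles Available to CloudFormation Stacks Have Administrative Privileges'
    else:
        title = 'IAM Role Available to CloudFormation Stacks Has Administrative Privileges'

    impact = (
        'If an attacker has the right permissions in the AWS Account, they can grant themselves administrative '
        'access to the account to compromise the account.'
    )
    recommendation = 'Reduce the scope of permissions attached to the noted IAM Role(s).'

    return [Finding(title, 'Low', impact, preamble + role_list, recommendation)]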