Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update EC2 Permissions for Support Staff #3

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

ncc-erik-steringer
Copy link
Owner

In this PR demo, we show what would happen if we added some overly-broad permissions to the support staff IAM Role. There should be two checks that fail:

  • PMapper test looking at if Support can access any other users/roles.
  • Scout Suite test looking for inline policies allowing iam:PassRole for *

@github-actions
Copy link

PMapper Test Results:

test_no_privesc (test_permissions.TestAuthorizationBoundaries)
Ensure that nobody can escalate their privileges from non-admin to to admin. ... ok
test_support_cannot_put (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot call s3:PutObject for any of ... FAIL
test_support_has_no_edges (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot access any other ... FAIL

======================================================================
FAIL: test_support_cannot_put (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot call s3:PutObject for any of
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/Aerides/Aerides/testcode/test_permissions.py", line 70, in test_support_cannot_put
    self.fail(
AssertionError: role/support-staff is allowed to call s3:PutObject with arn:aws:s3:::tktk-service-api-logs/test_object

======================================================================
FAIL: test_support_has_no_edges (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot access any other
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/Aerides/Aerides/testcode/test_permissions.py", line 87, in test_support_has_no_edges
    self.fail('The support staff role had access to other users or roles in the account:\n\n{}'.format(
AssertionError: The support staff role had access to other users or roles in the account:

role/support-staff can use EC2 to run an instance with an existing instance profile to access role/APIEC2BackendHostRole
role/support-staff can use EC2 to run an instance and then associate an existing instance profile to access role/APIEC2BackendHostRole

----------------------------------------------------------------------
Ran 3 tests in 0.109s

FAILED (failures=2)

@github-actions
Copy link

Scout Suite Test Results:

test_ec2_no_ports_open_to_all (test_scoutsuite_rails.TestScoutSuiteExpected) ... ok
test_iam_no_inline_notaction (test_scoutsuite_rails.TestScoutSuiteExpected) ... ok
test_iam_no_inline_passrole (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify there are no inline policies granting iam:PassRole for * ... FAIL

======================================================================
FAIL: test_iam_no_inline_passrole (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify there are no inline policies granting iam:PassRole for *
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/Aerides/Aerides/testcode/test_scoutsuite_rails.py", line 115, in test_iam_no_inline_passrole
    self.fail(
AssertionError: The following IAM Users/Roles/Groups had an inline policy allowing iam:PassRole for all resources:

* arn:aws:iam::000000000000:role/support-staff

----------------------------------------------------------------------
Ran 3 tests in 0.011s

FAILED (failures=1)

@github-actions
Copy link

PMapper Test Results:

test_no_privesc (test_permissions.TestAuthorizationBoundaries)
Ensure that nobody can escalate their privileges from non-admin to to admin. ... ok
test_support_cannot_put (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot call s3:PutObject for any of the S3 buckets. ... FAIL
test_support_has_no_edges (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot access any other users or roles in the account. ... FAIL

======================================================================
FAIL: test_support_cannot_put (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot call s3:PutObject for any of the S3 buckets.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/Aerides/Aerides/testcode/test_permissions.py", line 82, in test_support_cannot_put
    self.fail('Support was allowed to upload files to S3:\n\n{}'.format(
AssertionError: Support was allowed to upload files to S3:

* role/support-staff is allowed to call s3:PutObject for arn:aws:s3:::tktk-service-api-logs/test_object

======================================================================
FAIL: test_support_has_no_edges (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot access any other users or roles in the account.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/Aerides/Aerides/testcode/test_permissions.py", line 95, in test_support_has_no_edges
    self.fail('The support staff role had access to other users or roles in the account:\n\n{}'.format(
AssertionError: The support staff role had access to other users or roles in the account:

role/support-staff can use EC2 to run an instance with an existing instance profile to access role/APIEC2BackendHostRole
role/support-staff can use EC2 to run an instance and then associate an existing instance profile to access role/APIEC2BackendHostRole

----------------------------------------------------------------------
Ran 3 tests in 0.128s

FAILED (failures=2)

@github-actions
Copy link

Scout Suite Test Results:

test_ec2_no_ports_open_to_all (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify that none of the security groups have a port open to 0.0.0.0/0 ... ok
test_iam_no_inline_notaction (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify no inline IAM Policies (for Users/Roles/Groups) use the NotAction field ... ok
test_iam_no_inline_passrole (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify there are no inline policies granting iam:PassRole for * ... FAIL

======================================================================
FAIL: test_iam_no_inline_passrole (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify there are no inline policies granting iam:PassRole for *
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/Aerides/Aerides/testcode/test_scoutsuite_rails.py", line 111, in test_iam_no_inline_passrole
    self.fail(
AssertionError: The following IAM Users/Roles/Groups had an inline policy allowing iam:PassRole for all resources:

* arn:aws:iam::000000000000:role/support-staff

----------------------------------------------------------------------
Ran 3 tests in 0.008s

FAILED (failures=1)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant