Description
Describe the bug
The finding "Role Passed to Stack" has an incorrect condition. The intent is to find CloudFormation stacks where a role has not been specified. The linked AWS documentation for the finding says:
In most cases, users require full access to manage all of the resources in a template. AWS CloudFormation makes calls to create, modify, and delete those resources on their behalf. To separate permissions between a user and the AWS CloudFormation service, use a service role. AWS CloudFormation uses the service role's policy to make calls instead of the user's policy.
However, the finding check does this:

```json
{
    "description": "Role Passed to Stack",
    "rationale": "Passing a role to CloudFormation stacks may result in privilege escalation because IAM users with privileges within the CloudFormation scope implicitly inherit the stack's role's permissions. Consequently, it should be ensured that the IAM privileges assigned to the stack's role follow the principle of least privilege.",
    "references": [
        "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html"
    ],
    "dashboard_name": "Stacks",
    "path": "cloudformation.regions.id.stacks.id",
    "conditions": [
        "and",
        [
            "this",
            "withKey",
            "iam_role"
        ],
        [
            "this.iam_role.id",
            "notEmpty",
            ""
        ]
    ]
}
```
The check "notEmpty" should instead be "empty", to find CloudFormation stacks without roles.
To Reproduce
- Create a CloudFormation Stack with an IAM Role
- Run `python scout.py aws`
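To make the effect of the two condition variants concrete, the following is an added example (not ScoutSuite's own condition engine, which it only approximates for the `and`, `withKey`, `notEmpty` and `empty` tests the rule uses). It walks the rule's `path` over a constructed inventory, where the literal `id` segment is treated as a wildcard over region and stack ids, and reports which sample stacks the original condition and the proposed `empty` condition each flag. The inventory, including a stack whose `iam_role.id` is an empty string and one with no `iam_role` key at all, is made up for the demonstration, and the `iam_role`/`id` layout of a stack is assumed from the rule itself.

```python
"""Evaluate both versions of the "Role Passed to Stack" condition on sample stacks."""

# Constructed sample inventory in the shape the rule's "path" walks:
#   cloudformation.regions.<region id>.stacks.<stack id>
SAMPLE_DATA = {
    "cloudformation": {
        "regions": {
            "us-east-1": {
                "stacks": {
                    "stack-with-role": {
                        "name": "app",
                        "iam_role": {"id": "arn:aws:iam::123456789012:role/cfn-deploy"},
                    },
                    "stack-no-role-key": {"name": "legacy"},           # no iam_role key at all
                    "stack-empty-role": {"name": "staging", "iam_role": {"id": ""}},
                }
            },
            "eu-west-1": {
                "stacks": {
                    "stack-with-role-eu": {
                        "name": "app-eu",
                        "iam_role": {"id": "arn:aws:iam::123456789012:role/cfn-deploy-eu"},
                    }
                }
            },
        }
    }
}

RULE_PATH = "cloudformation.regions.id.stacks.id"

# The conditions as they appear in the shipped rule ...
ORIGINAL_CONDITIONS = ["and", ["this", "withKey", "iam_role"], ["this.iam_role.id", "notEmpty", ""]]
# ... and with "notEmpty" replaced by "empty", as the issue proposes.
PROPOSED_CONDITIONS = ["and", ["this", "withKey", "iam_role"], ["this.iam_role.id", "empty", ""]]

EMPTY_VALUES = (None, "", [], {})


def iter_path(data, path):
    """Yield (stack_id, item) for every object matched by a dotted path.

    A literal "id" segment is a wildcard over the keys of the current dict, which is
    how the rule's path reaches every stack in every region.
    """
    segments = path.split(".")

    def walk(node, idx, trail):
        if idx == len(segments):
            yield trail[-1], node
            return
        if not isinstance(node, dict):
            return
        seg = segments[idx]
        if seg == "id":
            for key, child in node.items():
                yield from walk(child, idx + 1, trail + [key])
        elif seg in node:
            yield from walk(node[seg], idx + 1, trail + [seg])

    yield from walk(data, 0, [])


def resolve(item, attr):
    """Resolve "this" to the item and "this.a.b" to item["a"]["b"], or None if absent."""
    parts = attr.split(".")
    if parts[0] != "this":
        raise ValueError(f"unsupported attribute {attr!r}")
    node = item
    for part in parts[1:]:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate(condition, item):
    """Simplified evaluator: ["and"/"or", c1, c2, ...] or [attribute, test, value]."""
    if condition[0] in ("and", "or"):
        results = [evaluate(sub, item) for sub in condition[1:]]
        return all(results) if condition[0] == "and" else any(results)
    attr, test, value = condition
    target = resolve(item, attr)
    if test == "withKey":
        return isinstance(target, dict) and value in target
    if test == "notEmpty":
        return target not in EMPTY_VALUES
    if test == "empty":
        return target in EMPTY_VALUES
    raise ValueError(f"unsupported test {test!r}")


def flagged_stacks(conditions, data=SAMPLE_DATA, path=RULE_PATH):
    """Return the sorted ids of the stacks the given conditions flag."""
    return sorted(stack_id for stack_id, item in iter_path(data, path) if evaluate(conditions, item))


if __name__ == "__main__":
    print("original (notEmpty):", flagged_stacks(ORIGINAL_CONDITIONS))
    print("proposed (empty):   ", flagged_stacks(PROPOSED_CONDITIONS))
```

Running it shows the shipped condition flagging only the stacks that carry a non-empty `iam_role.id`, while the `empty` variant flags the stack whose `iam_role.id` is an empty string; because both variants keep the `withKey` clause, a stack with no `iam_role` key at all is matched by neither, which is worth checking against real ScoutSuite output when changing the rule.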