Merge pull request duo-labs#856 from clholm/main

Fix issue 855
m4maker · Nov 3, 2021 · a3fb88e · a3fb88e
2 parents a8a52fb + 9c618e0
commit a3fb88e
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 4 deletions.
diff --git a/account-data/demo/us-east-1/iam-get-account-authorization-details.json b/account-data/demo/us-east-1/iam-get-account-authorization-details.json
@@ -1,5 +1,20 @@
 {
-    "GroupDetailList": [],
+    "GroupDetailList": [
+        {
+            "Arn": "arn:aws:iam::aws:group/GROUP_WITH_BAD_INLINE_POLICY",
+            "AttachedManagedPolicies": [
+                {
+                    "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
+                    "PolicyName": "AmazonEC2RoleforSSM"
+                }
+            ],
+            "CreateDate": "2021-03-13T18:40:54+00:00",
+            "GroupId": "AGPAS2OTVRSQPU55LUWSO",
+            "GroupName": "GROUP_WITH_BAD_INLINE_POLICY",
+            "GroupPolicyList": [],
+            "Path": "/"
+        }
+    ],
     "Policies": [
         {
             "Arn": "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
@@ -401,5 +416,33 @@
             "Tags": []
         }
     ],
-    "UserDetailList": []
+    "UserDetailList": [
+        {
+            "Arn": "arn:aws:iam::aws:user/USER_WITH_BAD_INLINE_POLICY",
+            "AttachedManagedPolicies": [
+                {
+                    "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
+                    "PolicyName": "AmazonEC2RoleforSSM"
+                }
+            ],
+            "CreateDate": "2021-03-13T18:42:09+00:00",
+            "GroupList": [],
+            "Path": "/",
+            "Tags": [],
+            "UserId": "AIDAS2OTVRSQMBNO326VD",
+            "UserName": "USER_WITH_BAD_INLINE_POLICY"
+        },
+        {
+            "Arn": "arn:aws:iam::aws:user/USER",
+            "AttachedManagedPolicies": [],
+            "CreateDate": "2021-03-13T18:42:34+00:00",
+            "GroupList": [
+                "GROUP_WITH_BAD_INLINE_POLICY"
+            ],
+            "Path": "/",
+            "Tags": [],
+            "UserId": "AIDAS2OTVRSQISETXJGWF",
+            "UserName": "USER"
+        }
+    ]
 }
diff --git a/account-data/demo/us-east-1/iam-get-user/USER b/account-data/demo/us-east-1/iam-get-user/USER
@@ -0,0 +1,9 @@
+{
+    "User": {
+        "Arn": "arn:aws:iam::aws:user/USER",
+        "CreateDate": "2021-03-13T18:42:34+00:00",
+        "Path": "/",
+        "UserId": "AIDAS2OTVRSQISETXJGWF",
+        "UserName": "USER"
+    }
+}
diff --git a/account-data/demo/us-east-1/iam-get-user/USER_WITH_BAD_INLINE_POLICY b/account-data/demo/us-east-1/iam-get-user/USER_WITH_BAD_INLINE_POLICY
@@ -0,0 +1,9 @@
+{
+    "User": {
+        "Arn": "arn:aws:iam::aws:user/USER_WITH_BAD_INLINE_POLICY",
+        "CreateDate": "2021-03-13T18:42:09+00:00",
+        "Path": "/",
+        "UserId": "AIDAS2OTVRSQMBNO326VD",
+        "UserName": "USER_WITH_BAD_INLINE_POLICY"
+    }
+}
diff --git a/shared/iam_audit.py b/shared/iam_audit.py
@@ -393,7 +393,7 @@ def find_admins_in_account(
                     Finding(
                         region,
                         "IAM_KNOWN_BAD_POLICY",
-                        role["Arn"],
+                        group["Arn"],
                         resource_details={
                             "comment": KNOWN_BAD_POLICIES[policy["PolicyArn"]],
                             "policy": policy["PolicyArn"],
@@ -442,7 +442,7 @@ def find_admins_in_account(
                     Finding(
                         region,
                         "IAM_KNOWN_BAD_POLICY",
-                        role["Arn"],
+                        user["Arn"],
                         resource_details={
                             "comment": KNOWN_BAD_POLICIES[policy["PolicyArn"]],
                             "policy": policy["PolicyArn"],