diff --git a/account-data/demo/us-east-1/iam-get-account-authorization-details.json b/account-data/demo/us-east-1/iam-get-account-authorization-details.json
index 3ea6b226e..de699ce9a 100644
--- a/account-data/demo/us-east-1/iam-get-account-authorization-details.json
+++ b/account-data/demo/us-east-1/iam-get-account-authorization-details.json
@@ -1,5 +1,20 @@
 {
- "GroupDetailList": [],
+ "GroupDetailList": [
+ {
+ "Arn": "arn:aws:iam::aws:group/GROUP_WITH_BAD_INLINE_POLICY",
+ "AttachedManagedPolicies": [
+ {
+ "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
+ "PolicyName": "AmazonEC2RoleforSSM"
+ }
+ ],
+ "CreateDate": "2021-03-13T18:40:54+00:00",
+ "GroupId": "AGPAS2OTVRSQPU55LUWSO",
+ "GroupName": "GROUP_WITH_BAD_INLINE_POLICY",
+ "GroupPolicyList": [],
+ "Path": "/"
+ }
+ ],
 "Policies": [
 {
 "Arn": "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
@@ -401,5 +416,33 @@
 "Tags": []
 }
 ],
- "UserDetailList": []
+ "UserDetailList": [
+ {
+ "Arn": "arn:aws:iam::aws:user/USER_WITH_BAD_INLINE_POLICY",
+ "AttachedManagedPolicies": [
+ {
+ "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
+ "PolicyName": "AmazonEC2RoleforSSM"
+ }
+ ],
+ "CreateDate": "2021-03-13T18:42:09+00:00",
+ "GroupList": [],
+ "Path": "/",
+ "Tags": [],
+ "UserId": "AIDAS2OTVRSQMBNO326VD",
+ "UserName": "USER_WITH_BAD_INLINE_POLICY"
+ },
+ {
+ "Arn": "arn:aws:iam::aws:user/USER",
+ "AttachedManagedPolicies": [],
+ "CreateDate": "2021-03-13T18:42:34+00:00",
+ "GroupList": [
+ "GROUP_WITH_BAD_INLINE_POLICY"
+ ],
+ "Path": "/",
+ "Tags": [],
+ "UserId": "AIDAS2OTVRSQISETXJGWF",
+ "UserName": "USER"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/account-data/demo/us-east-1/iam-get-user/USER b/account-data/demo/us-east-1/iam-get-user/USER
new file mode 100644
index 000000000..12645b17f
--- /dev/null
+++ b/account-data/demo/us-east-1/iam-get-user/USER
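Review bot: The group added at the top of the first hunk is named `GROUP_WITH_BAD_INLINE_POLICY`, yet its `GroupPolicyList` is `[]`; the only policy it carries is the attached managed policy `arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM`, so this fixture exercises the `AttachedManagedPolicies` path and never an inline policy. Either rename it to something like `GROUP_WITH_KNOWN_BAD_POLICY` or add an inline entry to `GroupPolicyList` so the name matches what the audit actually sees. The ARN's account field is also `aws` (`arn:aws:iam::aws:group/...`), which is the namespace used for AWS-managed policies rather than a customer account; real `get-account-authorization-details` output carries a 12-digit account ID there, so any code that parses the account out of a principal ARN is not exercised by this demo data.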
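Review bot: `USER` at the end of the second hunk holds `AmazonEC2RoleforSSM` only through `"GroupList": ["GROUP_WITH_BAD_INLINE_POLICY"]`, and nothing in the diff shows whether the audit expands group membership when attributing `IAM_KNOWN_BAD_POLICY` findings; if it does, the expected output for the demo account should include a finding for `arn:aws:iam::aws:user/USER`, and if it does not, that is a genuine gap because the user effectively has the policy. Separately, both user records omit `UserPolicyList` while the group record includes `"GroupPolicyList": []`; if the Python side reads `user["UserPolicyList"]` directly instead of `user.get("UserPolicyList", [])`, this fixture will raise `KeyError` — worth confirming against the user loop in `shared/iam_audit.py`. As with the group, `USER_WITH_BAD_INLINE_POLICY` has no inline policy at all, only the attached managed one, so the name misdescribes what is being tested.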
@@ -0,0 +1,9 @@
+{
+ "User": {
+ "Arn": "arn:aws:iam::aws:user/USER",
+ "CreateDate": "2021-03-13T18:42:34+00:00",
+ "Path": "/",
+ "UserId": "AIDAS2OTVRSQISETXJGWF",
+ "UserName": "USER"
+ }
+}
\ No newline at end of file
diff --git a/account-data/demo/us-east-1/iam-get-user/USER_WITH_BAD_INLINE_POLICY b/account-data/demo/us-east-1/iam-get-user/USER_WITH_BAD_INLINE_POLICY
new file mode 100644
index 000000000..75fcbbf45
--- /dev/null
+++ b/account-data/demo/us-east-1/iam-get-user/USER_WITH_BAD_INLINE_POLICY
@@ -0,0 +1,9 @@
+{
+ "User": {
+ "Arn": "arn:aws:iam::aws:user/USER_WITH_BAD_INLINE_POLICY",
+ "CreateDate": "2021-03-13T18:42:09+00:00",
+ "Path": "/",
+ "UserId": "AIDAS2OTVRSQMBNO326VD",
+ "UserName": "USER_WITH_BAD_INLINE_POLICY"
+ }
+}
\ No newline at end of file
diff --git a/shared/iam_audit.py b/shared/iam_audit.py
index c26b392ec..f97c4aeee 100644
--- a/shared/iam_audit.py
+++ b/shared/iam_audit.py
@@ -392,7 +392,7 @@ def find_admins_in_account(
 Finding(
 region,
 "IAM_KNOWN_BAD_POLICY",
- role["Arn"],
+ group["Arn"],
 resource_details={
 "comment": KNOWN_BAD_POLICIES[policy["PolicyArn"]],
 "policy": policy["PolicyArn"],
@@ -441,7 +441,7 @@ def find_admins_in_account(
 Finding(
 region,
 "IAM_KNOWN_BAD_POLICY",
- role["Arn"],
+ user["Arn"],
 resource_details={
 "comment": KNOWN_BAD_POLICIES[policy["PolicyArn"]],
 "policy": policy["PolicyArn"],
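Review bot: The `role["Arn"]` to `group["Arn"]` correction in the `@@ -392` hunk is right, but the bug it fixes appears to exist because the same `Finding(region, "IAM_KNOWN_BAD_POLICY", ..., resource_details={...})` block is repeated once per principal type and the copies drifted; `find_admins_in_account` begins and ends outside the hunk so the loops themselves are not visible, but the repeated blocks should collapse into one helper, e.g. `def _known_bad_policy_finding(region, principal_arn, policy): return Finding(region, "IAM_KNOWN_BAD_POLICY", principal_arn, resource_details={"comment": KNOWN_BAD_POLICIES[policy["PolicyArn"]], "policy": policy["PolicyArn"]})`, called from each loop with that loop's own ARN. That removes the only place this class of mistake can recur. A short why-comment at the call site, `# Flag principals that have a managed policy from KNOWN_BAD_POLICIES attached`, would also help a reader who lands here without context.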
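Review bot: The old `role["Arn"]` in the `@@ -441` hunk would, if `role` was still bound from an earlier loop over roles, silently attribute the user's finding to whichever role was processed last, and raise `NameError` otherwise — so this fix changes which resource is reported, not just a typo, and deserves a regression test rather than only new demo data. A test driven by the new fixture should assert that the `IAM_KNOWN_BAD_POLICY` findings' resource ARNs are exactly `arn:aws:iam::aws:group/GROUP_WITH_BAD_INLINE_POLICY` and `arn:aws:iam::aws:user/USER_WITH_BAD_INLINE_POLICY`, and that no such finding names a role. `find_admins_in_account` starts before and continues after this hunk.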