Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Confused Deputy Attack finding for AWS EKS service #4745

Closed
woodyweaver opened this issue Aug 14, 2024 · 1 comment · Fixed by #4759
Closed

Confused Deputy Attack finding for AWS EKS service #4745

woodyweaver opened this issue Aug 14, 2024 · 1 comment · Fixed by #4759
Assignees
Labels
bug severity/low Bug won't result in any noticeable breakdown of the execution.

Comments

@woodyweaver
Copy link

Steps to Reproduce

Run scan, inspect finding.

Expected behavior

I want for prowler to detect defects in configuration, and it does an excellent job on this front. However, I'm getting a "confused deputy" finding on our AWS EKS cluster role. The remediation guidance suggests following AWS guidance, to include "aws:SourceAccount" and/or "aws:SourceArn" condition keys. This was not successful. Opening a ticket with AWS produced language from Omar M.:

You mentioned that you were following the AWS recommendations by adding the “aws:SourceAccount” and “aws:SourceArn” condition keys and that you were still getting the error. I was able to reproduce this similar issue from my end as well and I have check and verified with our internal team that as of now EKS services does not support these conditions to prevent cross-account confused deputy attacks. Also, currently there are no other condition that you can use. It seems that there is currently no way to get around this finding for your use case (with EKS).

I reached out to our service team to provide this feedback but as a support engineer we do not have any ETA when will EKS provide support to these conditions. I was able to find an active feature request to add support for these conditions. I have gone ahead and have added a +1 and have added your case to the request in support of it. Unfortunately, I do not have any ETA for when/if this feature will be released. However, I do recommend keeping an eye on the AWS What’s New page [2] and AWS News Blog [3] for information on new feature releases.

I think it would be helpful to add an explanation to the finding guidance that it is not possible (according to AWS) to clear the finding using the AWS guidance.

Actual Result with Screenshots or Logs

Screenshot from 2024-08-14 15-17-46

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

EC2 instance

OS used

RHEL 9

Prowler version

Prowler 4.3.1 (latest is 4.3.3, upgrade for the latest features)

Pip version

pip 21.2.3 from /usr/lib/python3.9/site-packages/pip (python 3.9)

Context

No response

@woodyweaver woodyweaver added bug status/needs-triage Issue pending triage labels Aug 14, 2024
@puchy22 puchy22 added severity/low Bug won't result in any noticeable breakdown of the execution. and removed status/needs-triage Issue pending triage labels Aug 16, 2024
@puchy22 puchy22 self-assigned this Aug 16, 2024
@puchy22
Copy link
Member

puchy22 commented Aug 16, 2024

Hi @woodyweaver,

I will add a note in the finding's metadata to indicate that the AWS guidance involving aws:SourceAccount and aws:SourceArn conditions is not applicable to EKS, as confirmed by AWS. This will clarify that there is currently no way to clear the finding for EKS.

In the meantime, you could mute the finding using the Prowler mutelist since it's not remediable for now. I'll make a PR to address this soon. Thanks for your suggestion and for using Prowler! 🚀

Update: Here is the PR with the changes, please let me know if it fits the case or needs some improvement, I look forward to your response thanks for everything.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug severity/low Bug won't result in any noticeable breakdown of the execution.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants