Add Confused Deputy Prevention

[dricross]

Description of the issue

To support confused deputy prevention, the CloudWatch Agent needs to be able to pass confused deputy context keys in the request headers of STS AssumeRole calls so that dependent service teams can allow their customers to use confused deputy context keys in their role policies.

For background on the confused deputy problem, see: https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html

Description of changes

• Move old assume_role test to credentials_file
  • The test uses aws sts assume-role call to grab credentials for a specific role and creates a credentials file which the agent will use. It does not actually test the agent's ability to assume a role via the agent configuration. The new tests do so a rename of the existing test is warranted to avoid confusion.
• Create a new assume_role test suite with several subtests, including positive and negative confused deputy prevention tests. This test runs on EC2 linux host only
  • Creates four IAM roles:
    • cwa-integ-assume-role-<test id>: Standard CloudWatch Agent permissions role with no confused deputy context keys
    • cwa-integ-assume-role-<test id>-source_arn_key: Standard CloudWatch Agent permissions role and uses the aws:SourceArn context key
    • cwa-integ-assume-role-<test id>-source_account_key: Standard CloudWatch Agent permissions role and uses the aws:SourceAccount context key
    • cwa-integ-assume-role-<test id>-all_context_keys: Standard CloudWatch Agent permissions role and uses the both the aws:SourceAccount and aws:SourceArn context keys
  • Runs the following tests:
    • AssumeRoleTest: Test that the agent can assume a standard IAM role and push metrics to CloudWatch
    • SourceArnKeyOnlyTest: Populate the AMZ_SOURCE_ACCOUNT and AMZ_SOURCE_ARN environment variables which configures the agent to populate confused deputy request headers and verify that the agent can assume an IAM role which uses a matching aws:SourceArn context key.
    • SourceAccountKeyOnlyTest: Populate the AMZ_SOURCE_ACCOUNT and AMZ_SOURCE_ARN environment variables which configures the agent to populate confused deputy request headers and verify that the agent can assume an IAM role which uses a matching aws:SourceAccount context key.
    • AllKeysTest: Populate the AMZ_SOURCE_ACCOUNT and AMZ_SOURCE_ARN environment variables which configuresthe agent to populate confused deputy request headers and verify that the agent can assume an IAM role which uses matching aws:SourceArn and the aws:SourceAccount context keys.
    • MissingSourceArnEnvTest: Populate only the AMZ_SOURCE_ACCOUNT environment variable and verify that the agent cannot assume an IAM role which uses the aws:SourceArn context keys.
    • MissingSourceAccountEnvTest: Populate only the AMZ_SOURCE_ARN environment variable and verify that the agent cannot assume an IAM role which uses the aws:SourceArn context keys.
    • ContextKeyMismatchAccountTest: Populate the AMZ_SOURCE_ACCOUNT and AMZ_SOURCE_ARN environment variables which configures the agent to populate confused deputy request headers which do not match the aws:SourceAccount context key of the IAM role it is configured to assume, and verify the agent is not able to assume the role
    • ContextKeyMismatchArnTest: Populate the AMZ_SOURCE_ACCOUNT and AMZ_SOURCE_ARN environment variables which configures the agent to populate confused deputy request headers which do not match the aws:SourceArn context key of the IAM role it is configured to assume, and verify the agent is not able to assume the role

+-------------------------------+----------------------------------------------------+----------------+------------+--------------------+------------+-----------------+
|             Test              |                   Role to Assume                   | AMZ_SOURCE_ARN | match role | AMZ_SOURCE_ACCOUNT | match role | expected result |
+-------------------------------+----------------------------------------------------+----------------+------------+--------------------+------------+-----------------+
| AssumeRoleTest                | cwa-integ-assume-role-<test id>                    | not populated  | n/a        | not populated      | n/a        | can assume      |
| SourceArnKeyOnlyTest          | cwa-integ-assume-role-<test id>-source_arn_key     | populated      | n/a        | populated          | yes        | can assume      |
| SourceAccountKeyOnlyTest      | cwa-integ-assume-role-<test id>-source_account_key | populated      | yes        | populated          | n/a        | can assume      |
| AllKeysTest                   | cwa-integ-assume-role-<test id>-all_context_keys   | populated      | yes        | populated          | yes        | can assume      |
| MissingSourceArnEnvTest       | cwa-integ-assume-role-<test id>-source_arn_key     | not populated  | n/a        | populated          | n/a        | cannot assume   |
| MissingSourceAccountEnvTest   | cwa-integ-assume-role-<test id>-source_account_key | populated      | yes        | not populated      | n/a        | cannot assume   |
| ContextKeyMismatchAccountTest | cwa-integ-assume-role-<test id>-all_context_keys   | populated      | yes        | fake account       | no         | cannot assume   |
| ContextKeyMismatchArnTest     | cwa-integ-assume-role-<test id>-all_context_keys   | fake ARN       | no         | populated          | yes        | cannot assume   |
+-------------------------------+----------------------------------------------------+----------------+------------+--------------------+------------+-----------------+

License

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Tests

Example run: https://github.com/aws/amazon-cloudwatch-agent/actions/runs/12778135116/job/35673452648

Note: the tests are currently failing as the test accounts needs to be specially onboarded with the STS service in order for STS to accept confused deputy keys in the request headers.