Prowler Shows Confused Deputy High-Severity Fail in EU-West-1 After Fixing in US-East-1 & US-East-2 #6474
Hi @Krish3600, thanks for reaching us out.
Please find the trust policy as requested,
[inline screenshot attachment: trust policy]
Thanks & Regards
Krish
From: Sergio Garcia
Sent: Tuesday, January 14, 2025 2:28 AM
Hi @Krish3600, thanks for reaching us out.
Can you share the trust policy the Prowler is triggering as FAIL?
Hi @Krish3600, I cannot see the screenshot, can you send it again?
Hello Sergio
Thank you for your prompt response. As requested, please find attached a PDF containing detailed screenshots and information about the false-positive resources we’re seeing in the Prowler dashboard. Specifically:
1. List of False Positive Resources in the Prowler Dashboard
2. Examples of Resource ARNs and Their Trust Policies
* Resource ARN: arn:aws:iam::412239032805:role/cloud-saas-api-cacheInvalidateIamRole-us-east-1
* Trust Relationship shown in the attached PDF
* Resource ARN: arn:aws:iam::412239032805:role/cloud-saas-api-cacheInvalidateIamRole-us-west-2
* Trust Relationship shown in the attached PDF
* Resource ARN: arn:aws:iam::412239032805:role/cloud-saas-api-qa-us-east-1-apiLambdaFunctionRole-LZIEIBNZCED
* Trust Relationship shown in the attached PDF
We’ve confirmed that none of these resources actually reside in eu-west-1. Most are in us-east-1 (and one is in us-west-2), yet they keep appearing in the wrong region in the Prowler Cloud reports.
To expedite resolution, could we arrange a screen-sharing session or call to walk through our Prowler Cloud dashboard live? This will help us demonstrate the discrepancies in real time and potentially identify any configuration or logic issues leading to these false positives.
Please let me know if there’s any additional information or logs you need before scheduling a session. We appreciate your continued support and look forward to resolving this issue together.
Best regards,
Krish
From: Sergio Garcia
Sent: Tuesday, January 14, 2025 11:04 PM
Hi @Krish3600, I cannot see the screenshot, can you send it again?
Steps to Reproduce
Configure IAM and CloudFormation resources in us-east-1 and us-east-2 to prevent confused deputy attacks (verified via trust policies and recommended AWS configurations).
Run a Prowler scan across all regions.
Observe that Prowler flags eu-west-1 resources as “FAIL” for cross-service confused deputy checks, despite identical (or global) configurations across regions.
Expected behavior
Prowler should correctly identify that the confused deputy vulnerability has been addressed across all regions, including eu-west-1.
The checks should show a “PASS” if the policies and roles adhere to AWS best practices.
As there is no resource in the eu-west-1 region.
Actual Result with Screenshots or Logs
Actual Behavior (Screenshot):
Below is a screenshot demonstrating the repeated High FAIL findings in eu-west-1 for both CloudFormation and IAM (indicating a “confused deputy” vulnerability):
How did you install Prowler?
Cloning the repository from github.com (git clone)
Environment Resource
ec2-instance
OS used
Amazon linux
Prowler version
latest
Pip version
latest
Context
We have verified that all trust policies and resource configurations align with AWS recommended best practices.
Re-scanning multiple times still produces the same results.
This appears to be a false-positive or region-detection issue within Prowler.
Request:
Investigate why eu-west-1 is still showing as “FAIL” for confused deputy checks after successful fixes in other regions.
Provide any guidance or confirm if this is a bug in the scanning logic for global resources.
Please advise if there’s a configuration tweak or an updated check we can apply to resolve this discrepancy. Thank you for your help!
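An added example, not Prowler's own check code, of what a cross-service confused deputy check over a role trust policy looks like, and of why an IAM role ARN carries no region field (IAM is global, so a role cannot "reside" in eu-west-1 or anywhere else). The ARN is the first one quoted in the thread; the trust policy document is constructed for the example.

```python
import json

# Role ARN quoted in the thread; the trust policy below is constructed so that
# one service principal is protected and one is not.
SAMPLE_ARN = "arn:aws:iam::412239032805:role/cloud-saas-api-cacheInvalidateIamRole-us-east-1"
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Condition": {"StringEquals": {"aws:SourceAccount": "412239032805"}}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "cloudformation.amazonaws.com"}},
    ],
})

# Condition keys that bind a service principal to the resource on whose behalf
# it acts; IAM condition keys are matched case-insensitively.
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:sourceorgid", "aws:sourceorgpaths"}

def parse_arn(arn):
    """Split an ARN into its six fields. IAM is a global service, so the region
    field of a role ARN is always empty: the role does not live in any region."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %s" % arn)
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))

def _has_source_condition(statement):
    for keys in statement.get("Condition", {}).values():
        if any(k.lower() in SOURCE_KEYS for k in keys):
            return True
    return False

def unprotected_service_principals(trust_policy_json):
    """Return the service principals allowed to assume the role without any
    aws:Source* condition, i.e. the cross-service confused deputy exposure."""
    doc = json.loads(trust_policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be an object
        statements = [statements]
    exposed = []
    for st in statements:
        principal = st.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if st.get("Effect") == "Allow" and services and not _has_source_condition(st):
            exposed.extend(services)
    return exposed
```

Run against a real account by feeding each role's AssumeRolePolicyDocument (from `iam get-role`) to `unprotected_service_principals`; a role with an empty result is protected, and `parse_arn` shows that the region any scanner reports for it is the scanner's choice, not a property of the role.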