prowler-cloud/prowler

Integrating SCP/RCP Policy Awareness into Prowler Security Checks

Open

#7,114 opened on Mar 4, 2025

Labels: feature-request, help wanted

Description

New feature motivation

Prowler currently evaluates AWS resources based on direct API responses but does not consider the impact of Service Control Policies (SCPs) or Resource Control Policies (RCPs). As a result, security assessments may produce inaccurate findings, leading to potential false positives and unnecessary remediation efforts.

Prowler's security checks rely on API calls to validate configurations.

Example: For instance, when assessing an S3 bucket, Prowler verifies whether secure connection = True is explicitly set in the bucket policy. However, if an RCP enforces secure connections at the resource level, Prowler does not account for this enforcement and incorrectly flags the bucket as non-compliant.

Solution Proposed

To enhance the accuracy of Prowler’s security assessments, we propose incorporating SCP and RCP awareness into its security checks by:

Expanding API calls to identify whether an SCP or RCP enforces security controls at the organizational or resource level.

Correlating policy enforcement with scan findings to differentiate between missing configurations and policies that override default settings.

Updating reporting mechanisms to provide transparency regarding policy-enforced security controls and minimize false-positive alerts.

Describe alternatives you've considered

Use Cases:

S3 Secure Connection Enforcement: A security team runs Prowler to check S3 bucket policies for mandatory secure connections. Currently, if an RCP enforces secure connections at the bucket level, Prowler does not recognize this, leading to an incorrect compliance failure.

STS AssumeRole Restriction: An organization enforces an SCP that restricts sts:AssumeRole to its organization ID. Despite this enforcement, Prowler flags IAM role settings as non-compliant because it does not account for SCP-based restrictions.

General AWS API Evaluations: In cases where security policies enforce explicit deny rules via SCPs or RCPs, Prowler may not accurately reflect the security state due to missing policy validation.
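The correlation step proposed above, applied to the S3 secure-connection use case, as an added example that is not Prowler's own code: a simplified stand-in for an S3 secure-transport check that passes when either the bucket policy or an RCP in effect for the account denies requests made without TLS, and reports which document enforces it. The policy documents are constructed samples; it assumes the caller has already resolved the RCPs attached to the account (for example via the Organizations API) and passes them in as JSON strings.

```python
import json

# Constructed sample documents (not from the issue or from Prowler).
BUCKET_POLICY_WITHOUT_TLS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
RCP_ENFORCING_TLS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EnforceSecureTransport", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:*", "Resource": "*",
                   "Condition": {"BoolIfExists": {"aws:SecureTransport": "false"}}}],
})


def _as_list(value):
    # Policy grammar allows a single string or a list for Statement/Action/values.
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy_json):
    """True if the document has a Deny covering S3 actions that fires when
    aws:SecureTransport is false (Bool or BoolIfExists, key case-insensitive)."""
    doc = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        cond = stmt.get("Condition", {})
        for op in ("Bool", "BoolIfExists"):
            for key, val in cond.get(op, {}).items():
                if key.lower() == "aws:securetransport" and any(
                        str(v).lower() == "false" for v in _as_list(val)):
                    return True
    return False


def check_secure_transport(bucket_policy_json, effective_rcps=()):
    """Return (status, enforced_by). effective_rcps is a list of (name, json) pairs.
    The bucket policy is consulted first, then each RCP in effect for the account."""
    if denies_insecure_transport(bucket_policy_json):
        return "PASS", "bucket policy"
    for name, rcp_json in effective_rcps:
        if denies_insecure_transport(rcp_json):
            return "PASS", f"RCP {name}"
    return "FAIL", None
```

Reporting `enforced_by` is what keeps the finding transparent: a PASS attributed to an RCP tells the reader the bucket policy itself still lacks the statement, so removing the RCP would reopen the gap.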

Additional context

No response
