Github Actions OIDC IAM Role Trust Relation (panther-labs#1456)

bcpenta · bcpenta · arielkr256 · web-flow · commit faebb96cc4c8 · 2025-01-15T14:10:57.000-07:00
Co-authored-by: bcpenta &lt;bpenta@Bharats-Mac-mini.local&gt;
Co-authored-by: Ariel Ropek &lt;79653153+arielkr256@users.noreply.github.com&gt;
Co-authored-by: Ariel &lt;ariel.ropek@panther.com&gt;
diff --git a/packs/aws.yml b/packs/aws.yml
@@ -70,6 +70,7 @@ PackDefinition:
     - AWS.IAM.PolicyModified
     - AWS.IAM.User.MFA
     - AWS.IAMUser.ReconAccessDenied
+    - AWS.IAM.Role.GitHubActionsTrust
     - AWS.Password.Unused
     - AWS.PasswordPolicy.ComplexityGuidelines
     - AWS.PasswordPolicy.PasswordAgeLimit
diff --git a/policies/aws_iam_policies/aws_iam_role_github_actions_trust.py b/policies/aws_iam_policies/aws_iam_role_github_actions_trust.py
@@ -0,0 +1,38 @@
+from panther_base_helpers import deep_get
+
+
+def policy(resource):
+    assume_role_policy = deep_get(resource, "AssumeRolePolicyDocument", "Statement", default=[])
+    is_valid = False
+
+    for statement in assume_role_policy:
+        if statement.get(
+            "Effect"
+        ) != "Allow" or "sts:AssumeRoleWithWebIdentity" not in statement.get("Action", []):
+            continue
+
+        principal = deep_get(statement, "Principal", "Federated")
+        if not principal or principal == "*":
+            return False
+        if "oidc-provider/token.actions.githubusercontent.com" not in principal:
+            continue
+
+        # Validate the conditions only if the Principal is valid for GitHub Actions
+        conditions = statement.get("Condition", {})
+        audience = deep_get(conditions, "StringEquals", "token.actions.githubusercontent.com:aud")
+        subject = deep_get(
+            conditions, "StringLike", "token.actions.githubusercontent.com:sub", default=""
+        ) or deep_get(
+            conditions, "StringEquals", "token.actions.githubusercontent.com:sub", default=""
+        )
+
+        if (
+            audience != "sts.amazonaws.com"
+            or not subject.startswith("repo:")
+            or ("*" in subject and not subject.startswith("repo:org/repo:*"))
+        ):
+            return False
+
+        is_valid = True  # Mark as valid if all checks pass
+
+    return is_valid
diff --git a/policies/aws_iam_policies/aws_iam_role_github_actions_trust.yml b/policies/aws_iam_policies/aws_iam_role_github_actions_trust.yml
@@ -0,0 +1,202 @@
+AnalysisType: policy
+Filename: aws_iam_role_github_actions_trust.py
+PolicyID: "AWS.IAM.Role.GitHubActionsTrust"
+DisplayName: "AWS IAM Role Trust Relationship for GitHub Actions"
+Enabled: true
+ResourceTypes:
+  - AWS.IAM.Role
+Tags:
+  - AWS
+  - GitHub Actions
+  - Identity & Access Management
+Severity: High
+Description: >
+  This policy ensures that IAM roles used with GitHub Actions are securely configured to prevent unauthorized access to AWS resources. 
+  It validates trust relationships by checking for proper audience (aud) restrictions, ensuring it is set to sts.amazonaws.com, and subject (sub) conditions, 
+  confirming they are scoped to specific repositories or environments. Misconfigurations, such as overly permissive wildcards or missing conditions, 
+  can allow unauthorized repositories to assume roles, leading to potential data breaches or compliance violations. 
+  By enforcing these checks, the policy mitigates risks of exploitation, enhances security posture, and protects critical AWS resources from external threats.
+Runbook: >
+  To fix roles flagged by this policy:
+  1. Update the trust relationship of the flagged IAM role in the AWS Management Console or CLI.
+  2. Add a Condition block with 'StringLike' or 'StringEquals' for 'token.actions.githubusercontent.com:sub'.
+  3. Ensure the audience is set to 'sts.amazonaws.com'.
+  4. Avoid overly permissive wildcards in the sub condition.
+Reference: >
+  - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_oidc.html
+  - https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers
+  - https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
+Tests:
+  - Name: Valid GitHub Actions Trust Relationship
+    ExpectedResult: true
+    Resource:
+      {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Principal": {
+                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                },
+                "StringLike": {
+                  "token.actions.githubusercontent.com:sub": "repo:org/repo:*"
+                }
+              }
+            }
+          ]
+        }
+      }
+
+  - Name: Missing Audience Condition
+    ExpectedResult: false
+    Resource:
+      {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Principal": {
+                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
+              },
+              "Condition": {
+                "StringLike": {
+                  "token.actions.githubusercontent.com:sub": "repo:org/repo:*"
+                }
+              }
+            }
+          ]
+        }
+      }
+
+  - Name: Missing Subject Restriction
+    ExpectedResult: false
+    Resource:
+      {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Principal": {
+                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                }
+              }
+            }
+          ]
+        }
+      }
+
+  - Name: Overly Permissive Wildcard in Subject
+    ExpectedResult: false
+    Resource:
+      {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Principal": {
+                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                },
+                "StringLike": {
+                  "token.actions.githubusercontent.com:sub": "*"
+                }
+              }
+            }
+          ]
+        }
+      }
+
+  - Name: Valid Subject Restriction with Specific Environment
+    ExpectedResult: true
+    Resource:
+      {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Principal": {
+                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+                  "token.actions.githubusercontent.com:sub": "repo:org/repo:environment:prod"
+                }
+              }
+            }
+          ]
+        }
+      }
+
+  - Name: Invalid Principal as Wildcard
+    ExpectedResult: false
+    Resource:
+      {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Principal": {
+                "Federated": "*"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                },
+                "StringLike": {
+                  "token.actions.githubusercontent.com:sub": "repo:org/repo:*"
+                }
+              }
+            }
+          ]
+        }
+      }
+
+  - Name: Non-GitHub OIDC Principal
+    ExpectedResult: false
+    Resource:
+      {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Action": "sts:AssumeRoleWithWebIdentity",
+              "Principal": {
+                "Federated": "arn:aws:iam::123456789012:oidc-provider/accounts.google.com"
+              },
+              "Condition": {
+                "StringEquals": {
+                  "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+                },
+                "StringLike": {
+                  "token.actions.githubusercontent.com:sub": "repo:org/repo:*"
+                }
+              }
+            }
+          ]
+        }
+      }
