Inconsistency with securityhub rules

[NMuee]

Hello Prowler team,
I have quite a number of rules that I would like to check with the team.

1. iam_aws_attached_policy_no_administrative_privileges​​

AWS Managed policy: AdministratorAccess being flagged out as FAILED
No control over AWS Managed Policy

2. sns_topics_kms_encryption_at_rest_enabled​

My SNS resources are flagged as FAILED under this rule, but flagged as PASSED in AWS Security Hub/AWS Foundational Security Best Practices v1.0.0/[SNS.1]SNS topics should be encrypted at-rest using AWS KMS

Thank you.

[jfagoagas]

Hi @NMuee,

1. The check iam_aws_attached_policy_no_administrative_privileges verifies if any IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached. So, if you have a user with that policy attached Prowler will raise a FAIL.

2. The check sns_topics_kms_encryption_at_rest_enabled verifies if your topic has a KMS Key configured. Could you share your SNS topic configuration to verify it? With the latest version of Prowler this check works as expected, see the image below.
   

Thanks for using Prowler 🚀

[NMuee]

Thank you very much, previously I was using prowler v3.6.1, thus the sns_topics_kms_encryption_at_rest_enabled was providing the wrong output.

However, for iam_aws_attached_policy_no_administrative_privileges, is there a way for me to whitelist based on the entity attached to the policies? Thank you

[jfagoagas]

For the iam_aws_attached_policy_no_administrative_privileges check you can use the Allowlist feature not to raise a FAIL. Check the following tutorial to use it --> https://docs.prowler.cloud/en/latest/tutorials/allowlist/

Thanks!

[NMuee]

Regarding the Allowlist
I understand that prowler allowlist is able to filter resources based on arn

Currently the AWS Managed policies: AdministratorAccess is being flagged due to entities being attached to them.
Instead of me allowing the "AdministratorAccess" policies. I would still like to monitor this finding, based on certain entities attached to me. Any method can this be done by filtering based on entities?

[jfagoagas]

With the allowlist you can filter just one resource for a specific check in the case you need it. So you can allowlist the one raising a FAIL now but the following findings not related with that resource will be marked as PASS or FAIL.