False positive on iam_policy_allows_privilege_escalation for iam:CreateAccessKey restricted to current user

[enver]

Steps to Reproduce

1. Create AWS IAM policy:

{
    "Statement": [
        {
            "Action": [
                "iam:UpdateAccessKey",
                "iam:ListAccessKeys",
                "iam:DeleteAccessKey",
                "iam:CreateAccessKey"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::123456789012:user/*/${aws:username}",
                "arn:aws:iam::123456789012:user/${aws:username}"
            ],
            "Sid": "AllowManageOwnAccessKeys"
        }
    ],
    "Version": "2012-10-17"
}

2. Run prowler aws --check iam_policy_allows_privilege_escalation

Expected behavior

Check for policy above should pass considering that target resources are restricted only to current user.

Actual Result with Screenshots or Logs

Check will fail with:

Custom Policy arn:aws:iam::123456789012:policy/IAMSelfManagement-xxxxxx allows privilege escalation using the following actions: 'iam:CreateAccessKey'.

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

Workstation

OS used

MacOS

Prowler version

4.6.0

Pip version

24.2

Context

I'm using https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/submodules/iam-group-with-policies?tab=inputs to provision user groups with self management policy (part of which is in example above)

https://github.com/terraform-aws-modules/terraform-aws-iam/blob/e20e0b9a42084bbc885fd5abb18b8744810bd567/modules/iam-group-with-policies/policies.tf#L48

[jfagoagas]

Hello @enver, we will review this as soon as we can and we'll get back to you.

Thanks!

[garym-krrv]

Just tested against latest codebase in master and I cant reproduce the issue

[enver]

I can confirm it is still reproducible with latest master version (53a4befb0172bbb806cb39f05179af77a705fc7f)

[garym-krrv]

Nope your right. It does indeed fail @enver

[MrCloudSec]

Hi @enver,

Thank you for reporting this. The iam_policy_allows_privilege_escalation check evaluates IAM policies broadly and does not currently differentiate between resource restrictions like ${aws:username}. This approach ensures comprehensive privilege escalation detection but may flag certain policies as risky even if their scope appears secure.

For your use case, since the policy is restricted to the current user and appears safe, you can add it to the Prowler mutelist. This will exclude the policy from this specific check. Here’s an example mutelist entry:

Mutelist:
  Accounts:
    "*":
      Checks:
        "iam_policy_allows_privilege_escalation":
          Regions:
            - "*"
          Resources:
            - "IAMSelfManagement-xxxxxx"

Please review the policy carefully before mutelisting to ensure it meets your security requirements. Let us know if you have further questions!