Prowler AWSDenyAll Check

[be-lka]

Hi all! I have a quick question regarding how Prowler evaluates the policies attached in roles;
Once it finds something that is deemed vulnerable, does Prowler takes into account if there is an AWSDenyAll policy attached to that role, pretty much rendering the role itself useless?
Thanks in advance.

[jfagoagas]

Hi @exiett, this question is pretty interesting. Right now we are not checking if the AWSDenyAll policy is attached to the entity but we are going to discuss it internally to see if it is interesting to include it in the Prowler business logic.

Thanks for the suggestion and for using Prowler 🚀

[be-lka]

Hi @jfagoagas ! Thanks for your reply. Just giving more insight in why to include the AWSDenyAll check into roles: There are some use-cases where a company have legacy roles that may or may not be still used in production environment that have some nasty permissions attached to it, but we as a security team do not want to disrupt any services while mitigating these risks. Attaching the AWSDenyAll role is a way to check if there is any disruption in service before proceeding to delete a role or resize its permissions.

[jfagoagas]

That's so interesting, thanks for giving us more context about that.