
[Bug]: Checks failing in v3 when they shouldn't be #1789

Closed
mhamill2 opened this issue Jan 27, 2023 · 2 comments
Assignees
Labels
bug severity/low Bug won't result in any noticeable breakdown of the execution. status/waiting-for-revision Waiting for maintainer's revision

Comments

@mhamill2

What happened?
The following checks are failing for us in version 3, but they were passing in version 2. I don't believe they should be failing:

1. ec2_security_group_not_used

This check is failing for us because of our default security groups, which cannot be deleted. In version 2, there was a specific case to ensure that the default security groups would not cause a failure: https://github.com/prowler-cloud/prowler/blob/2.12.1/checks/check_extra75

This special case does not exist in the version 3 implementation: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/services/ec2/ec2_securitygroup_not_used/ec2_securitygroup_not_used.py

I had a discussion open for this initially, but thought it might be better suited as a bug: #1781

2. iam_policy_no_administrative_privileges

In version 2, this check was checking to see if Action was equal to * and Resource was equal to *: https://github.com/prowler-cloud/prowler/blob/2.12.1/checks/check122#L35

In version 3, it is checking to see if * is contained in the Action and Resource: https://github.com/prowler-cloud/prowler/blob/3.1.2/prowler/providers/aws/services/iam/iam_policy_no_administrative_privileges/iam_policy_no_administrative_privileges.py#L21-L26

This is causing the check to fail with policies such as:

```json
{
  "Effect": "Allow",
  "Action": "kms:*",
  "Resource": "*"
}
```

I don't think this should fail the check, as I believe only policies with full administrative privileges should fail, while this is limited to kms actions. The user guide in the aws doc states:

"This control checks whether the default version of IAM policies (also known as customer managed policies) has administrator access by including a statement with "Effect": "Allow" with "Action": "*" over "Resource": "*"."

To me this sounds like it should only fail when policies have Action: * and Resource: * exactly.

3. iam_avoid_root_usage

This check is failing for us with the following reason: "Root user in the account was last accessed 370 days ago."

Looking at the implementation, it seems the intended behavior should be to ensure the user account was not accessed in the last day: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/services/iam/iam_avoid_root_usage/iam_avoid_root_usage.py#L6

I'm not exactly sure where the issue is in the implementation, but I did notice that in the version 2 check, the value for the last accessed day of the account for us was -370, so the case of days_since_accessed > maximum_access_days was false and wouldn't fail. Seems like the implementation in version 3 needs to ensure the value for that is negative as well?

How to reproduce it
Steps to reproduce the behavior:

  1. prowler aws -c ec2_security_group_not_used
  2. See the check fails for the default security groups
  3. Create an IAM policy similar to the one in the description above
  4. prowler aws -c iam_policy_no_administrative_privileges
  5. See the check fails
  6. Ensure the root user was last accessed more than a day ago
  7. prowler aws -c iam_avoid_root_usage
  8. See the check fails

Expected behavior

  1. The ec2 check should not fail for default security groups
  2. The iam policy check should only fail when action and resource are both equal to *
  3. The iam avoid root usage should not fail for us when the root user was last accessed 370 days ago.

From where are you running Prowler?

  • Resource: Docker container manually
  • OS: Alpine Linux v3.16
  • Prowler Version: 3.1.2
  • Python version: 3.9.15
  • Pip version: 22.3.1
  • Installation method: pip3 install prowler-cloud
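The strict reading of the AWS control text that the report argues for (Action exactly `*` over Resource exactly `*`), beside the substring reading it describes for v3, as an added Python example. This is illustrative code written for this page, not Prowler's implementation, and the policy documents are constructed samples; `NotAction`/`NotResource` statements are deliberately out of scope.

```python
import json


def _as_list(value):
    # IAM lets Statement, Action and Resource be a single value or a list;
    # normalise to a list so the tests below are exact element matches.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    # Yield (actions, resources) for every Allow statement in the document.
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))


def grants_full_admin(policy):
    """Strict reading of the AWS control text: an Allow statement whose Action
    list contains the literal "*" and whose Resource list contains the literal "*"."""
    return any("*" in acts and "*" in ress for acts, ress in _allow_statements(policy))


def loose_wildcard_match(policy):
    """Substring reading the reporter attributes to v3: an Allow statement whose
    Action and Resource values each contain a '*' anywhere (so "kms:*" matches)."""
    return any(any("*" in a for a in acts) and any("*" in r for r in ress)
               for acts, ress in _allow_statements(policy))


def compare(policy):
    # Run both readings over one document and return the verdicts side by side.
    return {"strict": grants_full_admin(policy), "loose": loose_wildcard_match(policy)}


# Constructed sample policies (not taken from any real account).
KMS_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}''')
ADMIN_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}''')
LIST_ADMIN_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "*"], "Resource": ["*"]}]}''')
DENY_ALL_POLICY = json.loads('''{"Version": "2012-10-17", "Statement":
  {"Effect": "Deny", "Action": "*", "Resource": "*"}}''')

if __name__ == "__main__":
    for name, doc in [("kms:*", KMS_POLICY), ("admin", ADMIN_POLICY),
                      ("list-admin", LIST_ADMIN_POLICY), ("deny-all", DENY_ALL_POLICY)]:
        print(name, compare(doc))
```

Only the scoped `kms:*` policy separates the two readings: the strict test passes it, the loose test flags it, while a real `Action: "*"` over `Resource: "*"` statement is flagged by both and a Deny statement by neither.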
@mhamill2 mhamill2 added bug status/needs-triage Issue pending triage labels Jan 27, 2023
@n4ch04
Contributor

n4ch04 commented Jan 30, 2023

Hi @mhamill2, we are going to check this out and let you know. Thanks for using Prowler!!

@n4ch04 n4ch04 added status/waiting-for-revision Waiting for maintainer's revision severity/low Bug won't result in any noticeable breakdown of the execution. and removed status/needs-triage Issue pending triage labels Jan 30, 2023
@sergargar sergargar self-assigned this Jan 30, 2023
@sergargar
Member

Thank you @mhamill2 for this information, it was really helpful!! The above PRs solve the issues; feel free to reopen this issue if we did not fix your errors, or open a new one with new issues.
