@@ -221,13 +221,17 @@ def audit_iam(findings, region):
221221 )
222222 find_admins_in_account (region , s3_get_findings , privs_to_look_for = ["s3:GetObject" ])
223223
224- for f in s3_listing_findings :
225- if f .issue_id != "IAM_UNEXPECTED_ADMIN_PRINCIPAL" :
224+ for flist in s3_listing_findings :
225+ if flist .issue_id != "IAM_UNEXPECTED_ADMIN_PRINCIPAL" :
226226 continue
227227
228- services = make_list (f .resource_details .get ("Principal" , {}).get ("Service" , "" ))
228+ services = make_list (flist .resource_details .get ("Principal" , {}).get ("Service" , "" ))
229229 for service in services :
230- if service in ["config.amazonaws.com" , "trustedadvisor.amazonaws.com" ]:
230+ if service in [
231+ "config.amazonaws.com" ,
232+ "trustedadvisor.amazonaws.com" ,
233+ "macie.amazonaws.com" ,
234+ ]:
231235 continue
232236
233237 # If we are here then we have a principal that can list S3 buckets,
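Review bot: The service allowlist at new lines 230–234 is an inline list literal inside the innermost loop, and this commit shows why that is fragile: each new expected service (here `macie.amazonaws.com`) is a multi-line edit buried in audit logic with no statement of why those principals are trusted to enumerate buckets. Hoisting it to a module-level constant such as `EXPECTED_S3_LISTING_SERVICES = frozenset({"config.amazonaws.com", "trustedadvisor.amazonaws.com", "macie.amazonaws.com"})` with a comment naming why each entry is exempt, and testing `if service in EXPECTED_S3_LISTING_SERVICES:`, makes the exemption list reviewable on its own and turns the membership test into a set lookup. A comment above that constant should also say that any service added to it suppresses the exfil finding for every principal carrying that Service value, so additions deserve the same scrutiny as a finding suppression. audit_iam starts and ends outside this hunk.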
@@ -237,12 +241,23 @@ def audit_iam(findings, region):
237241 for fget in s3_get_findings :
238242 if (
239243 fget .issue_id == "IAM_UNEXPECTED_ADMIN_PRINCIPAL"
240- and fget .resource_id == f .resource_id
244+ and fget .resource_id == flist .resource_id
241245 ):
242246 # If we are here, then the principal can list S3 buckets and get objects
243- # from them, and is not an unexpected service, so record this as a finding
244- f .issue_id = "IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL"
245- findings .add (f )
247+ # from them, and is not an unexpected service. Ensure we haven't already
248+ # recorded this as an unexpected admin.
249+
250+ already_recorded = False
251+ for f in findings :
252+ if f .resource_id == fget .resource_id and f .issue_id == "IAM_UNEXPECTED_ADMIN_PRINCIPAL" :
253+ already_recorded = True
254+ break
255+
256+ if not already_recorded :
257+ flist .issue_id = "IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL"
258+ findings .add (flist )
259+
260+
246261
247262 # Don't record this multiple times if multiple services are listed
248263 break
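Review bot: The `already_recorded` flag-and-break loop at new lines 250–254 is a hand-rolled `any()` that rescans the whole `findings` collection for every matching `fget`; `already_recorded = any(f.resource_id == fget.resource_id and f.issue_id == "IAM_UNEXPECTED_ADMIN_PRINCIPAL" for f in findings)` expresses the same check in one statement. The dedupe only looks for an existing IAM_UNEXPECTED_ADMIN_PRINCIPAL entry, so if `s3_listing_findings` can carry the same resource_id more than once (I cannot tell from this hunk) a second IAM_UNEXPECTED_S3_EXFIL_PRINCIPAL finding for that principal would still be added; it also assumes `findings` is iterable, which only the `findings.add` call on line 258 hints at. The assignment `flist.issue_id = ...` on line 257 re-labels the object held in `s3_listing_findings` before adding it to `findings`; that predates this commit, but a comment such as `# NOTE: mutates the shared finding object in place rather than copying it` would stop readers from expecting a copy. The two blank lines added at 259–260 can be dropped. audit_iam starts and ends outside this hunk.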