
Add Security Test for Shadow Resource Vulnerability (Bucket Monopoly) #6701

Open
hozohar1 opened this issue Jan 27, 2025 · 2 comments

Labels: feature-request (New feature request for Prowler), provider/aws (Issues/PRs related with the AWS provider)

Comments


hozohar1 commented Jan 27, 2025

New feature motivation

Prowler has been an invaluable tool for AWS security assessments. However, a recently identified vulnerability, referred to as "Bucket Monopoly", highlights the risk of AWS shadow resources being exploited to breach accounts.

This vulnerability occurs when attackers claim predictably named resources—automatically generated by AWS services—in multiple regions before legitimate users, bypassing typical security controls.

Adding specific checks for shadow resource misuse will enhance Prowler's ability to detect and mitigate this critical threat, further securing AWS environments.

Problem Statement:
Shadow resources are assets created automatically by AWS services, often following predictable naming patterns. Examples include:

  • CloudFormation: cf-templates-{Hash}-{Region}
  • Glue: aws-glue-assets-{Account-ID}-{Region}
  • SageMaker: sagemaker-{Region}-{Account-ID}

An attacker can exploit this predictability to create these resources across regions before the legitimate user, enabling malicious actions such as:

- Denial of Service (DoS): Blocking legitimate resource creation.
- Information Disclosure: Extracting sensitive data from victim services.
- Remote Code Execution (RCE): Injecting malicious payloads.

Solution Proposed

To address this vulnerability, the following actions can be implemented as a new security test in Prowler:

  1. Identify resources with names matching known AWS service patterns (e.g., CloudFormation, Glue, SageMaker, etc.).
  2. Validate resource ownership to ensure they belong to the correct AWS account.
  3. Raise an alert if an S3 bucket linked to the account is not owned by the account, as this could indicate potential misuse.

Describe alternatives you've considered

Unused Bucket Detection:
Identify available S3 bucket names that match predictable AWS service patterns but are not owned by the account.
Protection Assessment Metric:
Provide a protection percentage score based on the account's current resource ownership, offering a quick overview of vulnerability exposure.

Additional context

The vulnerability was extensively documented in Aqua Security's blog:
Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources.
By implementing this feature, Prowler can better protect AWS accounts from emerging threats related to shadow resources, enhancing its position as a leading AWS security assessment tool.

If the maintainers find this proposal beneficial, I am interested in contributing to the development of this feature. Please advise on the next steps or any specific requirements.
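The core logic of the proposed check, written here as an added stand-alone example (not Prowler's own code and not a Prowler check class): it derives the Glue and SageMaker bucket names the issue lists for an account in each enabled region, reports which of them the account does not own, and flags owned buckets whose name embeds a different account ID. The CloudFormation `{Hash}` is not defined in the issue, so that pattern is only matched, never generated; the account ID, regions and bucket names below are constructed sample data.

```python
import re
from dataclasses import dataclass

REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"

# Predictable naming patterns quoted in the issue. The CloudFormation hash is
# not defined here, so that name can only be recognised, not predicted.
PATTERNS = {
    "glue": re.compile(rf"^aws-glue-assets-(?P<account>\d{{12}})-(?P<region>{REGION})$"),
    "sagemaker": re.compile(rf"^sagemaker-(?P<region>{REGION})-(?P<account>\d{{12}})$"),
    "cloudformation": re.compile(rf"^cf-templates-(?P<hash>[a-z0-9]+)-(?P<region>{REGION})$"),
}


@dataclass(frozen=True)
class Finding:
    bucket: str
    service: str
    region: str
    status: str  # "PASS" or "FAIL", mirroring the statuses a Prowler check emits
    detail: str


def expected_names(account_id, regions):
    """Bucket names Glue and SageMaker would create for this account per region."""
    names = {}
    for region in regions:
        names[f"aws-glue-assets-{account_id}-{region}"] = ("glue", region)
        names[f"sagemaker-{region}-{account_id}"] = ("sagemaker", region)
    return names


def check_shadow_buckets(account_id, regions, owned_buckets):
    """Return one Finding per predictable name (steps 1-3 of the proposal)."""
    owned = set(owned_buckets)
    findings = []
    # Step 2/3: every predictable name should already be owned by this account;
    # an unowned name is still claimable by anyone and is reported as FAIL.
    for name, (service, region) in expected_names(account_id, regions).items():
        if name in owned:
            findings.append(Finding(name, service, region, "PASS", "owned by this account"))
        else:
            findings.append(Finding(name, service, region, "FAIL", "not owned by this account"))
    # Step 1: owned buckets that follow a pattern but carry another account's ID
    # deserve a look, since the name was meant for a different account.
    for name in sorted(owned):
        for service, pattern in PATTERNS.items():
            m = pattern.match(name)
            if m and "account" in m.groupdict() and m.group("account") != account_id:
                findings.append(Finding(name, service, m.group("region"), "FAIL",
                                        f"name embeds foreign account {m.group('account')}"))
    return findings
```

In a real check the `owned_buckets` input would come from the S3 service's bucket list already stored by Prowler's service file, and `regions` from the account's enabled regions.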

@hozohar1 hozohar1 added feature-request New feature request for Prowler. status/needs-triage Issue pending triage labels Jan 27, 2025
@danibarranqueroo danibarranqueroo self-assigned this Jan 28, 2025
danibarranqueroo (Member) commented:

Hi @hozohar1! Thank you for the detailed proposal and for highlighting the "Bucket Monopoly" vulnerability. This is a valuable addition, and we’ll discuss it with the team to evaluate its feasibility. We’ll provide feedback or next steps soon.

Thanks again for making Prowler better! 🚀

@danibarranqueroo danibarranqueroo added provider/aws Issues/PRs related with the AWS provider and removed status/needs-triage Issue pending triage labels Jan 28, 2025
danibarranqueroo (Member) commented:

Hello again @hozohar1,

We have studied your idea and it could be a great option to enhance Prowler's coverage. If you'd like to proceed with implementing this feature here are the steps you should follow:

  1. Modify the Service File
    First, you’ll need to store the information required for the check by modifying the service file. This will ensure the necessary data is available when implementing the check. You can find guidance here: Service File Documentation.

  2. Create the Check
    Next, create the check based on the requirements outlined in your issue. Our documentation provides useful information for building checks: Check Documentation.

  3. Write Unit Tests
    To ensure code quality and maintainability, please write unit tests for the check. You can learn more about testing here: Unit Testing Documentation.

Additionally, feel free to join our Slack community, there you can ask questions, share progress, or seek clarification. We’re here to help if you need any assistance along the way.
