Prisma Cloud: False Positive Alert for Policy:"Roles with high privileges can be assumed by a service in an external account"
Created On 12/18/24 11:08 AM - Last Modified 01/26/26 22:12 PM
Symptom
- The policy “Roles with High Privileges Can Be Assumed by a Service in an External Account” is generating alerts. However, the alerts are referencing internal accounts, whereas the policy is intended to query for external accounts.
Environment
- Prisma Cloud Enterprise Edition
- AWS
Cause
- An external account, per our definition, is an account that is not known to Prisma Cloud at all. The only way to obtain this information is to search the “Default account group” and check whether the source account is in this group.
- Changes made:
1. We have added to the RQL a check for whether the source account is a known third-party vendor.
2. We have added a “How to investigate” section to the description, so the user can now identify such cases. If the alert was opened for a source account only because it is not in the “Default account group”, it is recommended to add it to this group.
Resolution
- How to investigate?
1. In the Prisma Cloud Console, select 'Investigate'
2. Paste the following query into the investigation prompt, replacing the placeholder with the account ID you wish to verify:
config from iam where dest.cloud.type = 'AWS' AND source.cloud.account='<account-id>' and dest.cloud.account='<account-id>'
3. If results are returned: this indicates that Prisma is scanning the account and is therefore aware of it.
- If this is the case, select 'Settings' and then 'Account Groups'.
- Search for the default account group and, under 'Actions', select 'Edit'.
- Search for the account in question and add it.
- If no results are returned:
- This means Prisma has no knowledge of the account in question (i.e., it is not onboarded and, in the eyes of Prisma, external).
- To continue the investigation, run 'aws organizations list-accounts' using the AWS CLI; this returns a list of all accounts within the AWS organization.
- Repeat this process for every AWS organization you own. If the account in question does not appear in any of them, it can be concluded to be external.
- To remove its access, use the following remediation steps:
1. Log in to your AWS account
2. Navigate to the affected role and select the 'Trusted entities' tab.
3. Select 'Edit trust policy' and remove the entries allowing assumption from external sources.
4. Ensure the remaining entries are required, and save your changes.
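The investigation steps above (compare the trusting principals against the accounts returned by 'aws organizations list-accounts') and the remediation steps (remove the trust-policy entries that allow assumption from external sources) can be checked offline before touching the console. The following is an added example written for this article; it is not Prisma Cloud's or AWS's own code. It assumes that KNOWN_ACCOUNTS is the merged list of account IDs from 'aws organizations list-accounts --query Accounts[].Id' across every organization you own, and that TRUST_POLICY is the JSON document shown on the role's 'Trusted entities' tab. Both values below are constructed samples, not real accounts.

```python
"""Classify the principals in an IAM role trust policy as internal or external,
and produce a remediated copy with the external entries removed.

Added example for this article, not Prisma Cloud's or AWS's own code.
KNOWN_ACCOUNTS and TRUST_POLICY below are constructed samples.
"""
import copy
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")

# Constructed sample of `aws organizations list-accounts --query 'Accounts[].Id'`
# output for one organization; in practice merge the output of every organization.
ORG_ACCOUNTS_JSON = '["111111111111", "222222222222"]'
KNOWN_ACCOUNTS = frozenset(json.loads(ORG_ACCOUNTS_JSON))

# Constructed sample trust policy as it would appear on the 'Trusted entities' tab:
# one principal from a known account, one from an account outside the organization,
# and a service principal that must survive remediation.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                  "arn:aws:iam::333333333333:role/CrossAccountAdmin"]},
            "Action": "sts:AssumeRole",
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Return the account ID behind an 'AWS' principal, '*' for a wildcard, or None if unrecognised."""
    if principal == "*":
        return "*"
    if ACCOUNT_ID_RE.match(principal):
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def classify_trust_policy(policy, known_accounts):
    """Split the 'AWS' principals of every Allow statement into internal and external.

    Returns (internal, external) lists of principal strings. A wildcard or an
    account outside known_accounts is external; an unparseable principal is also
    reported as external so that it is reviewed rather than silently trusted.
    """
    internal, external = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            if principal == "*":  # string form 'Principal': '*' trusts everyone
                external.append("*")
            continue
        for p in _as_list(principal.get("AWS")):
            acct = principal_account(p)
            (internal if acct in known_accounts else external).append(p)
    return internal, external


def remove_external_trust(policy, known_accounts):
    """Return a copy of the policy with external 'AWS' principals removed (remediation step 3).

    Service and Federated principals are kept; a statement left with nothing to
    trust, or one that trusted '*', is dropped. The input policy is not modified.
    """
    fixed = copy.deepcopy(policy)
    kept = []
    for stmt in _as_list(fixed.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict) and "AWS" in principal:
            remaining = [p for p in _as_list(principal["AWS"])
                         if principal_account(p) in known_accounts]
            if remaining:
                principal["AWS"] = remaining
            else:
                del principal["AWS"]
        if stmt.get("Effect") == "Allow" and (principal == "*" or not principal):
            continue
        kept.append(stmt)
    fixed["Statement"] = kept
    return fixed


if __name__ == "__main__":
    internal, external = classify_trust_policy(TRUST_POLICY, KNOWN_ACCOUNTS)
    print("internal:", internal)
    print("external:", external)
    print(json.dumps(remove_external_trust(TRUST_POLICY, KNOWN_ACCOUNTS), indent=2))
```

Run it against the real policy by replacing the two constructed samples with the output of 'aws iam get-role' (the AssumeRolePolicyDocument field) and the merged account list; anything reported as external is the entry to review in step 3, and the remediated document is what remains after step 4.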