Fixed bug in the role trusts command introduced in 1.13.1 where cloud…

…fox only shows princiapls with :root trust and not ALL role trusts
BishopFox · Feb 2, 2024 · b5908fc · b5908fc
1 parent a656103
commit b5908fc
Showing 1 changed file with 22 additions and 23 deletions.
diff --git a/aws/role-trusts.go b/aws/role-trusts.go
@@ -241,33 +241,32 @@ func (m *RoleTrustsModule) printPrincipalTrusts(outputDirectory string) ([]strin
 	for _, role := range m.AnalyzedRoles {
 		for _, statement := range role.trustsDoc.Statement {
 			for _, principal := range statement.Principal.AWS {
-				if strings.Contains(principal, ":root") {
-					//check to see if the accountID is known
-					accountID := strings.Split(principal, ":")[4]
-					vendorName := m.vendors.GetVendorNameFromAccountID(accountID)
-					if vendorName != "" {
-						principal = fmt.Sprintf("%s (%s)", principal, vendorName)
-					}
+				//check to see if the accountID is known
+				accountID := strings.Split(principal, ":")[4]
+				vendorName := m.vendors.GetVendorNameFromAccountID(accountID)
+				if vendorName != "" {
+					principal = fmt.Sprintf("%s (%s)", principal, vendorName)
+				}
 
-					RoleTrustRow := RoleTrustRow{
-						RoleARN:          aws.ToString(role.roleARN),
-						RoleName:         GetResourceNameFromArn(aws.ToString(role.roleARN)),
-						TrustedPrincipal: principal,
-						ExternalID:       statement.Condition.StringEquals.StsExternalID,
-						IsAdmin:          role.Admin,
-						CanPrivEsc:       role.CanPrivEsc,
-					}
-					body = append(body, []string{
-						aws.ToString(m.Caller.Account),
-						RoleTrustRow.RoleARN,
-						RoleTrustRow.RoleName,
-						RoleTrustRow.TrustedPrincipal,
-						RoleTrustRow.ExternalID,
-						RoleTrustRow.IsAdmin,
-						RoleTrustRow.CanPrivEsc})
+				RoleTrustRow := RoleTrustRow{
+					RoleARN:          aws.ToString(role.roleARN),
+					RoleName:         GetResourceNameFromArn(aws.ToString(role.roleARN)),
+					TrustedPrincipal: principal,
+					ExternalID:       statement.Condition.StringEquals.StsExternalID,
+					IsAdmin:          role.Admin,
+					CanPrivEsc:       role.CanPrivEsc,
 				}
+				body = append(body, []string{
+					aws.ToString(m.Caller.Account),
+					RoleTrustRow.RoleARN,
+					RoleTrustRow.RoleName,
+					RoleTrustRow.TrustedPrincipal,
+					RoleTrustRow.ExternalID,
+					RoleTrustRow.IsAdmin,
+					RoleTrustRow.CanPrivEsc})
 			}
 		}
+
 	}
 
 	m.sortTrustsTablePerTrustedPrincipal()