
feat(aws): add iam_policy_no_wildcard_marketplace_subscribe and iam_inline_policy_no_wildcard_marketplace_subscribe checks #10525

Draft
danibarranqueroo wants to merge 3 commits into master from feat/prowler-628-bedrock-marketplace-subscription-access-least-privilege

Conversation

@danibarranqueroo
Member

@danibarranqueroo danibarranqueroo commented Mar 31, 2026

Context

Granting aws-marketplace:Subscribe on all resources (*) allows any principal with the policy to subscribe to any AWS Marketplace product, including expensive Amazon Bedrock foundation models, without governance controls. This can lead to uncontrolled costs from unauthorized model subscriptions, shadow AI usage outside compliance boundaries, and unapproved model deployments.

Description

Two new IAM checks that evaluate custom and inline IAM policies for overly broad aws-marketplace:Subscribe permissions granted on Resource: *:

  • iam_policy_no_wildcard_marketplace_subscribe — Inspects customer-managed IAM policies (follows the same pattern as iam_policy_no_full_access_to_kms)
  • iam_inline_policy_no_wildcard_marketplace_subscribe — Inspects inline IAM policies on users/roles/groups (follows the same pattern as iam_inline_policy_no_full_access_to_kms)

Both checks:

  • Match actions via wildcard patterns (aws-marketplace:Subscribe, aws-marketplace:*, *)
  • Handle case-insensitive action matching
  • Account for explicit Deny statements on Resource: * that negate the finding
  • Correctly ignore Deny statements scoped to specific resources (they don't negate a wildcard Allow)

Compliance framework mappings added to 17 frameworks (AWS Well-Architected, NIST 800-53, FedRAMP, HIPAA, SOC2, ISO 27001, etc.) under least-privilege controls.

Steps to review

  1. Review the check implementations:
    • prowler/providers/aws/services/iam/iam_policy_no_wildcard_marketplace_subscribe/
    • prowler/providers/aws/services/iam/iam_inline_policy_no_wildcard_marketplace_subscribe/
  2. Review the metadata files for correct severity, remediation, and compliance mappings
  3. Review compliance framework mappings in prowler/compliance/aws/
  4. Run the check tests:
    poetry run pytest tests/providers/aws/services/iam/iam_policy_no_wildcard_marketplace_subscribe/ tests/providers/aws/services/iam/iam_inline_policy_no_wildcard_marketplace_subscribe/ -v
  5. Run the checks against a real environment (if possible):
    prowler aws --check iam_policy_no_wildcard_marketplace_subscribe iam_inline_policy_no_wildcard_marketplace_subscribe

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes
    • If so, do we need to update permissions for the provider? No — uses existing IAM permissions (iam:ListPolicies, iam:GetPolicyVersion, iam:ListRolePolicies, iam:GetRolePolicy, etc.) already required by other IAM checks.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
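As an added example, not code from this PR or from Prowler itself, the four matching rules the description lists (wildcard action patterns, case-insensitive matching, an explicit Deny on Resource "*" negating the finding, a Deny scoped to a specific ARN not negating it) applied to a single IAM policy document in Python, the language Prowler is written in. The sample policy documents and the ARN inside them are constructed for illustration; the NotAction handling goes beyond the rules listed above and is my own generalization, since Allow plus a NotAction that omits aws-marketplace grants Subscribe just as Action "*" does.

```python
"""Added example (not Prowler's implementation): flag an IAM policy document that
allows aws-marketplace:Subscribe on Resource "*" unless a Deny on Resource "*"
takes it back. Sample documents below are constructed for illustration."""
import fnmatch

TARGET_ACTION = "aws-marketplace:Subscribe"


def _as_list(value):
    """IAM lets Statement, Action, NotAction and Resource be a string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str = TARGET_ACTION) -> bool:
    """Case-insensitive IAM wildcard match: '*' and 'aws-marketplace:*' both
    cover Subscribe, and 'AWS-Marketplace:Subscribe' matches exactly."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers_action(statement: dict, action: str = TARGET_ACTION) -> bool:
    """True if the statement reaches the action via Action, or via a NotAction
    list that does not mention it (generalization beyond the PR's four rules)."""
    if "Action" in statement:
        return any(action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def statement_on_all_resources(statement: dict) -> bool:
    """Only Resource "*" counts; a specific ARN neither triggers nor negates."""
    return "*" in _as_list(statement.get("Resource"))


def has_wildcard_marketplace_subscribe(policy_document: dict) -> bool:
    """Finding (True) when some Allow grants Subscribe on Resource "*" and no
    Deny statement on Resource "*" covers the same action. Condition elements
    are deliberately ignored, as in the rules the PR describes."""
    allow_on_all = deny_on_all = False
    for stmt in _as_list(policy_document.get("Statement")):
        if not statement_covers_action(stmt) or not statement_on_all_resources(stmt):
            continue
        if stmt.get("Effect") == "Allow":
            allow_on_all = True
        elif stmt.get("Effect") == "Deny":
            deny_on_all = True
    return allow_on_all and not deny_on_all


def _doc(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# Constructed sample policies; the ARN is a placeholder, not a real resource.
_SCOPED_ARN = "arn:aws:aws-marketplace:us-east-1:123456789012:example/constructed"
SAMPLE_POLICIES = {
    # Allow Subscribe on every resource: finding
    "allow_subscribe_on_all": _doc(
        {"Effect": "Allow", "Action": "aws-marketplace:Subscribe", "Resource": "*"}),
    # Service wildcard in mixed case inside a list: finding
    "allow_service_wildcard_mixed_case": _doc(
        {"Effect": "Allow", "Action": ["s3:GetObject", "AWS-Marketplace:*"], "Resource": ["*"]}),
    # Allow scoped to one ARN: no finding
    "allow_subscribe_scoped": _doc(
        {"Effect": "Allow", "Action": "aws-marketplace:Subscribe", "Resource": _SCOPED_ARN}),
    # Allow everything, then explicit Deny on Resource "*": negated, no finding
    "allow_then_deny_on_all": _doc(
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "aws-marketplace:Subscribe", "Resource": "*"}),
    # Deny scoped to one ARN does not negate the wildcard Allow: finding
    "allow_with_scoped_deny": _doc(
        {"Effect": "Allow", "Action": "aws-marketplace:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "aws-marketplace:Subscribe", "Resource": _SCOPED_ARN}),
    # NotAction that omits aws-marketplace grants Subscribe: finding
    "allow_notaction_omits_marketplace": _doc(
        {"Effect": "Allow", "NotAction": ["s3:*", "ec2:*"], "Resource": "*"}),
}


def evaluate(policies=SAMPLE_POLICIES) -> dict:
    """Map each sample policy name to whether it produces a finding."""
    return {name: has_wildcard_marketplace_subscribe(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, finding in evaluate().items():
        print(f"{'FAIL' if finding else 'PASS'}  {name}")
```

Like the four rules in the description, this ignores Condition elements. A Deny that carries a Condition applies only when that condition holds, so treating every Deny on Resource "*" as fully negating the Allow can hide a finding; a production check that wants to be stricter would only count a Deny as negating when it has no Condition.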

…e security check

Add new security check bedrock_marketplace_subscription_access_least_privilege for aws provider.
Includes check implementation, metadata, and unit tests.
@github-actions github-actions bot added provider/aws Issues/PRs related with the AWS provider compliance Issues/PRs related with the Compliance Frameworks metadata-review labels Mar 31, 2026
@danibarranqueroo danibarranqueroo force-pushed the feat/prowler-628-bedrock-marketplace-subscription-access-least-privilege branch from 07db07d to dca2b7c on March 31, 2026 09:26
@github-actions
Contributor

github-actions bot commented Mar 31, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions
Contributor

github-actions bot commented Mar 31, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@codecov

codecov bot commented Mar 31, 2026

Codecov Report

❌ Patch coverage is 95.31250% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 19.15%. Comparing base (d18c5a8) to head (f6455b5).
⚠️ Report is 1 commit behind head on master.

❗ There is a different number of reports uploaded between BASE (d18c5a8) and HEAD (f6455b5). Click for more details.

HEAD has 3 uploads less than BASE
Flag BASE (d18c5a8) HEAD (f6455b5)
prowler-py3.11-oraclecloud 1 0
prowler-py3.12-oraclecloud 1 0
prowler-py3.10-oraclecloud 1 0
Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10525       +/-   ##
===========================================
- Coverage   59.88%   19.15%   -40.74%     
===========================================
  Files          87      843      +756     
  Lines        2862    24007    +21145     
===========================================
+ Hits         1714     4599     +2885     
- Misses       1148    19408    +18260     
Flag Coverage Δ
prowler-py3.10-aws 19.15% <95.31%> (?)
prowler-py3.10-oraclecloud ?
prowler-py3.11-aws 19.15% <95.31%> (?)
prowler-py3.11-oraclecloud ?
prowler-py3.12-aws 19.14% <95.31%> (?)
prowler-py3.12-oraclecloud ?

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 19.15% <95.31%> (-40.74%) ⬇️
api ∅ <ø> (∅)

@github-actions
Contributor

github-actions bot commented Mar 31, 2026

🔒 Container Security Scan

Image: prowler:20272cf
Last scan: 2026-03-31 12:19:56 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 4
Total 4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@github-actions
Contributor

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • iam_inline_policy_no_wildcard_marketplace_subscribe (aws): aws_well_architected_framework_security_pillar_aws, c5_aws, cisa_aws, csa_ccm_4.0_aws, fedramp_20x_ksi_low_aws, fedramp_moderate_revision_4_aws, ffiec_aws, hipaa_aws, iso27001_2022_aws, kisa_isms_p_2023_aws, kisa_isms_p_2023_korean_aws, nist_800_171_revision_2_aws, nist_800_53_revision_4_aws, nist_800_53_revision_5_aws, nist_csf_1.1_aws, nist_csf_2.0_aws, soc2_aws
  • iam_policy_no_wildcard_marketplace_subscribe (aws): aws_well_architected_framework_security_pillar_aws, c5_aws, cisa_aws, csa_ccm_4.0_aws, fedramp_20x_ksi_low_aws, fedramp_moderate_revision_4_aws, ffiec_aws, hipaa_aws, iso27001_2022_aws, kisa_isms_p_2023_aws, kisa_isms_p_2023_korean_aws, nist_800_171_revision_2_aws, nist_800_53_revision_4_aws, nist_800_53_revision_5_aws, nist_csf_1.1_aws, nist_csf_2.0_aws, soc2_aws

Use the no-compliance-check label to skip this check.

@danibarranqueroo danibarranqueroo changed the title feat(aws): add bedrock_marketplace_subscription_access_least_privilege security check feat(aws): add iam_policy_no_wildcard_marketplace_subscribe and iam_inline_policy_no_wildcard_marketplace_subscribe checks Mar 31, 2026

Labels

compliance Issues/PRs related with the Compliance Frameworks metadata-review provider/aws Issues/PRs related with the AWS provider
