Added -D option to copy to S3 with the initial AWS credentials instea…

…d of the assumed as with -B option @sectoramen Added -D option to copy to S3 with the initial AWS credentials instead of the assumed as with -B option @sectoramen
prowler-cloud · Dec 21, 2021 · 8b415ec · 8b415ec
2 parents 833ad79 + aa945f3
commit 8b415ec
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 26 deletions.
diff --git a/include/assume_role b/include/assume_role
@@ -12,7 +12,9 @@
 # specific language governing permissions and limitations under the License.
 
 assume_role(){
+
     PROFILE_OPT=$PROFILE_OPT_BAK
+
     # Both variables are mandatory to be set together
     if [[ -z $ROLE_TO_ASSUME || -z $ACCOUNT_TO_ASSUME ]]; then
         echo "$OPTRED ERROR!$OPTNORMAL - Both Account ID (-A) and IAM Role to assume (-R) must be set"
@@ -64,18 +66,18 @@ assume_role(){
     PROFILE_OPT=""   
 
     # Set AWS environment variables with assumed role credentials
-    AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "${TEMP_STS_ASSUMED_FILE}")
-    export AWS_ACCESS_KEY_ID
-    AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey'  "${TEMP_STS_ASSUMED_FILE}")
-    export AWS_SECRET_ACCESS_KEY
-    AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken'  "${TEMP_STS_ASSUMED_FILE}")
-    export AWS_SESSION_TOKEN
-    AWS_SESSION_EXPIRATION=$(jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601'  "${TEMP_STS_ASSUMED_FILE}")
-    export AWS_SESSION_EXPIRATION
-    echo TEMP AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
-    echo TEMP AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
-    echo TEMP AWS_SESSION_TOKEN: $AWS_SESSION_TOKEN
-    echo EXPIRATION EPOCH TIME: $AWS_SESSION_EXPIRATION
+    ASSUME_AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "${TEMP_STS_ASSUMED_FILE}")
+    export AWS_ACCESS_KEY_ID=$ASSUME_AWS_ACCESS_KEY_ID
+    ASSUME_AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey'  "${TEMP_STS_ASSUMED_FILE}")
+    export AWS_SECRET_ACCESS_KEY=$ASSUME_AWS_SECRET_ACCESS_KEY
+    ASSUME_AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken'  "${TEMP_STS_ASSUMED_FILE}")
+    export AWS_SESSION_TOKEN=$ASSUME_AWS_SESSION_TOKEN
+    ASSUME_AWS_SESSION_EXPIRATION=$(jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601'  "${TEMP_STS_ASSUMED_FILE}")
+    export AWS_SESSION_EXPIRATION=$ASSUME_AWS_SESSION_EXPIRATION
+    echo TEMP AWS_ACCESS_KEY_ID: $ASSUME_AWS_ACCESS_KEY_ID
+    echo TEMP AWS_SECRET_ACCESS_KEY: $ASSUME_AWS_SECRET_ACCESS_KEY
+    echo TEMP AWS_SESSION_TOKEN: $ASSUME_AWS_SESSION_TOKEN
+    echo EXPIRATION EPOCH TIME: $ASSUME_AWS_SESSION_EXPIRATION
 
     cleanSTSAssumeFile
 }
@@ -84,3 +86,25 @@ cleanSTSAssumeFile() {
     rm -fr "${TEMP_STS_ASSUMED_FILE}"
     rm -fr "${TEMP_STS_ASSUMED_ERROR}"
 }
+
+backupInitialAWSCredentials() {
+#    echo Backing up current AWS ENV Credentials
+    if [[ $(printenv AWS_ACCESS_KEY_ID) ]]; then 
+#        echo Current AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID      
+        INITIAL_AWS_ACCESS_KEY_ID=$(printenv AWS_ACCESS_KEY_ID)
+    fi
+    if [[ $(printenv AWS_SECRET_ACCESS_KEY) ]]; then 
+#        echo AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY      
+        INITIAL_AWS_SECRET_ACCESS_KEY=$(printenv AWS_SECRET_ACCESS_KEY)
+    fi
+    if [[ $(printenv AWS_SESSION_TOKEN) ]]; then 
+#        echo AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN      
+        INITIAL_AWS_SESSION_TOKEN=$(printenv AWS_SESSION_TOKEN)
+    fi    
+}
+
+restoreInitialAWSCredentials() {
+    export AWS_ACCESS_KEY_ID=$INITIAL_AWS_ACCESS_KEY_ID
+    export AWS_SECRET_ACCESS_KEY=$INITIAL_AWS_SECRET_ACCESS_KEY
+    export AWS_SESSION_TOKEN=$INITIAL_AWS_SESSION_TOKEN
+}
diff --git a/include/outputs_bucket b/include/outputs_bucket
@@ -15,18 +15,18 @@ if [[ $OUTPUT_BUCKET ]]; then
   # output mode has to be set to other than text
   if [[ "${MODES[@]}" =~ "html" ]] || [[ "${MODES[@]}" =~ "csv" ]] || [[ "${MODES[@]}" =~ "json" ]] || [[ "${MODES[@]}" =~ "json-asff" ]]; then
       OUTPUT_BUCKET_WITHOUT_FOLDERS=$(echo $OUTPUT_BUCKET | awk -F'/' '{ print $1 }')
-      OUTPUT_BUCKET_STATUS=$($AWSCLI s3api head-bucket --bucket "$OUTPUT_BUCKET" 2>&1 || true)
-      if [[ ! -z $OUTPUT_BUCKET_STATUS ]]; then 
-        echo "$OPTRED ERROR!$OPTNORMAL wrong bucket name or not right permissions."
-        exit 1
-      else 
+#      OUTPUT_BUCKET_STATUS=$($AWSCLI s3api head-bucket --bucket "$OUTPUT_BUCKET" 2>&1 || true)
+#      if [[ -z $OUTPUT_BUCKET_STATUS ]]; then 
+#        echo "$OPTRED ERROR!$OPTNORMAL wrong bucket name or not right permissions."
+#        exit 1
+#      else 
         # need to make sure last / is not set to avoid // in S3
         if [[ $OUTPUT_BUCKET != *"/" ]]; then 
           OUTPUT_BUCKET="$OUTPUT_BUCKET"
         else
           OUTPUT_BUCKET=${OUTPUT_BUCKET::-1}
         fi 
-      fi
+#      fi
   else
     echo "$OPTRED ERROR!$OPTNORMAL - Mode (-M) has to be set as well. Use -h for help."
     exit 1

diff --git a/prowler b/prowler
@@ -107,6 +107,8 @@ USAGE:
                             (i.e.: -M csv -o /tmp/reports/)
       -B                  Custom output bucket, requires -M <mode> and it can work also with -o flag.
                             (i.e.: -M csv -B my-bucket or -M csv -B my-bucket/folder/)
+      -D                  Same as -B but do not use the assume role credentials to put objects to the bucket, instead
+                          uses the initial credentials
       -F                  Custom output report name, if not specified will use default output/prowler-output-ACCOUNT_NUM-OUTPUT_DATE
       -z                  Failed Checks do not trigger exit code 3
       -Z                  Specify one or multiple check ids separated by commas that will trigger exit code 3 if they fail. Unspecified checks will not trigger exit code 3. This will override "-z".
@@ -117,7 +119,7 @@ USAGE:
   exit
 }
 
-while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:F:zZ:" OPTION; do
+while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:" OPTION; do
    case $OPTION in
      h )
         usage
@@ -211,6 +213,10 @@ while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:F:zZ:" OPTION; do
      B )
         OUTPUT_BUCKET=$OPTARG
         ;;
+     D )
+        OUTPUT_BUCKET=$OPTARG
+        OUTPUT_BUCKET_NOASSUME=1
+        ;;
      F )
         OUTPUT_FILE_NAME=$OPTARG
         ;;
@@ -395,6 +401,7 @@ show_group_title() {
 execute_check() {
 
   if [[ -n "${ACCOUNT_TO_ASSUME}" || -n "${ROLE_TO_ASSUME}" ]]; then
+    echo ******* I am here again to check on my role *******
     # Following logic looks for time remaining in the session and review it
     # if it is less than 600 seconds, 10 minutes.
     CURRENT_TIMESTAMP=$(date -u "+%s")
@@ -644,6 +651,7 @@ fi
 # Gather account data / test aws cli connectivity
 getWhoami
 if [[ -n "${ACCOUNT_TO_ASSUME}" || -n "${ROLE_TO_ASSUME}" ]]; then
+  backupInitialAWSCredentials
   assume_role
 fi
 
@@ -662,6 +670,9 @@ if [[ $GROUP_ID_READ ]];then
     fi
     cleanTemp
     scoring
+    if [[ $OUTPUT_BUCKET_NOASSUME ]]; then
+      restoreInitialAWSCredentials
+    fi
     copyToS3
     exit $EXITCODE
   else
@@ -690,6 +701,9 @@ if [[ $CHECK_ID ]];then
   if [[ "${MODES[@]}" =~ "html" ]]; then
     addHtmlFooter >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
   fi
+  if [[ $OUTPUT_BUCKET_NOASSUME ]]; then
+    restoreInitialAWSCredentials
+  fi
   copyToS3
   scoring
   cleanTemp
@@ -704,13 +718,9 @@ fi
 
 scoring
 cleanTemp
-copyToS3
-
-if [[ $ACCOUNT_TO_ASSUME ]]; then
-  # unset env variables with assumed role credentials
-  unset AWS_ACCESS_KEY_ID
-  unset AWS_SECRET_ACCESS_KEY
-  unset AWS_SESSION_TOKEN
+if [[ $OUTPUT_BUCKET_NOASSUME ]]; then
+  restoreInitialAWSCredentials
 fi
+copyToS3
 
 exit $EXITCODE