From cc9d015fc8db92360ae327d9c2179123fe359ba2 Mon Sep 17 00:00:00 2001
From: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Date: Sun, 19 Dec 2021 09:53:20 -0500
Subject: [PATCH 1/5] Backup AWS Credentials before AssumeRole and Restore them before CopyToS3

---
 include/assume_role | 9 +++++++++
 prowler | 14 ++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/include/assume_role b/include/assume_role
index a02ae7cadd..d4237bcd5e 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -12,6 +12,9 @@
 # specific language governing permissions and limitations under the License.
 assume_role(){
+ MY_AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+ MY_AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+ MY_SESSION_TOKEN=$AWS_SESSION_TOKEN
 PROFILE_OPT=$PROFILE_OPT_BAK
 # Both variables are mandatory to be set together
 if [[ -z $ROLE_TO_ASSUME || -z $ACCOUNT_TO_ASSUME ]]; then
@@ -84,3 +87,9 @@ cleanSTSAssumeFile() {
 rm -fr "${TEMP_STS_ASSUMED_FILE}"
 rm -fr "${TEMP_STS_ASSUMED_ERROR}"
 }
+
+ restoreAWSCredentials() {
+ AWS_ACCESS_KEY_ID=$MY_AWS_ACCESS_KEY_ID
+ AWS_SECRET_ACCESS_KEY=$MY_AWS_SECRET_ACCESS_KEY
+ SESSION_TOKEN=$MY_AWS_SESSION_TOKEN
+}
diff --git a/prowler b/prowler
index 6d2bc68f76..3cadc1bf12 100755
--- a/prowler
+++ b/prowler
@@ -662,6 +662,9 @@ if [[ $GROUP_ID_READ ]];then
 fi
 cleanTemp
 scoring
+ if [[ $ACCOUNT_TO_ASSUME ]]; then
+ restoreAWSCredentials
+ fi
 copyToS3
 exit $EXITCODE
 else
@@ -690,6 +693,9 @@ if [[ $CHECK_ID ]];then
 if [[ "${MODES[@]}" =~ "html" ]]; then
 addHtmlFooter >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
 fi
+ if [[ $ACCOUNT_TO_ASSUME ]]; then
+ restoreAWSCredentials
+ fi
 copyToS3
 scoring
 cleanTemp
@@ -704,13 +710,9 @@ fi
 scoring
 cleanTemp
-copyToS3
-
 if [[ $ACCOUNT_TO_ASSUME ]]; then
- # unset env variables with assumed role credentials
- unset AWS_ACCESS_KEY_ID
- unset AWS_SECRET_ACCESS_KEY
- unset AWS_SESSION_TOKEN
+ restoreAWSCredentials
 fi
+copyToS3
 exit $EXITCODE
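Review bot: `restoreAWSCredentials` in the second assume_role hunk cannot put the session token back: the first hunk saves it as `MY_SESSION_TOKEN`, but the restore reads `MY_AWS_SESSION_TOKEN` (never assigned) and writes the result to `SESSION_TOKEN`, which is not the variable the AWS CLI consults, so `AWS_SESSION_TOKEN` still carries the assumed-role token when copyToS3 runs. The matching pair is `MY_AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN` in the first hunk and `AWS_SESSION_TOKEN=$MY_AWS_SESSION_TOKEN` here. Patches 4 and 5 of this series replace the function, so this matters mainly for the intermediate commits and anyone bisecting through them.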
From 947c78cd76b5e412d5d80bd644f82d1d54a95aed Mon Sep 17 00:00:00 2001
From: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Date: Sun, 19 Dec 2021 11:47:34 -0500
Subject: [PATCH 2/5] exporting the ENV variables

---
 include/assume_role | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/assume_role b/include/assume_role
index d4237bcd5e..d4a463340f 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -90,6 +90,8 @@ cleanSTSAssumeFile() {
 restoreAWSCredentials() {
 AWS_ACCESS_KEY_ID=$MY_AWS_ACCESS_KEY_ID
+ export AWS_ACCESS_KEY_ID
 AWS_SECRET_ACCESS_KEY=$MY_AWS_SECRET_ACCESS_KEY
- SESSION_TOKEN=$MY_AWS_SESSION_TOKEN
-}
+ export AWS_SECRET_ACCESS_KEY
+ SESSION_TOKEN=$MY_AWS_SESSION_TOKEN
+ export SESSION_TOKEN
From 6cb3d23ed274f3cc585b0f434fc4b6a51c4fa6a1 Mon Sep 17 00:00:00 2001
From: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Date: Sun, 19 Dec 2021 11:48:32 -0500
Subject: [PATCH 3/5] fixed bracket

---
 include/assume_role | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/assume_role b/include/assume_role
index d4a463340f..216850d273 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -95,3 +95,4 @@ cleanSTSAssumeFile() {
 export AWS_SECRET_ACCESS_KEY
 SESSION_TOKEN=$MY_AWS_SESSION_TOKEN
 export SESSION_TOKEN
+}
From 949c2056ab17d4c50ca46709e5f0d1e4b0938796 Mon Sep 17 00:00:00 2001
From: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Date: Tue, 21 Dec 2021 11:11:53 -0500
Subject: [PATCH 4/5] Added -D option to copy to S3 with the initial AWS credentials

---
 include/assume_role | 56 +++++++++++++++++++++++++-----------------
 include/outputs_bucket | 12 ++++-----
 prowler | 22 +++++++++++------
 3 files changed, 55 insertions(+), 35 deletions(-)

diff --git a/include/assume_role b/include/assume_role
index 216850d273..f5b4109549 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -12,10 +12,9 @@
 # specific language governing permissions and limitations under the License.
 assume_role(){
- MY_AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
- MY_AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
- MY_SESSION_TOKEN=$AWS_SESSION_TOKEN
+ PROFILE_OPT=$PROFILE_OPT_BAK
+ # Both variables are mandatory to be set together
 if [[ -z $ROLE_TO_ASSUME || -z $ACCOUNT_TO_ASSUME ]]; then
 echo "$OPTRED ERROR!$OPTNORMAL - Both Account ID (-A) and IAM Role to assume (-R) must be set"
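Review bot: With the three MY_* assignments removed, assume_role now overwrites the exported AWS_* variables without keeping a copy, so it is only safe to call after backupInitialAWSCredentials has run; prowler does that in this series, but nothing in this file states the requirement and a future caller will not know. Add a header comment above `assume_role(){`, e.g. `# Replaces AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/AWS_SESSION_TOKEN in the environment and clears PROFILE_OPT; callers that need the original identity back must call backupInitialAWSCredentials before and restoreInitialAWSCredentials after.` The body of assume_role continues outside this hunk.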
@@ -67,18 +66,18 @@ assume_role(){
 PROFILE_OPT=""
 # Set AWS environment variables with assumed role credentials
- AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "${TEMP_STS_ASSUMED_FILE}")
- export AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "${TEMP_STS_ASSUMED_FILE}")
- export AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "${TEMP_STS_ASSUMED_FILE}")
- export AWS_SESSION_TOKEN
- AWS_SESSION_EXPIRATION=$(jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601' "${TEMP_STS_ASSUMED_FILE}")
- export AWS_SESSION_EXPIRATION
- echo TEMP AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID
- echo TEMP AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY
- echo TEMP AWS_SESSION_TOKEN: $AWS_SESSION_TOKEN
- echo EXPIRATION EPOCH TIME: $AWS_SESSION_EXPIRATION
+ ASSUME_AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' "${TEMP_STS_ASSUMED_FILE}")
+ export AWS_ACCESS_KEY_ID=$ASSUME_AWS_ACCESS_KEY_ID
+ ASSUME_AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' "${TEMP_STS_ASSUMED_FILE}")
+ export AWS_SECRET_ACCESS_KEY=$ASSUME_AWS_SECRET_ACCESS_KEY
+ ASSUME_AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' "${TEMP_STS_ASSUMED_FILE}")
+ export AWS_SESSION_TOKEN=$ASSUME_AWS_SESSION_TOKEN
+ ASSUME_AWS_SESSION_EXPIRATION=$(jq -r '.Credentials.Expiration | sub("\\+00:00";"Z") | fromdateiso8601' "${TEMP_STS_ASSUMED_FILE}")
+ export AWS_SESSION_EXPIRATION=$ASSUME_AWS_SESSION_EXPIRATION
+ echo TEMP AWS_ACCESS_KEY_ID: $ASSUME_AWS_ACCESS_KEY_ID
+ echo TEMP AWS_SECRET_ACCESS_KEY: $ASSUME_AWS_SECRET_ACCESS_KEY
+ echo TEMP AWS_SESSION_TOKEN: $ASSUME_AWS_SESSION_TOKEN
+ echo EXPIRATION EPOCH TIME: $ASSUME_AWS_SESSION_EXPIRATION
 cleanSTSAssumeFile
 }
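Review bot: The rewritten `echo TEMP AWS_SECRET_ACCESS_KEY: $ASSUME_AWS_SECRET_ACCESS_KEY` and `echo TEMP AWS_SESSION_TOKEN: $ASSUME_AWS_SESSION_TOKEN` lines still write the temporary secret key and session token to stdout, where they land in terminal scrollback, CI logs and any file the run is redirected into; the variable renaming is the moment to drop them. Keeping only `echo TEMP AWS_ACCESS_KEY_ID: $ASSUME_AWS_ACCESS_KEY_ID` and the expiration line preserves the debugging value (the key id is enough to match the session in CloudTrail) without exposing anything usable on its own. If any of these echoes stay, quote the expansions (`"$ASSUME_AWS_ACCESS_KEY_ID"`) and send them to stderr so they do not mix with report output; the head of assume_role is outside this hunk.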
@@ -88,11 +87,24 @@ cleanSTSAssumeFile() {
 rm -fr "${TEMP_STS_ASSUMED_ERROR}"
 }
- restoreAWSCredentials() {
- AWS_ACCESS_KEY_ID=$MY_AWS_ACCESS_KEY_ID
- export AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY=$MY_AWS_SECRET_ACCESS_KEY
- export AWS_SECRET_ACCESS_KEY
- SESSION_TOKEN=$MY_AWS_SESSION_TOKEN
- export SESSION_TOKEN
+backupInitialAWSCredentials() {
+# echo Backing up current AWS ENV Credentials
+ if [[ $(printenv AWS_ACCESS_KEY_ID) ]]; then
+# echo Current AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+ MY_AWS_ACCESS_KEY_ID=$(printenv AWS_ACCESS_KEY_ID)
+ fi
+ if [[ $(printenv AWS_SECRET_ACCESS_KEY) ]]; then
+# echo AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+ MY_AWS_SECRET_ACCESS_KEY=$(printenv AWS_SECRET_ACCESS_KEY)
+ fi
+ if [[ $(printenv AWS_SESSION_TOKEN) ]]; then
+# echo AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN
+ MY_AWS_SESSION_TOKEN=$(printenv AWS_SESSION_TOKEN)
+ fi
+}
+
+restoreInitialAWSCredentials() {
+ export AWS_ACCESS_KEY_ID=$MY_AWS_ACCESS_KEY_ID
+ export AWS_SECRET_ACCESS_KEY=$MY_AWS_SECRET_ACCESS_KEY
+ export AWS_SESSION_TOKEN=$MY_AWS_SESSION_TOKEN
 }
diff --git a/include/outputs_bucket b/include/outputs_bucket
index f89a7fd448..2101cdf459 100644
--- a/include/outputs_bucket
+++ b/include/outputs_bucket
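Review bot: `restoreInitialAWSCredentials` exports all three AWS_* variables unconditionally, while `backupInitialAWSCredentials` only fills a MY_* variable when the corresponding environment variable was non-empty, so a run that started from a profile, an instance role, or a long-lived key with no session token ends up with those variables exported as empty strings instead of absent as they were — the `unset` the earlier code used was unambiguous, whereas an empty exported value relies on every consumer treating it as unset. The restore should mirror the backup, exporting when a saved value exists and unsetting otherwise (below); `PROFILE_OPT` is also cleared to `""` by assume_role and not reinstated here, so if copyToS3 hands it to the CLI (not visible in this hunk) a `-p` user still will not upload under the initial identity, and `PROFILE_OPT=$PROFILE_OPT_BAK` belongs in the restore too. The commented-out `# echo AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY` and `# echo AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN` lines are one uncomment away from printing the caller's long-lived secrets and should be deleted rather than left as dormant debug output. Patch 5 renames MY_* to INITIAL_*; the same applies there.
```shell
restoreInitialAWSCredentials() {
  # Mirror backupInitialAWSCredentials: a variable that was absent before
  # assume_role must be absent again, not exported as an empty string.
  if [[ -n "${MY_AWS_ACCESS_KEY_ID:-}" ]]; then
    export AWS_ACCESS_KEY_ID="${MY_AWS_ACCESS_KEY_ID}"
  else
    unset AWS_ACCESS_KEY_ID
  fi
  if [[ -n "${MY_AWS_SECRET_ACCESS_KEY:-}" ]]; then
    export AWS_SECRET_ACCESS_KEY="${MY_AWS_SECRET_ACCESS_KEY}"
  else
    unset AWS_SECRET_ACCESS_KEY
  fi
  if [[ -n "${MY_AWS_SESSION_TOKEN:-}" ]]; then
    export AWS_SESSION_TOKEN="${MY_AWS_SESSION_TOKEN}"
  else
    unset AWS_SESSION_TOKEN
  fi
}
```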
@@ -15,18 +15,18 @@ if [[ $OUTPUT_BUCKET ]]; then
 # output mode has to be set to other than text
 if [[ "${MODES[@]}" =~ "html" ]] || [[ "${MODES[@]}" =~ "csv" ]] || [[ "${MODES[@]}" =~ "json" ]] || [[ "${MODES[@]}" =~ "json-asff" ]]; then
 OUTPUT_BUCKET_WITHOUT_FOLDERS=$(echo $OUTPUT_BUCKET | awk -F'/' '{ print $1 }')
- OUTPUT_BUCKET_STATUS=$($AWSCLI s3api head-bucket --bucket "$OUTPUT_BUCKET" 2>&1 || true)
- if [[ ! -z $OUTPUT_BUCKET_STATUS ]]; then
- echo "$OPTRED ERROR!$OPTNORMAL wrong bucket name or not right permissions."
- exit 1
- else
+# OUTPUT_BUCKET_STATUS=$($AWSCLI s3api head-bucket --bucket "$OUTPUT_BUCKET" 2>&1 || true)
+# if [[ -z $OUTPUT_BUCKET_STATUS ]]; then
+# echo "$OPTRED ERROR!$OPTNORMAL wrong bucket name or not right permissions."
+# exit 1
+# else
 # need to make sure last / is not set to avoid // in S3
 if [[ $OUTPUT_BUCKET != *"/" ]]; then
 OUTPUT_BUCKET="$OUTPUT_BUCKET"
 else
 OUTPUT_BUCKET=${OUTPUT_BUCKET::-1}
 fi
- fi
+# fi
 else
 echo "$OPTRED ERROR!$OPTNORMAL - Mode (-M) has to be set as well. Use -h for help."
 exit 1
diff --git a/prowler b/prowler
index 3cadc1bf12..9f0ae71307 100755
--- a/prowler
+++ b/prowler
@@ -107,6 +107,8 @@ USAGE:
 (i.e.: -M csv -o /tmp/reports/)
 -B Custom output bucket, requires -M and it can work also with -o flag.
 (i.e.: -M csv -B my-bucket or -M csv -B my-bucket/folder/)
+ -D Same as -B but do not use the assume role credentials to put objects to the bucket, instead
+ uses the initial credentials
 -F Custom output report name, if not specified will use default output/prowler-output-ACCOUNT_NUM-OUTPUT_DATE
 -z Failed Checks do not trigger exit code 3
 -Z Specify one or multiple check ids separated by commas that will trigger exit code 3 if they fail. Unspecified checks will not trigger exit code 3. This will override "-z".
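Review bot: Commenting out the `head-bucket` probe removes the up-front bucket/permission check for every `-B` user, not only `-D` runs, so a wrong bucket name is now discovered only when copyToS3 fails at the very end of a scan; and the commented copy reads `# if [[ -z $OUTPUT_BUCKET_STATUS ]]; then` where the live line had `! -z`, so re-enabling it as written would reject exactly the buckets that are reachable. If the probe was disabled because it runs under the assumed-role credentials while `-D` uploads with the initial ones, the better fix is to keep the live check and run it under the identity that will perform the upload (for `-D`, after restoreInitialAWSCredentials), or failing that to delete the dead block rather than leave an inverted version behind. The enclosing `if [[ $OUTPUT_BUCKET ]]` starts before this hunk.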
@@ -117,7 +119,7 @@ USAGE:
 exit
 }
-while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:F:zZ:" OPTION; do
+while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:" OPTION; do
 case $OPTION in
 h )
 usage
@@ -211,6 +213,10 @@ while getopts ":hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:F:zZ:" OPTION; do
 B )
 OUTPUT_BUCKET=$OPTARG
 ;;
+ D )
+ OUTPUT_BUCKET=$OPTARG
+ OUTPUT_BUCKET_NOASSUME=1
+ ;;
 F )
 OUTPUT_FILE_NAME=$OPTARG
 ;;
@@ -395,6 +401,7 @@ show_group_title() {
 execute_check() {
 if [[ -n "${ACCOUNT_TO_ASSUME}" || -n "${ROLE_TO_ASSUME}" ]]; then
+ echo ******* I am here again to check on my role *******
 # Following logic looks for time remaining in the session and review it
 # if it is less than 600 seconds, 10 minutes.
 CURRENT_TIMESTAMP=$(date -u "+%s")
@@ -644,6 +651,7 @@ fi
 # Gather account data / test aws cli connectivity
 getWhoami
 if [[ -n "${ACCOUNT_TO_ASSUME}" || -n "${ROLE_TO_ASSUME}" ]]; then
+ backupInitialAWSCredentials
 assume_role
 fi
@@ -662,8 +670,8 @@ if [[ $GROUP_ID_READ ]];then
 fi
 cleanTemp
 scoring
- if [[ $ACCOUNT_TO_ASSUME ]]; then
- restoreAWSCredentials
+ if [[ $OUTPUT_BUCKET_NOASSUME ]]; then
+ restoreInitialAWSCredentials
 fi
 copyToS3
 exit $EXITCODE
@@ -693,8 +701,8 @@ if [[ $CHECK_ID ]];then
 if [[ "${MODES[@]}" =~ "html" ]]; then
 addHtmlFooter >> ${OUTPUT_FILE_NAME}.$EXTENSION_HTML
 fi
- if [[ $ACCOUNT_TO_ASSUME ]]; then
- restoreAWSCredentials
+ if [[ $OUTPUT_BUCKET_NOASSUME ]]; then
+ restoreInitialAWSCredentials
 fi
 copyToS3
 scoring
@@ -710,8 +718,8 @@ fi
 scoring
 cleanTemp
-if [[ $ACCOUNT_TO_ASSUME ]]; then
- restoreAWSCredentials
+if [[ $OUTPUT_BUCKET_NOASSUME ]]; then
+ restoreInitialAWSCredentials
 fi
 copyToS3
From aa945f3b4667889e09ccdaec9e6206434a39e3b1 Mon Sep 17 00:00:00 2001
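Review bot: `echo ******* I am here again to check on my role *******` in the execute_check hunk is leftover debug output: it fires on every check whenever a role is assumed, and because the asterisks are unquoted each `*******` is a glob that expands to the names of the files in the current directory, so the line is both noisy and nondeterministic and pollutes whatever the script is writing to stdout. Remove it; if a trace is genuinely wanted, write it quoted and to stderr, e.g. `printf '%s\n' '*** checking role session ***' >&2`. execute_check continues outside this hunk.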
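Review bot: The restore in the -662 hunk is now gated on `$OUTPUT_BUCKET_NOASSUME` alone (the same applies to the -693 and -710 hunks), while `backupInitialAWSCredentials` only runs inside the `-A`/`-R` branch of the -644 hunk, so `-D` without a role to assume calls restoreInitialAWSCredentials with the MY_* variables never set and exports empty `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` over whatever credentials the user actually had; the upload then fails or, depending on how the CLI treats empty values, silently picks another credential source. Gate all three sites on the same condition as the backup, e.g. `if [[ $OUTPUT_BUCKET_NOASSUME && ( -n "${ACCOUNT_TO_ASSUME}" || -n "${ROLE_TO_ASSUME}" ) ]]; then`, or make `-D` without `-A`/`-R` behave exactly like `-B`. Separately, `D )` in the -211 hunk silently overrides an earlier `-B` (and vice versa), which deserves a sentence in the usage text.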
From: Andrea Di Fabio <39841198+sectoramen@users.noreply.github.com>
Date: Tue, 21 Dec 2021 11:16:46 -0500
Subject: [PATCH 5/5] Cosmetic variable name change

---
 include/assume_role | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/assume_role b/include/assume_role
index f5b4109549..91a3444403 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -91,20 +91,20 @@ backupInitialAWSCredentials() {
 # echo Backing up current AWS ENV Credentials
 if [[ $(printenv AWS_ACCESS_KEY_ID) ]]; then
 # echo Current AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
- MY_AWS_ACCESS_KEY_ID=$(printenv AWS_ACCESS_KEY_ID)
+ INITIAL_AWS_ACCESS_KEY_ID=$(printenv AWS_ACCESS_KEY_ID)
 fi
 if [[ $(printenv AWS_SECRET_ACCESS_KEY) ]]; then
 # echo AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
- MY_AWS_SECRET_ACCESS_KEY=$(printenv AWS_SECRET_ACCESS_KEY)
+ INITIAL_AWS_SECRET_ACCESS_KEY=$(printenv AWS_SECRET_ACCESS_KEY)
 fi
 if [[ $(printenv AWS_SESSION_TOKEN) ]]; then
 # echo AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN
- MY_AWS_SESSION_TOKEN=$(printenv AWS_SESSION_TOKEN)
+ INITIAL_AWS_SESSION_TOKEN=$(printenv AWS_SESSION_TOKEN)
 fi
 }
 restoreInitialAWSCredentials() {
- export AWS_ACCESS_KEY_ID=$MY_AWS_ACCESS_KEY_ID
- export AWS_SECRET_ACCESS_KEY=$MY_AWS_SECRET_ACCESS_KEY
- export AWS_SESSION_TOKEN=$MY_AWS_SESSION_TOKEN
+ export AWS_ACCESS_KEY_ID=$INITIAL_AWS_ACCESS_KEY_ID
+ export AWS_SECRET_ACCESS_KEY=$INITIAL_AWS_SECRET_ACCESS_KEY
+ export AWS_SESSION_TOKEN=$INITIAL_AWS_SESSION_TOKEN
 }