Added -D option to copy to S3 with the initial AWS credentials instead of the assumed as with -B option @sectoramen #974

Merged
merged 5 commits into from
Dec 21, 2021


sectoramen
Contributor

@sectoramen sectoramen commented Dec 19, 2021

Toni,

Does it make sense to save the original AWS credentials and then restore them before doing a copy to S3? I don't see a reason to keep the assumed credentials before the copy. The credentials of the individual/process that launched prowler are most likely to be the one used to perform other tasks, such as copy to S3. Optionally, we could add a new option, i.e.,
-Bn Custom output bucket used with original prowler role, requires -M and it can work also with -o flag.
(i.e.: -M csv -B my-bucket or -M csv -B my-bucket/folder/)


@j2clerck j2clerck left a comment


I believe there are more cases to cover here, depending on how Prowler is initially getting credentials:

  • Instance Profile
  • Named Profile
  • Environment Variables
  • AWS Config / Credentials file

It might be worth reviewing the existing options and testing how they behave. Setting an environment variable to '' does not seem to bother the aws cli. But you need to be able to revert the profile too, at least. Happy to do some testing.

@toniblyx
Member

I have always tried to keep Prowler consistent with the way that the cli works in terms of configuration settings and precedence:

  1. Command line options – Overrides settings in any other location. You can specify --region, --output, and --profile as parameters on the command line.
  2. Environment variables – You can store values in your system's environment variables.
  3. CLI credentials file – ~/.aws/credentials on Linux or macOS, or at C:\Users\USERNAME\.aws\credentials on Windows.
  4. CLI configuration file – The credentials and config file are updated when you run the command aws configure. The config file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME\.aws\config on Windows.
  5. Container credentials
  6. Instance profile credentials

Additionally, Prowler handles:

  1. With credentials gotten from any of the previous 6 steps, Prowler can assume a role that the previous user or role has permission to assume in the same account or another one.

@sectoramen
Contributor Author

This is ready to go. It was tested and it appears to work fine.

@toniblyx changed the title from "Backup AWS Credentials are restore them before CopyToS3" to "Added -D option to copy to S3 with the initial AWS credentials instead of the assumed as with -B option @sectoramen" on Dec 21, 2021
@toniblyx merged commit 8b415ec into prowler-cloud:2.7 on Dec 21, 2021
@toniblyx
Member

Awesome, thanks @sectoramen!
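
One way to handle the cases raised in this thread (reverting a named profile as well as environment variables, and telling an unset variable apart from one set to ''), as an added example that is not Prowler's code or part of this pull request. All function names, variable names and credential values are hypothetical or constructed, and `simulate_assume_role` stands in for a real STS call.

```shell
# Added example, not Prowler's code; all names and values are hypothetical/constructed.
CRED_VARS="AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE"

# Save each variable's value AND whether it was set at all, so that an
# originally unset variable is not restored as an empty string.
backup_aws_credentials() {
  for v in $CRED_VARS; do
    if eval "[ \"\${$v+set}\" = set ]"; then
      eval "ORIG_SET_$v=1; ORIG_VAL_$v=\"\$$v\""
    else
      eval "ORIG_SET_$v=0; ORIG_VAL_$v="
    fi
  done
}

# Put the environment back exactly as it was when the backup was taken.
restore_aws_credentials() {
  for v in $CRED_VARS; do
    if eval "[ \"\$ORIG_SET_$v\" = 1 ]"; then
      eval "export $v=\"\$ORIG_VAL_$v\""
    else
      unset "$v"
    fi
  done
}

# Run one command (e.g. the S3 copy) with the original credentials inside a
# subshell; the caller keeps the assumed-role credentials afterwards.
run_with_original_credentials() {
  ( restore_aws_credentials; "$@" )
}

# Report a variable's state without printing its (secret) value.
cred_state() {
  if eval "[ \"\${$1+set}\" != set ]"; then echo unset
  elif eval "[ -z \"\$$1\" ]"; then echo empty
  else echo set; fi
}

# Stand-in for an STS AssumeRole call: exports constructed temporary values
# and (as an assumption for this demo) drops the named profile.
simulate_assume_role() {
  export AWS_ACCESS_KEY_ID="ASIACONSTRUCTED" AWS_SECRET_ACCESS_KEY="constructed" AWS_SESSION_TOKEN="constructed"
  unset AWS_PROFILE
}
# Demo (constructed values): the launcher authenticated with a named profile only.
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; export AWS_PROFILE="audit-launcher"
backup_aws_credentials; simulate_assume_role
echo "during scan: key=$(cred_state AWS_ACCESS_KEY_ID) profile=$(cred_state AWS_PROFILE)"
echo "for S3 copy: key=$(run_with_original_credentials cred_state AWS_ACCESS_KEY_ID) profile=$(run_with_original_credentials cred_state AWS_PROFILE)"
```

Instance profile and container credentials never appear in these variables, so restoring the environment to "all unset" is what lets the CLI fall back to them.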

3 participants