From 198c7f48ca0df6cb82107315a3771a680dcf3abe Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Fri, 18 Mar 2022 11:51:42 +0100
Subject: [PATCH] fix(bucket_region): check extra764 doesn't handle bucket region properly (#1077)

* fix(bucket_region): check extra764 doesn't handle bucket region properly
---
 checks/check_extra764 | 43 +++++++++++++++++++++----------------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/checks/check_extra764 b/checks/check_extra764
index e3b3a46a..f0815c3e 100644
--- a/checks/check_extra764
+++ b/checks/check_extra764
@@ -26,49 +26,48 @@ CHECK_CAF_EPIC_extra764='Data Protection'
 extra764(){
- LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1)
+ LIST_OF_BUCKETS=$(${AWSCLI} s3api list-buckets ${PROFILE_OPT} --query Buckets[*].Name --output text --region ${REGION}|xargs -n1)
 if [[ $LIST_OF_BUCKETS ]]; then
 for bucket in $LIST_OF_BUCKETS;do
 TEMP_STP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
- BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text 2>&1)
- if [[ $(echo "$BUCKET_LOCATION" | grep AccessDenied) ]]; then
- textInfo "Access Denied Trying to Get Bucket Location for $bucket"
+ BUCKET_LOCATION=$(${AWSCLI} s3api get-bucket-location ${PROFILE_OPT} --region ${REGION} --bucket ${bucket} --output text 2>&1)
+ if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${BUCKET_LOCATION}"; then
+ textInfo "Access Denied Trying to Get Bucket Location for ${bucket}"
 continue
 fi
- if [[ $BUCKET_LOCATION == "None" ]]; then
+ if [[ "${BUCKET_LOCATION}" == "None" ]]; then
 BUCKET_LOCATION="us-east-1"
 fi
- if [[ $BUCKET_LOCATION == "EU" ]]; then
+ if [[ "${BUCKET_LOCATION}" == "EU" ]]; then
 BUCKET_LOCATION="eu-west-1"
 fi
 # get bucket policy
- $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy --region $BUCKET_LOCATION > $TEMP_STP_POLICY_FILE 2>&1
- if [[ $(grep AccessDenied $TEMP_STP_POLICY_FILE) ]]; then
- textInfo "Access Denied Trying to Get Bucket Policy for $bucket"
- rm -f $TEMP_STP_POLICY_FILE
+ TEMP_STP_POLICY_FILE=$(${AWSCLI} s3api get-bucket-policy ${PROFILE_OPT} --bucket ${bucket} --output text --query Policy --region ${BUCKET_LOCATION} 2>&1)
+ if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${TEMP_STP_POLICY_FILE}"; then
+ textInfo "Access Denied Trying to Get Bucket Policy for ${bucket}"
+ rm -f "${TEMP_STP_POLICY_FILE}"
 continue
 fi
- if [[ $(grep NoSuchBucketPolicy $TEMP_STP_POLICY_FILE) ]]; then
- textFail "No bucket policy for $bucket" "us-east-1" "$bucket"
- rm -f $TEMP_STP_POLICY_FILE
+ if grep -q "NoSuchBucketPolicy" <<< $TEMP_STP_POLICY_FILE ; then
+ textFail "No bucket policy for ${bucket}" "${BUCKET_LOCATION}" "${bucket}"
+ rm -f "${TEMP_STP_POLICY_FILE}"
 continue
 fi
 # https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
 # checking if $TEMP_STP_POLICY_FILE is a valid json before converting it to json with jq
- policy_str=$(cat "$TEMP_STP_POLICY_FILE")
- if jq -e . >/dev/null 2>&1 <<< "$policy_str"; then
- CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:${AWS_PARTITION}:s3:::${bucket}" \
- '.Statement[]|select((((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Effect=="Deny" and (.Action=="s3:*" or .Action=="*") and (.Resource|type == "array") and (.Resource|map({(.):0})[]|has($arn)) and (.Resource|map({(.):0})[]|has($arn+"/*")) and .Condition.Bool."aws:SecureTransport" == "false")')
- if [[ $CHECK_BUCKET_STP_POLICY_PRESENT ]]; then
- textPass "Bucket $bucket has S3 bucket policy to deny requests over insecure transport" "us-east-1" "$bucket"
+ if jq -e . >/dev/null 2>&1 <<< "${TEMP_STP_POLICY_FILE}"; then
+ CHECK_BUCKET_STP_POLICY_PRESENT=$(jq --arg arn "arn:${AWS_PARTITION}:s3:::${bucket}" \
+ '.Statement[]|select((((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Effect=="Deny" and (.Action=="s3:*" or .Action=="*") and (.Resource|type == "array") and (.Resource|map({(.):0})[]|has($arn)) and (.Resource|map({(.):0})[]|has($arn+"/*")) and .Condition.Bool."aws:SecureTransport" == "false")' <<< "${TEMP_STP_POLICY_FILE}")
+ if [[ "${CHECK_BUCKET_STP_POLICY_PRESENT}" ]]; then
+ textPass "Bucket ${bucket} has S3 bucket policy to deny requests over insecure transport" "${BUCKET_LOCATION}" "${bucket}"
 else
- textFail "Bucket $bucket allows requests over insecure transport" "us-east-1" "$bucket"
+ textFail "Bucket ${bucket} allows requests over insecure transport" "${BUCKET_LOCATION}" "${bucket}"
 fi
 else
- textInfo "Unknown Error occurred: $policy_str"
+ textInfo "Unknown Error occurred: ${TEMP_STP_POLICY_FILE}"
 fi
- rm -fr $TEMP_STP_POLICY_FILE
+ rm -fr "${TEMP_STP_POLICY_FILE}"
 done
 else