From 1d409d04f2a396250ec0a45c59708048cf4c46f3 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Fri, 4 Feb 2022 11:58:22 -0500
Subject: [PATCH] Fix (extra7148 and add action #1017 (#1021)
---
 checks/check_extra7148 | 6 +++++-
 iam/create_role_to_assume_cfn.yaml | 1 +
 iam/prowler-additions-policy.json | 3 ++-
 util/codebuild/codebuild-prowler-audit-account-cfn.yaml | 1 +
 util/org-multi-account/ProwlerRole.yaml | 1 +
 .../serverless_codebuild/templates/ProwlerRole.yaml | 1 +
 util/terraform-kickstarter/main.tf | 3 ++-
 7 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/checks/check_extra7148 b/checks/check_extra7148
index 4f035a88..dd76d1eb 100644
--- a/checks/check_extra7148
+++ b/checks/check_extra7148
@@ -33,7 +33,11 @@ extra7148() {
 if [[ $LIST_OF_EFS_SYSTEMS ]]; then
 for filesystem in $LIST_OF_EFS_SYSTEMS; do
 # if retention is 0 then is disabled
- BACKUP_POLICY=$($AWSCLI efs describe-backup-policy $PROFILE_OPT --region $regx --file-system-id $filesystem --query BackupPolicy --output text)
+ BACKUP_POLICY=$($AWSCLI efs describe-backup-policy $PROFILE_OPT --region $regx --file-system-id $filesystem --query BackupPolicy --output text 2>&1)
+ if [[ $(echo "$BACKUP_POLICY" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+ textInfo "$regx: Access Denied trying to describe backup policy" "$regx"
+ continue
+ fi
 if [[ $BACKUP_POLICY == "DISABLED" ]]; then
 textFail "$regx: File system $filesystem does not have backup enabled!" "$regx" "$filesystem"
 else
diff --git a/iam/create_role_to_assume_cfn.yaml b/iam/create_role_to_assume_cfn.yaml
index b844d31b..0f1c04ff 100644
--- a/iam/create_role_to_assume_cfn.yaml
+++ b/iam/create_role_to_assume_cfn.yaml
@@ -67,4 +67,5 @@ Resources:
 - 's3:GetAccountPublicAccessBlock'
 - 'shield:GetSubscriptionState'
 - 'shield:DescribeProtection'
+ - 'elasticfilesystem:DescribeBackupPolicy'
 Resource: '*'
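Review bot: The new guard only recognises three error strings, and because the call now redirects `2>&1`, every other CLI failure (throttling, a file system that vanished between list and describe, a transient error) lands in `BACKUP_POLICY`, fails the `== "DISABLED"` test and falls through to the `else` branch, whose body is outside the hunk and presumably scores the file system as compliant. After the access-denied branch I would add a positive check so that only a known status is scored: `if [[ $BACKUP_POLICY != ENABLED && $BACKUP_POLICY != DISABLED ]]; then textInfo "$regx: Unexpected response describing backup policy for $filesystem" "$regx"; continue; fi`. The `[[ $(echo "$BACKUP_POLICY" | grep -E …) ]]` test spawns a pipeline to inspect a single variable; `if grep -qE 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<<"$BACKUP_POLICY"; then` is the idiomatic form and avoids the empty-string-in-`[[ ]]` trick. The unquoted `$regx` and `$filesystem` in the CLI invocation predate this change. extra7148's body starts before and continues after the hunk.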
diff --git a/iam/prowler-additions-policy.json b/iam/prowler-additions-policy.json
index 6921d3ab..454c8078 100644
--- a/iam/prowler-additions-policy.json
+++ b/iam/prowler-additions-policy.json
@@ -14,7 +14,8 @@
 "glue:SearchTables",
 "s3:GetAccountPublicAccessBlock",
 "shield:GetSubscriptionState",
- "shield:DescribeProtection"
+ "shield:DescribeProtection",
+ "elasticfilesystem:DescribeBackupPolicy"
 ],
 "Resource": "*",
 "Effect": "Allow",
diff --git a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
index efd19cd2..b2993326 100644
--- a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
+++ b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
@@ -196,6 +196,7 @@ Resources:
 - s3:GetAccountPublicAccessBlock
 - shield:GetSubscriptionState
 - shield:DescribeProtection
+ - elasticfilesystem:DescribeBackupPolicy
 Effect: Allow
 Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog'
 - PolicyName: CodeBuild
diff --git a/util/org-multi-account/ProwlerRole.yaml b/util/org-multi-account/ProwlerRole.yaml
index 183b2bee..122a7ec9 100644
--- a/util/org-multi-account/ProwlerRole.yaml
+++ b/util/org-multi-account/ProwlerRole.yaml
@@ -98,6 +98,7 @@ Resources:
 - tag:GetTagKeys
 - shield:GetSubscriptionState
 - shield:DescribeProtection
+ - elasticfilesystem:DescribeBackupPolicy
 - PolicyName: Prowler-S3-Reports
 PolicyDocument:
 Version: 2012-10-17
diff --git a/util/org-multi-account/serverless_codebuild/templates/ProwlerRole.yaml b/util/org-multi-account/serverless_codebuild/templates/ProwlerRole.yaml
index d80ad88c..d5723b96 100644
--- a/util/org-multi-account/serverless_codebuild/templates/ProwlerRole.yaml
+++ b/util/org-multi-account/serverless_codebuild/templates/ProwlerRole.yaml
@@ -99,6 +99,7 @@ Resources:
 - tag:GetTagKeys
 - shield:GetSubscriptionState
 - shield:DescribeProtection
+ - elasticfilesystem:DescribeBackupPolicy
 - PolicyName: Prowler-S3-Reports
 PolicyDocument:
 Version: 2012-10-17
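Review bot: In codebuild-prowler-audit-account-cfn.yaml the new `elasticfilesystem:DescribeBackupPolicy` is added to a statement whose only `Resource` is the Glue catalog ARN (`Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog'`), so IAM will never match that action against an EFS file-system ARN and check_extra7148 will still receive AccessDenied from this role; the terraform-kickstarter main.tf hunk has the same problem with its single-string `Resource = "arn:aws:glue:…:catalog"`. The neighbouring actions in that statement (`s3:GetAccountPublicAccessBlock`, the `shield:` pair) share the mis-scoping and predate this change, but the new line should go where the other two policy files in this diff put it, a statement with `Resource: '*'` (or one scoped to the account's EFS file-system ARNs), rather than extend a grant that cannot take effect. The statement's opening lies outside the hunk, so this reading assumes no second Resource entry precedes the visible lines.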
diff --git a/util/terraform-kickstarter/main.tf b/util/terraform-kickstarter/main.tf
index 187b7723..a6e53f47 100644
--- a/util/terraform-kickstarter/main.tf
+++ b/util/terraform-kickstarter/main.tf
@@ -322,7 +322,8 @@ resource "aws_iam_policy" "prowler_kickstarter_iam_policy" {
 "glue:SearchTables",
 "s3:GetAccountPublicAccessBlock",
 "shield:GetSubscriptionState",
- "shield:DescribeProtection"
+ "shield:DescribeProtection",
+ "elasticfilesystem:DescribeBackupPolicy"
 ]
 Effect = "Allow"
 Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"