From 8ab91e9f8edb605887cb48362341f545604df9ee Mon Sep 17 00:00:00 2001
From: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Date: Wed, 18 Nov 2020 20:21:44 +0000
Subject: [PATCH 1/3] fix: Store assumed role expiry time for later checking

---
 include/assume_role | 1 +
 include/os_detector | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/include/assume_role b/include/assume_role
index cba07ef5..9e43c0b3 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -64,6 +64,7 @@ assume_role(){
 export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
 export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
 export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
+ export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp "$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration')")
 rm -fr $TEMP_STS_ASSUMED_FILE
 }
diff --git a/include/os_detector b/include/os_detector
index af962d4c..a99ad45f 100644
--- a/include/os_detector
+++ b/include/os_detector
@@ -108,6 +108,14 @@ bsd_get_iso8601_timestamp() {
 "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
 }
+gnu_convert_date_to_timestamp() {
+ date -d "$1" +%s
+}
+
+bsd_convert_date_to_timestamp() {
+ date -j -f "%Y-%m-%dT%H:%M:%SZ" "$1" "+%s"
+}
+
 gnu_test_tcp_connectivity() {
 HOST=$1
 PORT=$2
@@ -154,6 +162,9 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
 test_tcp_connectivity() {
 gnu_test_tcp_connectivity "$1" "$2" "$3"
 }
+ convert_date_to_timestamp() {
+ gnu_convert_date_to_timestamp "$1"
+ }
 elif [[ "$OSTYPE" == "darwin"* ]]; then
 # BSD/OSX commands compatibility
 TEMP_REPORT_FILE=$(mktemp -t prowler.cred_report-XXXXXX)
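Review bot: `export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp ...)` discards the converter's exit status, so when `date` cannot parse the `Expiration` string the variable is exported empty, and the arithmetic check added to `execute_check` in the next patch treats an empty operand as 0 — which would re-assume the role before every check instead of once near expiry. Whether the parse succeeds depends on the timestamp form the CLI emits (`Z` suffix versus a `+00:00` offset), which is worth confirming on both the GNU and BSD paths. I would validate the value right after the assignment: `[[ $AWS_SESSION_EXPIRATION =~ ^[0-9]+$ ]] || echo "WARNING: could not parse assumed-role expiry; refresh check disabled" >&2`. The `cat $TEMP_STS_ASSUMED_FILE` expansions are unquoted like the surrounding lines; `jq -r '.Credentials.Expiration' "$TEMP_STS_ASSUMED_FILE"` would be both quoted and free of the extra `cat`.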
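Review bot: `gnu_convert_date_to_timestamp` calls bare `date` while the neighbouring helper goes through `"$DATE_CMD"` (see the `bsd_get_iso8601_timestamp` context line); on the darwin sub-branch that maps `convert_date_to_timestamp` to the GNU variant (the `@@ -189` hunk of this patch, presumably taken when `DATE_CMD` points at a GNU date binary), plain `date` is still the BSD binary, which does not accept `-d` this way, so the conversion fails exactly where it is meant to work. Use `"$DATE_CMD" -d "$1" +%s` in the GNU helper and `"$DATE_CMD" -j -u -f "%Y-%m-%dT%H:%M:%SZ" "$1" "+%s"` in the BSD one. The `-u` matters on the BSD side: without it the `Z`-suffixed input is parsed as local time, so the epoch value is shifted by the host's UTC offset unless the machine runs in UTC — please confirm against `date(1)` on macOS. Neither helper signals a parse failure beyond `date`'s own exit status, which the `export ... =$(...)` caller in `assume_role` masks, so a failed parse goes unnoticed.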
@@ -189,6 +200,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
 get_iso8601_timestamp() {
 gnu_get_iso8601_timestamp
 }
+ convert_date_to_timestamp() {
+ gnu_convert_date_to_timestamp "$1"
+ }
 else
 how_older_from_today() {
 bsd_how_older_from_today "$1"
@@ -208,6 +222,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
 get_iso8601_timestamp() {
 bsd_get_iso8601_timestamp
 }
+ convert_date_to_timestamp() {
+ bsd_convert_date_to_timestamp "$1"
+ }
 fi
 if "$BASE64_CMD" --version >/dev/null 2>&1 ; then
 decode_report() {
@@ -248,6 +265,9 @@ elif [[ "$OSTYPE" == "cygwin" ]]; then
 test_tcp_connectivity() {
 gnu_test_tcp_connectivity "$1" "$2" "$3"
 }
+ convert_date_to_timestamp() {
+ gnu_convert_date_to_timestamp "$1"
+ }
 else
 echo "Unknown Operating System! Valid \$OSTYPE: linux-gnu, linux-musl, darwin* or cygwin"
 echo "Found: $OSTYPE"
From 5da54467b520640c210d6d8211d05a3ea6f4fe01 Mon Sep 17 00:00:00 2001
From: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Date: Wed, 18 Nov 2020 20:22:44 +0000
Subject: [PATCH 2/3] fix: Refresh assumed role credentials if session is nearing expiration

---
 prowler | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/prowler b/prowler
index c88fab83..449b3ab0 100755
--- a/prowler
+++ b/prowler
@@ -310,6 +310,15 @@ show_group_title() {
 # Function to execute the check
 execute_check() {
+ if [[ $ACCOUNT_TO_ASSUME ]]; then
+ if (( "$AWS_SESSION_EXPIRATION" < (( "$(date -u "+%s")" + (( $SESSION_DURATION_TO_ASSUME / 10 )) )) )); then
+ unset AWS_ACCESS_KEY_ID
+ unset AWS_SECRET_ACCESS_KEY
+ unset AWS_SESSION_TOKEN
+ assume_role
+ fi
+ fi
+
 # See if this is an alternate name for a check
 # for example, we might have been passed 1.01 which is another name for 1.1
 local alternate_name_var=CHECK_ALTERNATE_$1
From 30eb4479197444b354d12968ad85ba2be5535334 Mon Sep 17 00:00:00 2001
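Review bot: The refresh condition on the `if ((` line degenerates silently when `AWS_SESSION_EXPIRATION` is empty or unset — bash arithmetic evaluates an empty operand as 0, so the comparison is always true and the role is re-assumed before every check; if `SESSION_DURATION_TO_ASSUME` is empty the safety margin collapses to zero and the refresh only fires after the session has already expired. The nested `(( ))` inside the expression are just redundant parentheses, so I would guard on a numeric value and flatten it: `if [[ $AWS_SESSION_EXPIRATION =~ ^[0-9]+$ ]] && (( AWS_SESSION_EXPIRATION < $(date -u +%s) + SESSION_DURATION_TO_ASSUME / 10 )); then`. The three `unset` lines drop the current credentials before calling `assume_role`; if the caller's base credentials were themselves supplied through those same environment variables rather than a profile, the STS call inside `assume_role` (outside this hunk) would have nothing to authenticate with, so a comment stating which credential source the refresh relies on would help. `execute_check` continues past the end of this hunk.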
From: Michael Dickinson <45626543+michael-dickinson-sainsburys@users.noreply.github.com>
Date: Fri, 20 Nov 2020 08:41:49 +0000
Subject: [PATCH 3/3] docs: Update Organizations command to only incude active accounts

---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index ff7c40d7..dcce9f50 100644
--- a/README.md
+++ b/README.md
@@ -296,9 +296,9 @@ or with a given External ID:
 If you want to run Prowler or just a check or a group across all accounts of AWS Organizations you can do this:
-First get a list of accounts:
+First get a list of accounts that are not suspended:
 ```
-ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text)
+ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[?Status==`ACTIVE`].Id --output text)
 ```
 Then run Prowler to assume a role (same in all members) per each account, in this example it is just running one particular check:
 ```
@@ -647,4 +647,4 @@ Prowler is licensed as Apache License 2.0 as specified in each file. You may obt
 **I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**
-If you want to contact me visit or follow me on Twitter my DMs are open.
\ No newline at end of file
+If you want to contact me visit or follow me on Twitter my DMs are open.