Refresh assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys

Refresh assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys

README.md

@@ -297,9 +297,9 @@ or with a given External ID:
 
 If you want to run Prowler or just a check or a group across all accounts of AWS Organizations you can do this:
 
-First get a list of accounts:
+First get a list of accounts that are not suspended:
 ```
-ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text)
+ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[?Status==`ACTIVE`].Id --output text)
 ```
 Then run Prowler to assume a role (same in all members) per each account, in this example it is just running one particular check:
 ```

include/assume_role

@@ -64,6 +64,7 @@ assume_role(){
     export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
     export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
     export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
+    export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp "$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration')")
     rm -fr $TEMP_STS_ASSUMED_FILE
 }
 

include/os_detector

@@ -108,6 +108,14 @@ bsd_get_iso8601_timestamp() {
   "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
 }
 
+gnu_convert_date_to_timestamp() {
+  date -d "$1" +%s
+}
+
+bsd_convert_date_to_timestamp() {
+  date -j -f "%Y-%m-%dT%H:%M:%SZ" "$1" "+%s"
+}
+
 gnu_test_tcp_connectivity() {
   HOST=$1
   PORT=$2
@@ -154,6 +162,9 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
   test_tcp_connectivity() {
     gnu_test_tcp_connectivity "$1" "$2" "$3"
   }
+  convert_date_to_timestamp() {
+    gnu_convert_date_to_timestamp "$1"
+  }
 elif [[ "$OSTYPE" == "darwin"* ]]; then
   # BSD/OSX commands compatibility
   TEMP_REPORT_FILE=$(mktemp -t prowler.cred_report-XXXXXX)
@@ -189,6 +200,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
     get_iso8601_timestamp() {
       gnu_get_iso8601_timestamp
     }
+    convert_date_to_timestamp() {
+      gnu_convert_date_to_timestamp "$1"
+    }
   else
     how_older_from_today() {
       bsd_how_older_from_today "$1"
@@ -208,6 +222,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
     get_iso8601_timestamp() {
       bsd_get_iso8601_timestamp
     }
+    convert_date_to_timestamp() {
+      bsd_convert_date_to_timestamp "$1"
+    }
   fi
   if "$BASE64_CMD" --version >/dev/null 2>&1 ; then
     decode_report() {
@@ -248,6 +265,9 @@ elif [[ "$OSTYPE" == "cygwin" ]]; then
   test_tcp_connectivity() {
     gnu_test_tcp_connectivity "$1" "$2" "$3"
   }
+  convert_date_to_timestamp() {
+    gnu_convert_date_to_timestamp "$1"
+  }
 else
   echo "Unknown Operating System! Valid \$OSTYPE: linux-gnu, linux-musl, darwin* or cygwin"
   echo "Found: $OSTYPE"

prowler

@@ -320,6 +320,18 @@ show_group_title() {
 
 # Function to execute the check
 execute_check() {
+  if [[ $ACCOUNT_TO_ASSUME ]]; then
+    MINIMUM_REMAINING_TIME_ALLOWED=$(( SESSION_DURATION_TO_ASSUME / 10 ))
+    CURRENT_TIMESTAMP=$(date -u "+%s")
+    SESSION_CUTOFF=$(( CURRENT_TIMESTAMP + MINIMUM_REMAINING_TIME_ALLOWED ))
+    if (( AWS_SESSION_EXPIRATION < SESSION_CUTOFF )); then
+      unset AWS_ACCESS_KEY_ID
+      unset AWS_SECRET_ACCESS_KEY
+      unset AWS_SESSION_TOKEN
+      assume_role
+    fi
+  fi
+
   # See if this is an alternate name for a check
   # for example, we might have been passed 1.01 which is another name for 1.1
   local alternate_name_var=CHECK_ALTERNATE_$1