ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refresh assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys

Browse Source 
Refresh assumed role credentials to avoid role chaining limitations @michael-dickinson-sainsburys
This commit is contained in:
Toni de la Fuente
2020-12-15 17:29:11 +01:00
committed by Michael Dickinson
parent e047dc8764 30eb447919
commit 5e38c61286
4 changed files with 36 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@@ -297,9 +297,9 @@ or with a given External ID:
If you want to run Prowler or just a check or a group across all accounts of AWS Organizations you can do this: If you want to run Prowler or just a check or a group across all accounts of AWS Organizations you can do this:
First get a list of accounts: First get a list of accounts that are not suspended:
``` ```
ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text) ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[?Status==`ACTIVE`].Id --output text)
``` ```
Then run Prowler to assume a role (same in all members) per each account, in this example it is just running one particular check: Then run Prowler to assume a role (same in all members) per each account, in this example it is just running one particular check:
``` ```
@@ -648,4 +648,4 @@ Prowler is licensed as Apache License 2.0 as specified in each file. You may obt
**I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.** **I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**
If you want to contact me visit <https://blyx.com/contact> or follow me on Twitter <https://twitter.com/toniblyx> my DMs are open. If you want to contact me visit <https://blyx.com/contact> or follow me on Twitter <https://twitter.com/toniblyx> my DMs are open.

1
include/assume_role
View File

@@ -64,6 +64,7 @@ assume_role(){
export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId') export AWS_ACCESS_KEY_ID=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey') export AWS_SECRET_ACCESS_KEY=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken') export AWS_SESSION_TOKEN=$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.SessionToken')
export AWS_SESSION_EXPIRATION=$(convert_date_to_timestamp "$(cat $TEMP_STS_ASSUMED_FILE | jq -r '.Credentials.Expiration')")
rm -fr $TEMP_STS_ASSUMED_FILE rm -fr $TEMP_STS_ASSUMED_FILE
} }

20
include/os_detector
View File

@@ -108,6 +108,14 @@ bsd_get_iso8601_timestamp() {
"$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ" "$DATE_CMD" -u +"%Y-%m-%dT%H:%M:%SZ"
} }
gnu_convert_date_to_timestamp() {
date -d "$1" +%s
}
bsd_convert_date_to_timestamp() {
date -j -f "%Y-%m-%dT%H:%M:%SZ" "$1" "+%s"
}
gnu_test_tcp_connectivity() { gnu_test_tcp_connectivity() {
HOST=$1 HOST=$1
PORT=$2 PORT=$2
@@ -154,6 +162,9 @@ if [ "$OSTYPE" == "linux-gnu" ] || [ "$OSTYPE" == "linux-musl" ]; then
test_tcp_connectivity() { test_tcp_connectivity() {
gnu_test_tcp_connectivity "$1" "$2" "$3" gnu_test_tcp_connectivity "$1" "$2" "$3"
} }
convert_date_to_timestamp() {
gnu_convert_date_to_timestamp "$1"
}
elif [[ "$OSTYPE" == "darwin"* ]]; then elif [[ "$OSTYPE" == "darwin"* ]]; then
# BSD/OSX commands compatibility # BSD/OSX commands compatibility
TEMP_REPORT_FILE=$(mktemp -t prowler.cred_report-XXXXXX) TEMP_REPORT_FILE=$(mktemp -t prowler.cred_report-XXXXXX)
@@ -189,6 +200,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
get_iso8601_timestamp() { get_iso8601_timestamp() {
gnu_get_iso8601_timestamp gnu_get_iso8601_timestamp
} }
convert_date_to_timestamp() {
gnu_convert_date_to_timestamp "$1"
}
else else
how_older_from_today() { how_older_from_today() {
bsd_how_older_from_today "$1" bsd_how_older_from_today "$1"
@@ -208,6 +222,9 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
get_iso8601_timestamp() { get_iso8601_timestamp() {
bsd_get_iso8601_timestamp bsd_get_iso8601_timestamp
} }
convert_date_to_timestamp() {
bsd_convert_date_to_timestamp "$1"
}
fi fi
if "$BASE64_CMD" --version >/dev/null 2>&1 ; then if "$BASE64_CMD" --version >/dev/null 2>&1 ; then
decode_report() { decode_report() {
@@ -248,6 +265,9 @@ elif [[ "$OSTYPE" == "cygwin" ]]; then
test_tcp_connectivity() { test_tcp_connectivity() {
gnu_test_tcp_connectivity "$1" "$2" "$3" gnu_test_tcp_connectivity "$1" "$2" "$3"
} }
convert_date_to_timestamp() {
gnu_convert_date_to_timestamp "$1"
}
else else
echo "Unknown Operating System! Valid \$OSTYPE: linux-gnu, linux-musl, darwin* or cygwin" echo "Unknown Operating System! Valid \$OSTYPE: linux-gnu, linux-musl, darwin* or cygwin"
echo "Found: $OSTYPE" echo "Found: $OSTYPE"

12
prowler
View File

@@ -320,6 +320,18 @@ show_group_title() {
# Function to execute the check # Function to execute the check
execute_check() { execute_check() {
if [[ $ACCOUNT_TO_ASSUME ]]; then
MINIMUM_REMAINING_TIME_ALLOWED=$(( SESSION_DURATION_TO_ASSUME / 10 ))
CURRENT_TIMESTAMP=$(date -u "+%s")
SESSION_CUTOFF=$(( CURRENT_TIMESTAMP + MINIMUM_REMAINING_TIME_ALLOWED ))
if (( AWS_SESSION_EXPIRATION < SESSION_CUTOFF )); then
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_SESSION_TOKEN
assume_role
fi
fi
# See if this is an alternate name for a check # See if this is an alternate name for a check
# for example, we might have been passed 1.01 which is another name for 1.1 # for example, we might have been passed 1.01 which is another name for 1.1
local alternate_name_var=CHECK_ALTERNATE_$1 local alternate_name_var=CHECK_ALTERNATE_$1