From 2bc3575de8286f64d008c67896e0ee5948faad35 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 4 Mar 2019 22:25:04 -0500
Subject: [PATCH 1/2] Improved extra714 to find secrets
---
 checks/check_extra741 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/checks/check_extra741 b/checks/check_extra741
index dbd66930..0618276e 100644
--- a/checks/check_extra741
+++ b/checks/check_extra741
@@ -17,7 +17,7 @@ CHECK_TYPE_extra741="EXTRA"
 CHECK_ALTERNATE_check741="extra741"
 extra741(){
- textInfo "Looking for keys in EC2 User Data all regions... (max 100 instances per region, use -m to increase it) "
+ textInfo "Looking for keys in EC2 User Data in instances across all regions... (max 100 instances per region, use -m to increase it) "
 for regx in $REGIONS; do
 LIST_OF_EC2_INSTANCES=$($AWSCLI ec2 describe-instances $PROFILE_OPT --region $regx --query Reservations[*].Instances[*].InstanceId --output text --max-items $MAXITEMS | grep -v None)
 if [[ $LIST_OF_EC2_INSTANCES ]];then
@@ -26,7 +26,8 @@ extra741(){
 USERDATA=$($AWSCLI ec2 describe-instance-attribute --attribute userData --query UserData.Value $PROFILE_OPT --region $regx --instance-id $instance --output text | decode_report > $USERDATA_FILE)
 if [ -s $USERDATA_FILE ];then
 FILE_FORMAT_ASCII=$(file -b $USERDATA_FILE|grep ASCII)
- FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE|wc -l|tr -d '\ ')
+ #FINDINGS=$(grep '[A-Za-z0-9]\{20,40\}' $USERDATA_FILE | grep -i -e key -e secret -e token -e pass - |wc -l|tr -d '\ ')
+ FINDINGS=$(grep -i -e key -e secret -e token -e pass $USERDATA_FILE |wc -l|tr -d '\ ')
 if [[ $FILE_FORMAT_ASCII ]]; then
 if [[ $FINDINGS -eq 0 ]]; then
 textPass "$regx: Nothing found in $instance" "$regx"
From bc1271788c3943d8009cb7ea8d1213c994a9db81 Mon Sep 17 00:00:00 2001
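Review bot: The replacement FINDINGS line in the second hunk (`@@ -26,7 +26,8 @@`) drops the `[A-Za-z0-9]\{20,40\}` shape test, so a bare 20–40 character credential with none of the four words on the same line (an access key ID or a base64 secret assigned to a differently named variable) is no longer counted, while ordinary words such as keyboard, monkey or bypass now raise a finding. Keeping the old pattern as an additional alternation preserves the previous coverage: `FINDINGS=$(grep -i -e key -e secret -e token -e pass -e '[A-Za-z0-9]\{20,40\}' "$USERDATA_FILE" | wc -l | tr -d ' ')`. The commented-out FINDINGS line above it should be deleted rather than left as dead code, and `$USERDATA_FILE` is worth quoting. The body of extra741 continues outside the hunk.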
From: Toni de la Fuente
Date: Mon, 4 Mar 2019 22:45:15 -0500
Subject: [PATCH 2/2] Added MFA help to README issue #294
---
 README.md | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 86302955..74d57078 100644
--- a/README.md
+++ b/README.md
@@ -228,7 +228,25 @@ If you are using an STS token for AWS-CLI and your session is expired you probab
 A client error (ExpiredToken) occurred when calling the GenerateCredentialReport operation: The security token included in the request is expired
 ```
-To fix it, please renew your token by authenticating again to the AWS API.
+To fix it, please renew your token by authenticating again to the AWS API, see next section below if you use MFA.
+
+### Run Prowler with MFA protected credentials
+
+To run Prowler using a profile that requires MFA you just need to get the session token before hand. Just make sure you use this command:
+
+```
+aws --profile sts get-session-token --duration 129600 --serial-number --token-code --output text
+ ```
+Once you get your token you can export it as environment variable:
+```
+export AWS_PROFILE=YOUR_AWS_PROFILE
+export AWS_SESSION_TOKEN=YOUR_NEW_TOKEN
+AWS_SECRET_ACCESS_KEY=YOUR_SECRET
+export AWS_ACCESS_KEY_ID=YOUR_KEY
+```
+or set manually up your `~/.aws/credentials` file properly.
+
+There are some helpfull tools to save time in this process like [aws-mfa-script](https://github.com/asagage/aws-mfa-script) or [aws-cli-mfa](https://github.com/sweharris/aws-cli-mfa).
 ### Custom IAM Policy