Added new check extra7141 to detect secrets in SSM Documents

2026-02-10 06:45:08 +00:00 · 2021-05-18 18:28:15 +02:00
parent 1655bdb902
commit 78e5dc5dba
3 changed files with 57 additions and 7 deletions
--- a/checks/check_extra7141
+++ b/checks/check_extra7141
@@ -0,0 +1,55 @@
 #!/usr/bin/env bash
 # Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente
 #
 # Licensed under the Apache License, Version 2.0 (the "License"); you may not
 # use this file except in compliance with the License. You may obtain a copy
 # of the License at http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software distributed
 # under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 # CONDITIONS OF ANY KIND, either express or implied. See the License for the
 # specific language governing permissions and limitations under the License.
 CHECK_ID_extra7141="7.7141"
 CHECK_TITLE_extra7141="[extra7141] Find secrets in SSM Documents"
 CHECK_SCORED_extra7141="NOT_SCORED"
 CHECK_TYPE_extra7141="EXTRA"
 CHECK_SEVERITY_extra7141="Critical"
 CHECK_ASFF_RESOURCE_TYPE_extra7141="AwsSsmDocument"
 CHECK_ALTERNATE_check7141="extra7141"
 CHECK_SERVICENAME_extra7141="ssm"
 CHECK_RISK_extra7141='Secrets hardcoded into SSM Documents by malware and bad actors to gain lateral access to other services.'
 CHECK_REMEDIATION_extra7141='Implement automated detective control (e.g. using tools like Prowler) to scan accounts for passwords and secrets. Use Secrets Manager service to store and retrieve passwords and secrets.'
 CHECK_DOC_extra7141='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html'
 CHECK_CAF_EPIC_extra7141='IAM'
 extra7141(){
  SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
  if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
    # this folder is deleted once this check is finished
    mkdir $SECRETS_TEMP_FOLDER
  fi
  for regx in $REGIONS; do
    SSM_DOCS=$($AWSCLI $PROFILE_OPT --region $regx ssm list-documents --filters Key=Owner,Values=Self --query DocumentIdentifiers[].Name --output text) 
    if [[ $SSM_DOCS ]];then
      for ssmdoc in $SSM_DOCS; do 
        SSM_DOC_FILE="$SECRETS_TEMP_FOLDER/extra7141-$ssmdoc-$regx-content.txt"
        $AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE
        FINDINGS=$(secretsDetector file $SSM_DOC_FILE)
        if [[ $FINDINGS -eq 0 ]]; then
          textPass "$regx: No secrets found in SSM Document $ssmdoc" "$regx" "$ssmdoc"
          # delete file if nothing interesting is there
          rm -f $SSM_DOC_FILE
        else
          textFail "$regx: Potential secret found SSM Document $ssmdoc" "$regx" "$ssmdoc"
          # delete file to not leave trace, user must look at the CFN Stack
          rm -f $SSM_DOC_FILE
        fi
      done
    else
      textInfo "$regx: No SSM Document found." "$regx"
    fi
  done
  rm -rf $SECRETS_TEMP_FOLDER
 }
--- a/groups/group11_secrets
+++ b/groups/group11_secrets
@@ -15,13 +15,8 @@ GROUP_ID[11]='secrets'
 GROUP_NUMBER[11]='11.0'
 GROUP_TITLE[11]='Look for keys secrets or passwords around resources - [secrets]'
 GROUP_RUN_BY_DEFAULT[11]='N' # but it runs when execute_all is called (default)
-GROUP_CHECKS[11]='extra741,extra742,extra759,extra760,extra768,extra775'
+GROUP_CHECKS[11]='extra741,extra742,extra759,extra760,extra768,extra775,extra7141'
 # requires https://github.com/Yelp/detect-secrets
 # `pip install detect-secrets` 
 # Initially:
 # - EC2 UserData
 # - CloudFormation Outputs
 # - Lambda variables
 # - Lambda code
--- a/groups/group7_extras
+++ b/groups/group7_extras
@@ -15,7 +15,7 @@ GROUP_ID[7]='extras'
 GROUP_NUMBER[7]='7.0'
 GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
 GROUP_RUN_BY_DEFAULT[7]='Y' # run it when execute_all is called
-GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140'
+GROUP_CHECKS[7]='extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra737,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra756,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141'
 # Extras 759 and 760 (lambda variables and code secrets finder are not included)
 # to run detect-secrets use `./prowler -g secrets`