mirror of
https://github.com/ghndrx/prowler.git
synced 2026-02-10 14:55:00 +00:00
Fixed issue with govcloud on extra764 #536
This commit is contained in:
Toni de la Fuente
@@ -18,13 +18,13 @@ CHECK_ASFF_RESOURCE_TYPE_extra764="AwsS3Bucket"
|
||||
CHECK_ALTERNATE_check764="extra764"
|
||||
|
||||
extra764(){
|
||||
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
|
||||
LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text --region $REGION|xargs -n1)
|
||||
if [[ $LIST_OF_BUCKETS ]]; then
|
||||
for bucket in $LIST_OF_BUCKETS;do
|
||||
TEMP_STP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
|
||||
|
||||
# get bucket policy
|
||||
$AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_STP_POLICY_FILE 2>&1
|
||||
$AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy --region $REGION > $TEMP_STP_POLICY_FILE 2>&1
|
||||
if [[ $(grep AccessDenied $TEMP_STP_POLICY_FILE) ]]; then
|
||||
textFail "Access Denied Trying to Get Bucket Policy for $bucket"
|
||||
rm -f $TEMP_STP_POLICY_FILE
|
||||
@@ -37,7 +37,7 @@ extra764(){
|
||||
fi
|
||||
|
||||
# https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
|
||||
CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}" '.Statement[]|select((((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Action=="s3:*" and (.Resource|type == "array") and (.Resource|map({(.):0})[]|has($arn)) and (.Resource|map({(.):0})[]|has($arn+"/*")) and .Condition.Bool."aws:SecureTransport" == "false")')
|
||||
CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:$AWS_PARTITION:s3:::${bucket}"'.Statement[]|select((((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Action=="s3:*" and (.Resource|type == "array") and (.Resource|map({(.):0})[]|has($arn)) and (.Resource|map({(.):0})[]|has($arn+"/*")) and .Condition.Bool."aws:SecureTransport" == "true")')
|
||||
if [[ $CHECK_BUCKET_STP_POLICY_PRESENT ]]; then
|
||||
textPass "Bucket $bucket has S3 bucket policy to deny requests over insecure transport"
|
||||
else
|
||||
|
||||
@@ -25,6 +25,7 @@ fi
|
||||
|
||||
CALLER_ARN=$($AWSCLI sts get-caller-identity --output text $PROFILE_OPT --region $REGION --query "Arn")
|
||||
USER_ID=$($AWSCLI sts get-caller-identity --output text $PROFILE_OPT --region $REGION --query "UserId")
|
||||
AWS_PARTITION=$(echo $CALLER_ARN| cut -d: -f2)
|
||||
|
||||
if [[ $ACCOUNT_TO_ASSUME ]]; then
|
||||
ACCOUNT_NUM=$ACCOUNT_TO_ASSUME
|
||||
|
||||
Reference in New Issue
Block a user