From f411223fa848dbee3c112871dfda33b39a354d7d Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 19 Mar 2018 10:55:35 -0400
Subject: [PATCH 1/9] added extra723 and clean up
---
 README.md | 4 ++--
 prowler | 52 ++++++++++++++++++++++++++++++++++++++++++----------
 2 files changed, 44 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index f33dad90..8f301b57 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ It covers hardening and security best practices for all AWS regions related to:
 - Logging (8 checks)
 - Monitoring (15 checks)
 - Networking (5 checks)
-- Extras (22 checks) *see Extras section*
+- Extras (23 checks) *see Extras section*
 - Forensics related group of checks
 For a comprehesive list and resolution look at the guide on the link above.
@@ -354,7 +354,7 @@ At this moment we have 22 extra checks:
 - 7.20 (`extra720`) Check if Lambda functions are being recorded by CloudTrail (Not Scored) (Not part of CIS benchmark)
 - 7.21 (`extra721`) Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)
 - 7.22 (`extra722`) Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)
-
+- 7.23 (`extra723`) Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)
 To check all extras in one command:
 ```
diff --git a/prowler b/prowler
index fffc0d8c..a29a89ec 100755
--- a/prowler
+++ b/prowler
@@ -9,7 +9,7 @@
 # International Public License. The link to the license terms can be found at
 # https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
 #
-# Author: Toni de la Fuente - @ToniBlyx / Alfresco Software Inc.
+# Author: Toni de la Fuente - @ToniBlyx - https://blyx.com/contact
 # Prowler - Iron Maiden
 #
@@ -19,13 +19,6 @@
 # All there legs and lashes
 # I've just got to find my way...
-# Exit if a pipeline results in an error.
-# set -ue
-# set -o pipefail
-# set -vx
-# Exits if any error is found
-# set -e
-
 OPTRED=""
 OPTNORMAL=""
@@ -521,6 +514,8 @@ ID721="7.21,7.21"
 TITLE721="Check if Redshift cluster has audit logging enabled (Not Scored) (Not part of CIS benchmark)"
 ID722="7.22,7.22"
 TITLE722="Check if API Gateway has logging enabled (Not Scored) (Not part of CIS benchmark)"
+ID723="7.23,7.23"
+TITLE723="Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
 printCsvHeader() {
 >&2 echo ""
@@ -2152,6 +2147,41 @@ extra722(){
 done
 }
+extra723(){
+ # "Check if RDS Snapshots are public (Not Scored) (Not part of CIS benchmark)"
+ textTitle "$ID723" "$TITLE723" "NOT_SCORED" "EXTRA"
+ for regx in $REGIONS; do
+ # RDS snapshots
+ LIST_OF_RDS_SNAPSHOTS=$($AWSCLI rds describe-db-snapshots $PROFILE_OPT --region $regx --query DBSnapshots[*].DBSnapshotIdentifier --output text)
+ if [[ $LIST_OF_RDS_SNAPSHOTS ]]; then
+ for rdssnapshot in $LIST_OF_RDS_SNAPSHOTS;do
+ SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-snapshot-attributes $PROFILE_OPT --region $regx --db-snapshot-identifier $rdssnapshot --query DBSnapshotAttributesResult.DBSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
+ if [[ $SNAPSHOT_IS_PUBLIC ]];then
+ textWarn "$regx: RDS Snapshot $rdssnapshot is public!" "$regx"
+ else
+ textOK "$regx: RDS Snapshot $rdssnapshot is not shared" "$regx"
+ fi
+ done
+ else
+ textNotice "$regx: No RDS Snapshots found" "$regx"
+ fi
+ # RDS cluster snapshots
+ LIST_OF_RDS_CLUSTER_SNAPSHOTS=$($AWSCLI rds describe-db-cluster-snapshots $PROFILE_OPT --region $regx --query DBClusterSnapshots[*].DBClusterSnapshotIdentifier --output text)
+ if [[ $LIST_OF_RDS_CLUSTER_SNAPSHOTS ]]; then
+ for rdsclustersnapshot in $LIST_OF_RDS_CLUSTER_SNAPSHOTS;do
+ CLUSTER_SNAPSHOT_IS_PUBLIC=$($AWSCLI rds describe-db-cluster-snapshot-attributes $PROFILE_OPT --region $regx --db-cluster-snapshot-identifier $rdsclustersnapshot --query DBClusterSnapshotAttributesResult.DBClusterSnapshotAttributes[*] --output text|grep ^ATTRIBUTEVALUES|cut -f2|grep all)
+ if [[ $CLUSTER_SNAPSHOT_IS_PUBLIC ]];then
+ textWarn "$regx: RDS Cluster Snapshot $rdsclustersnapshot is public!" "$regx"
+ else
+ textOK "$regx: RDS Cluster Snapshot $rdsclustersnapshot is not shared" "$regx"
+ fi
+ done
+ else
+ textNotice "$regx: No RDS Cluster Snapshots found" "$regx"
+ fi
+ done
+}
+
 callCheck(){
 if [[ $CHECKNUMBER ]];then
 case "$CHECKNUMBER" in
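Review bot: The `cut -f2|grep all` test on the SNAPSHOT_IS_PUBLIC and CLUSTER_SNAPSHOT_IS_PUBLIC lines keeps only the first value after ATTRIBUTEVALUES and matches `all` as a substring, so a snapshot whose restore attribute lists account IDs ahead of `all` may be reported as not public (the column layout of `--output text` for that list should be confirmed against the CLI before relying on the `cut`). Matching the whole attribute line with a word match, `... --output text|grep ^ATTRIBUTEVALUES|grep -w all`, is the tighter test. The `else` branch prints `is not shared`, but nothing in the check distinguishes a snapshot shared with specific accounts from one shared with nobody, so `is not public` is the accurate wording. The unquoted `--query DBSnapshots[*].DBSnapshotIdentifier` and `DBClusterSnapshots[*].DBClusterSnapshotIdentifier` arguments are subject to glob expansion if a matching path exists in the working directory; quoting them as check33 does with `'trailList[*].CloudWatchLogsLogGroupArn'` avoids that.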
@@ -2229,7 +2259,7 @@ callCheck(){
 extra720 ) extra720;;
 extra721 ) extra721;;
 extra722 ) extra722;;
-
+ extra723 ) extra723;;
 ## Groups of Checks
 check1 )
@@ -2267,7 +2297,7 @@ callCheck(){
 extras )
 extra71;extra72;extra73;extra74;extra75;extra76;extra77;extra78;
 extra79;extra710;extra711;extra712;extra713;extra714;extra715;extra716;
-extra717;extra718;extra719;extra720;extra721;extra722
+extra717;extra718;extra719;extra720;extra721;extra722;extra723
 ;;
 forensics-ready )
 check21;check22;check23;check24;check25;check26;check27;
@@ -2366,6 +2396,7 @@ if [[ $PRINTCHECKSONLY == "1" ]]; then
 textTitle "$ID720" "$TITLE720" "NOT_SCORED" "EXTRA"
 textTitle "$ID721" "$TITLE721" "NOT_SCORED" "EXTRA"
 textTitle "$ID722" "$TITLE722" "NOT_SCORED" "EXTRA"
+ textTitle "$ID723" "$TITLE723" "NOT_SCORED" "EXTRA"
 exit $EXITCODE
 fi
@@ -2465,6 +2496,7 @@ if [[ ! $EXTRAS ]]; then
 extra720
 extra721
 extra722
+ extra723
 fi
 cleanTemp
From a67071662579a9f100e59bc1b69b35a6adb95967 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 19 Mar 2018 11:10:10 -0400
Subject: [PATCH 2/9] preparing new structure
---
 Dockerfile => util/Dockerfile | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename Dockerfile => util/Dockerfile (100%)
diff --git a/Dockerfile b/util/Dockerfile
similarity index 100%
rename from Dockerfile
rename to util/Dockerfile
From 0e43a05d167d2bc569db08e668a6bf27fc82e90d Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 19 Mar 2018 11:11:45 -0400
Subject: [PATCH 3/9] fix issue #184
---
 prowler | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/prowler b/prowler
index a29a89ec..c7cc6c30 100755
--- a/prowler
+++ b/prowler
@@ -1249,7 +1249,7 @@ check33(){
 CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $4 }')
 METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent')
 if [[ $METRICFILTER_SET ]];then
- HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | awk 'BEGIN {IGNORECASE=1}; /userIdentity/ || /Root/ || /AwsServiceEvent/;')
+ HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | tr '[:upper:]' '[:lower:]'| grep -Ei 'userIdentity|Root|AwsServiceEvent')
 if [[ $HAS_ALARM_ASSOCIATED ]];then
 textOK "CloudWatch group $group found with metric filters and alarms set for usage of root account"
 else
From 01a88e6c89828c45e763f10b2caea154503db90f Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 19 Mar 2018 11:23:13 -0400
Subject: [PATCH 4/9] move prowler-policy to iam folder
---
 README.md | 2 +-
 .../prowler-policy-additions.json | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename prowler-policy-additions.json => iam/prowler-policy-additions.json (100%)
diff --git a/README.md b/README.md
index 8f301b57..bae51fb5 100644
--- a/README.md
+++ b/README.md
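Review bot: The new HAS_ALARM_ASSOCIATED line passes `--region CLOUDWATCH_LOGGROUP_REGION` with the `$` dropped, so describe-alarms is sent a literal region name and the alarm test can never succeed; it should read `--region $CLOUDWATCH_LOGGROUP_REGION` (patch 6/9 in this series restores it). The same line lower-cases the output with `tr '[:upper:]' '[:lower:]'` and then matches with `grep -Ei`, so one of the two is redundant; `... --output text | grep -Ei 'userIdentity|Root|AwsServiceEvent'` alone keeps the intent readable, and that redundancy survives the patch 6/9 hunk as well. Because the pattern matches `root` as a substring of any metric name, an unrelated alarm can satisfy the check; anchoring on the metric names the METRICFILTER_SET filter expects would be more precise. check33's body continues outside the hunk.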
@@ -314,7 +314,7 @@ Quick bash script to set up a "prowler" IAM user and "SecurityAudit" group with
 export AWS_DEFAULT_PROFILE=default
 export ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' | tr -d '"')
 aws iam create-group --group-name SecurityAudit
-aws iam create-policy --policy-name ProwlerAuditAdditions --policy-document file://$(pwd)/prowler-policy-additions.json
+aws iam create-policy --policy-name ProwlerAuditAdditions --policy-document file://$(pwd)/iam/prowler-policy-additions.json
 aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::aws:policy/SecurityAudit
 aws iam attach-group-policy --group-name SecurityAudit --policy-arn arn:aws:iam::${ACCOUNT_ID}:policy/ProwlerAuditAdditions
 aws iam create-user --user-name prowler
diff --git a/prowler-policy-additions.json b/iam/prowler-policy-additions.json
similarity index 100%
rename from prowler-policy-additions.json
rename to iam/prowler-policy-additions.json
From 68d12ae72fcd4c89d9fe47105129298e58d213b8 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Mon, 19 Mar 2018 12:24:59 -0400
Subject: [PATCH 5/9] fix issue #193
---
 prowler | 73 ++++++++++++++++++++++++++++++---------------------------
 1 file changed, 39 insertions(+), 34 deletions(-)
diff --git a/prowler b/prowler
index c7cc6c30..0611d079 100755
--- a/prowler
+++ b/prowler
@@ -1693,44 +1693,49 @@ extra72(){
 }
 extra73(){
- # "Ensure there are no S3 buckets open to the Everyone or Any AWS user (Not Scored) (Not part of CIS benchmark)"
 textTitle "$ID73" "$TITLE73" "NOT_SCORED" "EXTRA"
 textNotice "Looking for open S3 Buckets (ACLs and Policies) in all regions... "
- ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text)
+ ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' --profile $PROFILE --region $REGION --output text)
 for bucket in $ALL_BUCKETS_LIST; do
- BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket $PROFILE_OPT --region $REGION --output text)
- if [[ "None" == $BUCKET_LOCATION ]]; then
- BUCKET_LOCATION="us-east-1"
- fi
- if [[ "EU" == $BUCKET_LOCATION ]]; then
- BUCKET_LOCATION="eu-west-1"
- fi
- # check if AllUsers is in the ACL as Grantee
- CHECK_BUCKET_ALLUSERS_ACL=$($AWSCLI s3api get-bucket-acl $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AllUsers']" --output text |grep -v GRANTEE)
- CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_ALLUSERS_ACL)
- # check if AuthenticatedUsers is in the ACL as Grantee, they will have access with sigened URL only
- CHECK_BUCKET_AUTHUSERS_ACL=$($AWSCLI s3api get-bucket-acl $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers']" --output text |grep -v GRANTEE)
- CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_AUTHUSERS_ACL)
- # to prevent error NoSuchBucketPolicy first clean the output controlling stderr
- TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
- $AWSCLI s3api get-bucket-policy $PROFILE_OPT --region $BUCKET_LOCATION --bucket $bucket --output text --query Policy > $TEMP_POLICY_FILE 2> /dev/null
- # check if the S3 policy has Principal as *
- CHECK_BUCKET_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | sed -e 's/[{}]/''/g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}'|awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep ^\"Principal|grep \*)
- if [[ $CHECK_BUCKET_ALLUSERS_ACL || $CHECK_BUCKET_AUTHUSERS_ACL || $CHECK_BUCKET_ALLUSERS_POLICY ]];then
- if [[ $CHECK_BUCKET_ALLUSERS_ACL ]];then
- textWarn "$BUCKET_LOCATION: $bucket bucket is open to the Internet (Everyone) with permissions: $CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE" "$regx"
- fi
- if [[ $CHECK_BUCKET_AUTHUSERS_ACL ]];then
- textWarn "$BUCKET_LOCATION: $bucket bucket is open to Authenticated users (Any AWS user) with permissions: $CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE" "$regx"
- fi
- if [[ $CHECK_BUCKET_ALLUSERS_POLICY ]];then
- textWarn "$BUCKET_LOCATION: $bucket bucket policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
- fi
- else
- textOK "$BUCKET_LOCATION: $bucket bucket is not open" "$regx"
- fi
- rm -fr $TEMP_POLICY_FILE
+ extra73Thread $bucket &
 done
+ wait
+}
+
+extra73Thread(){
+ bucket=$1
+ BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location --bucket $bucket --profile $PROFILE --region $REGION --output text)
+ if [[ "None" == $BUCKET_LOCATION ]]; then
+ BUCKET_LOCATION="us-east-1"
+ fi
+ if [[ "EU" == $BUCKET_LOCATION ]]; then
+ BUCKET_LOCATION="eu-west-1"
+ fi
+ # check if AllUsers is in the ACL as Grantee
+ CHECK_BUCKET_ALLUSERS_ACL=$($AWSCLI s3api get-bucket-acl --profile $PROFILE --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AllUsers']" --output text |grep -v GRANTEE)
+ CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_ALLUSERS_ACL)
+ # check if AuthenticatedUsers is in the ACL as Grantee, they will have access with sigened URL only
+ CHECK_BUCKET_AUTHUSERS_ACL=$($AWSCLI s3api get-bucket-acl --profile $PROFILE --region $BUCKET_LOCATION --bucket $bucket --query "Grants[?Grantee.URI == 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers']" --output text |grep -v GRANTEE)
+ CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE=$(echo -ne $CHECK_BUCKET_AUTHUSERS_ACL)
+ # to prevent error NoSuchBucketPolicy first clean the output controlling stderr
+ TEMP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
+ $AWSCLI s3api get-bucket-policy --profile $PROFILE --region $BUCKET_LOCATION --bucket $bucket --output text --query Policy > $TEMP_POLICY_FILE 2> /dev/null
+ # check if the S3 policy has Principal as *
+ CHECK_BUCKET_ALLUSERS_POLICY=$(cat $TEMP_POLICY_FILE | sed -e 's/[{}]/''/g' | awk -v k="text" '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}'|awk '/Principal/ && !skip { print } { skip = /Deny/} '|grep ^\"Principal|grep \*)
+ if [[ $CHECK_BUCKET_ALLUSERS_ACL || $CHECK_BUCKET_AUTHUSERS_ACL || $CHECK_BUCKET_ALLUSERS_POLICY ]];then
+ if [[ $CHECK_BUCKET_ALLUSERS_ACL ]];then
+ textWarn "$BUCKET_LOCATION: $bucket bucket is open to the Internet (Everyone) with permissions: $CHECK_BUCKET_ALLUSERS_ACL_SINGLE_LINE" "$regx"
+ fi
+ if [[ $CHECK_BUCKET_AUTHUSERS_ACL ]];then
+ textWarn "$BUCKET_LOCATION: $bucket bucket is open to Authenticated users (Any AWS user) with permissions: $CHECK_BUCKET_AUTHUSERS_ACL_SINGLE_LINE" "$regx"
+ fi
+ if [[ $CHECK_BUCKET_ALLUSERS_POLICY ]];then
+ textWarn "$BUCKET_LOCATION: $bucket bucket policy \"may\" allow Anonymous users to perform actions (Principal: \"*\")" "$regx"
+ fi
+ else
+ textOK "$BUCKET_LOCATION: $bucket bucket is not open" "$regx"
+ fi
+ rm -fr $TEMP_POLICY_FILE
 }
 extra74(){
From 2172f60a1836baade4fcfb4560d45f90f6e8e76f Mon Sep 17 00:00:00 2001
From: Maximilian Bode
Date: Tue, 20 Mar 2018 16:46:57 +0100
Subject: [PATCH 6/9] Reintroduce lost $-sign in check 3.3
---
 prowler | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/prowler b/prowler
index 0611d079..3f2d558d 100755
--- a/prowler
+++ b/prowler
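Review bot: Replacing `$PROFILE_OPT` with `--profile $PROFILE` on the ALL_BUCKETS_LIST line and throughout extra73Thread breaks the credential paths where PROFILE_OPT is deliberately empty: the selection block shown in patch 7/9 (both its removed and its added lines) sets `PROFILE="ENV"` with `PROFILE_OPT=""` for environment credentials, and `--profile ENV` names no configured profile, so this check fails for exactly those users while every other check on this page still uses `$PROFILE_OPT`. Keeping `$PROFILE_OPT` here, e.g. `ALL_BUCKETS_LIST=$($AWSCLI s3api list-buckets --query 'Buckets[*].{Name:Name}' $PROFILE_OPT --region $REGION --output text)`, restores that behaviour. Launching `extra73Thread $bucket &` once per bucket before a single `wait` is unbounded, so an account with many buckets issues four API calls per bucket concurrently and the textWarn/textOK lines of different buckets can interleave; a bounded fan-out (a `wait` every N jobs) keeps both output and API usage predictable. `$regx` is never assigned in extra73 or extra73Thread, so the region argument handed to textWarn/textOK is whatever an earlier check left in that global — pre-existing, but the rewrite was the moment to pass `"$BUCKET_LOCATION"` instead.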
@@ -1249,7 +1249,7 @@ check33(){
 CLOUDWATCH_LOGGROUP_REGION=$($AWSCLI cloudtrail describe-trails $PROFILE_OPT --region $REGION --query 'trailList[*].CloudWatchLogsLogGroupArn' --output text | awk -F: '{ print $4 }')
 METRICFILTER_SET=$($AWSCLI logs describe-metric-filters --log-group-name $group $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION |grep -E 'userIdentity.*Root.*AwsServiceEvent')
 if [[ $METRICFILTER_SET ]];then
- HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | tr '[:upper:]' '[:lower:]'| grep -Ei 'userIdentity|Root|AwsServiceEvent')
+ HAS_ALARM_ASSOCIATED=$($AWSCLI cloudwatch describe-alarms $PROFILE_OPT --region $CLOUDWATCH_LOGGROUP_REGION --query 'MetricAlarms[].MetricName' --output text | tr '[:upper:]' '[:lower:]'| grep -Ei 'userIdentity|Root|AwsServiceEvent')
 if [[ $HAS_ALARM_ASSOCIATED ]];then
 textOK "CloudWatch group $group found with metric filters and alarms set for usage of root account"
 else
From d8687bfab0bb1ab270c23b68eaac7d917ad52246 Mon Sep 17 00:00:00 2001
From: Alex Romanov
Date: Mon, 16 Apr 2018 17:58:39 +0000
Subject: [PATCH 7/9] Fixes #200
---
 prowler | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/prowler b/prowler
index 3f2d558d..ada565ed 100755
--- a/prowler
+++ b/prowler
@@ -249,23 +249,21 @@ fi
 # check environment variables and if not, it checks and loads credentials from
 # instance profile (metadata server) if runs in an EC2 instance
+INSTANCE_PROFILE=$(curl -s -m 1 http://169.254.169.254/latest/meta-data/iam/security-credentials/)
+
 if [[ $PROFILE ]]; then
 PROFILE_OPT="--profile $PROFILE"
-else
- # if Prowler runs insinde an AWS instance with IAM instance profile attached
- INSTANCE_PROFILE=$(curl -s -m 1 http://169.254.169.254/latest/meta-data/iam/security-credentials/)
- if [[ $INSTANCE_PROFILE ]]; then
+elif [[ $AWS_ACCESS_KEY_ID && $AWS_SECRET_ACCESS_KEY || $AWS_SESSION_TOKEN ]];then
+ PROFILE="ENV"
+ PROFILE_OPT=""
+elif [[ $INSTANCE_PROFILE ]];then
+ PROFILE="INSTANCE-PROFILE"
 AWS_ACCESS_KEY_ID=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g')
 AWS_SECRET_ACCESS_KEY_ID=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
 AWS_SESSION_TOKEN=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} grep Token| cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
- fi
- if [[ $AWS_ACCESS_KEY_ID && $AWS_SECRET_ACCESS_KEY || $AWS_SESSION_TOKEN ]];then
- PROFILE="ENV"
- PROFILE_OPT=""
- else
+else
 PROFILE="default"
 PROFILE_OPT="--profile $PROFILE"
- fi
 fi
 # AWS-CLI variables
From 2f166e2ba3b6b32c3a7beccb684de55ad1e1c418 Mon Sep 17 00:00:00 2001
From: Jason Chen
Date: Thu, 19 Apr 2018 14:00:28 +0800
Subject: [PATCH 8/9] prowler: Set default region by aws config, fall back to us-east-1
---
 prowler | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/prowler b/prowler
index ada565ed..c0ccb372 100755
--- a/prowler
+++ b/prowler
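Review bot: The new `elif [[ $AWS_ACCESS_KEY_ID && $AWS_SECRET_ACCESS_KEY || $AWS_SESSION_TOKEN ]]` groups as `(A && B) || C`, so a leftover AWS_SESSION_TOKEN with no key pair in the environment selects the ENV path and the CLI fails later with an unrelated error; a session token is only usable together with a key pair, so `elif [[ $AWS_ACCESS_KEY_ID && $AWS_SECRET_ACCESS_KEY ]];then` expresses the intent (this condition was carried over from the removed lines, but the reorder now makes it the second branch tried). The INSTANCE_PROFILE probe on the added line now runs unconditionally, so even a `-p` run on a non-EC2 host waits for the `-m 1` timeout before doing anything; moving the curl into the `elif [[ $INSTANCE_PROFILE ]]` branch, or guarding it with `[[ -z $PROFILE ]]`, avoids that. The unchanged credential lines that this reorder makes reachable assign `AWS_SECRET_ACCESS_KEY_ID` — not the `AWS_SECRET_ACCESS_KEY` name the elif itself tests — without exporting any of the three, and the AWS_SESSION_TOKEN line is missing the `|` before `grep Token`, so that branch cannot produce working credentials as written. The check for a non-empty probe result treats any response body as a profile name, which patch 9/9 in this series narrows for the 404 case.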
@@ -23,7 +23,7 @@ OPTRED=""
 OPTNORMAL=""
 # Set the defaults for these getopts variables
-REGION="us-east-1"
+REGION=""
 FILTERREGION=""
 MAXITEMS=100
 MONOCHROME=0
@@ -76,7 +76,7 @@ while getopts ":hlkp:r:c:f:m:M:en" OPTION; do
 PROFILE=$OPTARG
 ;;
 r )
-REGION=$OPTARG
+REGION_OPT=$OPTARG
 ;;
 c )
 CHECKNUMBER=$OPTARG
@@ -274,6 +274,16 @@ if [ -z "${AWSCLI}" ]; then
 exit $EXITCODE
 fi
+# Set default region by aws config, fall back to us-east-1
+REGION_CONFIG=$(aws configure get region)
+if [[ $REGION_OPT ]]; then
+ REGION="$REGION_OPT"
+elif [[ $REGION_CONFIG ]]; then
+ REGION="$REGION_CONFIG"
+else
+ REGION="us-east-1"
+fi
+
 TITLE_ID=""
 TITLE_TEXT="CALLER ERROR - UNSET TITLE"
 ## Output formatting functions
@@ -1697,7 +1707,7 @@ extra73(){
 for bucket in $ALL_BUCKETS_LIST; do
 extra73Thread $bucket &
 done
- wait
+ wait
 }
 extra73Thread(){
From 775d28f9c4f2e231be328ec9d63a0f6aba56ac33 Mon Sep 17 00:00:00 2001
From: Jason Chen
Date: Thu, 19 Apr 2018 14:02:54 +0800
Subject: [PATCH 9/9] prowler: fix IAM role detection and curl error
Related to https://github.com/toniblyx/prowler/pull/200
If the ec2 instance is not attached to an IAM role, the `curl -s -m 1 http://169.254.169.254/latest/meta-data/iam/security-credentials` will return a 404 page instead of null, INSTANCE_PROFILE will always be true and result to curl error when trying to use default cli profile:
curl: option -: is unknown
curl: try 'curl --help' or 'curl --manual' for more information
---
 prowler | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/prowler b/prowler
index c0ccb372..51b32d8c 100755
--- a/prowler
+++ b/prowler
@@ -250,6 +250,9 @@ fi
 # instance profile (metadata server) if runs in an EC2 instance
 INSTANCE_PROFILE=$(curl -s -m 1 http://169.254.169.254/latest/meta-data/iam/security-credentials/)
+if echo "$INSTANCE_PROFILE" | grep -q '404 - Not Found'; then
+ INSTANCE_PROFILE=
+fi
 if [[ $PROFILE ]]; then
 PROFILE_OPT="--profile $PROFILE"
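Review bot: In the `@@ -274,6 +274,16 @@` hunk, `REGION_CONFIG=$(aws configure get region)` calls `aws` directly instead of `$AWSCLI`, which the context lines immediately above require to be set (`if [ -z "${AWSCLI}" ]; then ... exit $EXITCODE`), and it omits `$PROFILE_OPT`, so when `-p` selects a profile with its own region the default profile's region wins. `REGION_CONFIG=$($AWSCLI configure get region $PROFILE_OPT)` keeps the lookup consistent with every other CLI call in the file; the credential block that sets PROFILE_OPT runs before this point, so the variable is available here. Since REGION_OPT is assigned only in the `r )` case of the getopts loop (second hunk), `if [[ $REGION_OPT ]]` relies on it being unset otherwise, which works but deserves a `REGION_OPT=""` next to the new `REGION=""` default in the first hunk so the script survives a future `set -u`.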