ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix extra764 - handle us-east-1 & check validity of policy @nimrodkor

Browse Source 
Fix extra764 - handle us-east-1 & check validity of policy
This commit is contained in:
Toni de la Fuente
2020-06-05 10:48:28 +02:00
committed by GitHub
parent 99d1de8c15 4dae0718c1
commit 94378726bc
1 changed files with 16 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
checks/check_extra764
View File

@@ -23,6 +23,12 @@ extra764(){
for bucket in $LIST_OF_BUCKETS;do for bucket in $LIST_OF_BUCKETS;do
TEMP_STP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX) TEMP_STP_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text) BUCKET_LOCATION=$($AWSCLI s3api get-bucket-location $PROFILE_OPT --region $REGION --bucket $bucket --output text)
if [[ "None" == $BUCKET_LOCATION ]]; then
BUCKET_LOCATION="us-east-1"
fi
if [[ "EU" == $BUCKET_LOCATION ]]; then
BUCKET_LOCATION="eu-west-1"
fi
# get bucket policy # get bucket policy
$AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy --region $BUCKET_LOCATION > $TEMP_STP_POLICY_FILE 2>&1 $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy --region $BUCKET_LOCATION > $TEMP_STP_POLICY_FILE 2>&1
if [[ $(grep AccessDenied $TEMP_STP_POLICY_FILE) ]]; then if [[ $(grep AccessDenied $TEMP_STP_POLICY_FILE) ]]; then
@@ -37,11 +43,17 @@ extra764(){
fi fi
# https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/ # https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:${AWS_PARTITION}:s3:::${bucket}" '.Statement[]|select((((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Action=="s3:*" and (.Resource|type == "array") and (.Resource|map({(.):0})[]|has($arn)) and (.Resource|map({(.):0})[]|has($arn+"/*")) and .Condition.Bool."aws:SecureTransport" == "false")') # checking if $TEMP_STP_POLICY_FILE is a valid json before converting it to json with jq
if [[ $CHECK_BUCKET_STP_POLICY_PRESENT ]]; then policy_str=$(cat "$TEMP_STP_POLICY_FILE")
textPass "Bucket $bucket has S3 bucket policy to deny requests over insecure transport" if jq -e . >/dev/null 2>&1 <<< "$policy_str"; then
CHECK_BUCKET_STP_POLICY_PRESENT=$(cat $TEMP_STP_POLICY_FILE | jq --arg arn "arn:${AWS_PARTITION}:s3:::${bucket}" '.Statement[]|select((((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*")) and .Action=="s3:*" and (.Resource|type == "array") and (.Resource|map({(.):0})[]|has($arn)) and (.Resource|map({(.):0})[]|has($arn+"/*")) and .Condition.Bool."aws:SecureTransport" == "false")')
if [[ $CHECK_BUCKET_STP_POLICY_PRESENT ]]; then
textPass "Bucket $bucket has S3 bucket policy to deny requests over insecure transport"
else
textFail "Bucket $bucket allows requests over insecure transport"
fi
else else
textFail "Bucket $bucket allows requests over insecure transport" textInfo "Unknown Error occurred: $policy_str"
fi fi
rm -fr $TEMP_STP_POLICY_FILE rm -fr $TEMP_STP_POLICY_FILE
done done