From 9b772a70a1c519157d309d1a18378cad35b5f4cb Mon Sep 17 00:00:00 2001 From: Leonardo Azize Martins Date: Wed, 9 Feb 2022 12:01:01 -0300 Subject: [PATCH] Fix(extra7141): Error handling and include missing policy (#1024) * Fix AccessDenied issue when get document Add check to validate access denied when get document from SSM. Add missing action permission to allow ssm:GetDocument. * Double quote variables to prevent globbing and word splitting
---
 checks/check_extra7141 | 44 ++++++++++---------
 iam/create_role_to_assume_cfn.yaml | 11 ++---
 iam/prowler-additions-policy.json | 11 ++---
 .../codebuild-prowler-audit-account-cfn.yaml | 13 +++---
 util/terraform-kickstarter/main.tf | 11 ++---
 5 files changed, 49 insertions(+), 41 deletions(-)
diff --git a/checks/check_extra7141 b/checks/check_extra7141
index 1768b4fc..0bc54843 100644
--- a/checks/check_extra7141
+++ b/checks/check_extra7141
@@ -24,36 +24,40 @@ CHECK_DOC_extra7141='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGu
 CHECK_CAF_EPIC_extra7141='IAM'
 extra7141(){
- SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
- if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
+ SECRETS_TEMP_FOLDER="${PROWLER_DIR}/secrets-${ACCOUNT_NUM}"
+ if [[ ! -d "${SECRETS_TEMP_FOLDER}" ]]; then
 # this folder is deleted once this check is finished
- mkdir $SECRETS_TEMP_FOLDER
+ mkdir "${SECRETS_TEMP_FOLDER}"
 fi
- for regx in $REGIONS; do
- SSM_DOCS=$($AWSCLI $PROFILE_OPT --region $regx ssm list-documents --filters Key=Owner,Values=Self --query DocumentIdentifiers[].Name --output text 2>&1)
- if [[ $(echo "$SSM_DOCS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
- textInfo "$regx: Access Denied trying to list documents" "$regx"
+ for regx in ${REGIONS}; do
+ SSM_DOCS=$("${AWSCLI}" ${PROFILE_OPT} --region "${regx}" ssm list-documents --filters 'Key=Owner,Values=Self' --query 'DocumentIdentifiers[].Name' --output text 2>&1)
+ if [[ $(echo "${SSM_DOCS}" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+ textInfo "${regx}: Access Denied trying to list documents" "${regx}"
 continue
- fi
- if [[ $SSM_DOCS ]];then
- for ssmdoc in $SSM_DOCS; do
- SSM_DOC_FILE="$SECRETS_TEMP_FOLDER/extra7141-$ssmdoc-$regx-content.txt"
- $AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE
- FINDINGS=$(secretsDetector file $SSM_DOC_FILE)
- if [[ $FINDINGS -eq 0 ]]; then
- textPass "$regx: No secrets found in SSM Document $ssmdoc" "$regx" "$ssmdoc"
+ fi
+ if [[ ${SSM_DOCS} ]];then
+ for ssmdoc in ${SSM_DOCS}; do
+ SSM_DOC_FILE="${SECRETS_TEMP_FOLDER}/extra7141-${ssmdoc}-${regx}-content.txt"
+ "${AWSCLI}" ${PROFILE_OPT} --region "${regx}" ssm get-document --name "${ssmdoc}" --output text --document-format JSON > "${SSM_DOC_FILE}" 2>&1
+ if [[ $(grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' "${SSM_DOC_FILE}") ]]; then
+ textInfo "${regx}: Access Denied trying to get document" "${regx}"
+ continue
+ fi
+ FINDINGS=$(secretsDetector file "${SSM_DOC_FILE}")
+ if [[ "${FINDINGS}" -eq 0 ]]; then
+ textPass "${regx}: No secrets found in SSM Document ${ssmdoc}" "${regx}" "${ssmdoc}"
 # delete file if nothing interesting is there
- rm -f $SSM_DOC_FILE
+ rm -f "${SSM_DOC_FILE}"
 else
- textFail "$regx: Potential secret found SSM Document $ssmdoc" "$regx" "$ssmdoc"
+ textFail "${regx}: Potential secret found SSM Document ${ssmdoc}" "${regx}" "${ssmdoc}"
 # delete file to not leave trace, user must look at the CFN Stack
- rm -f $SSM_DOC_FILE
+ rm -f "${SSM_DOC_FILE}"
 fi
 done
 else
- textInfo "$regx: No SSM Document found." "$regx"
+ textInfo "${regx}: No SSM Document found." "${regx}"
 fi
 done
- rm -rf $SECRETS_TEMP_FOLDER
+ rm -rf "${SECRETS_TEMP_FOLDER}"
 }
diff --git a/iam/create_role_to_assume_cfn.yaml b/iam/create_role_to_assume_cfn.yaml
index 0f1c04ff..ee09ad3b 100644
--- a/iam/create_role_to_assume_cfn.yaml
+++ b/iam/create_role_to_assume_cfn.yaml
@@ -58,14 +58,15 @@ Resources:
 - 'ds:ListAuthorizedApplications'
 - 'ec2:GetEbsEncryptionByDefault'
 - 'ecr:Describe*'
- - 'support:Describe*'
- - 'tag:GetTagKeys'
- - 'lambda:GetFunction'
+ - 'elasticfilesystem:DescribeBackupPolicy'
 - 'glue:GetConnections'
 - 'glue:GetSecurityConfiguration'
 - 'glue:SearchTables'
+ - 'lambda:GetFunction'
 - 's3:GetAccountPublicAccessBlock'
- - 'shield:GetSubscriptionState'
 - 'shield:DescribeProtection'
- - 'elasticfilesystem:DescribeBackupPolicy'
+ - 'shield:GetSubscriptionState'
+ - 'ssm:GetDocument'
+ - 'support:Describe*'
+ - 'tag:GetTagKeys'
 Resource: '*'
diff --git a/iam/prowler-additions-policy.json b/iam/prowler-additions-policy.json
index 454c8078..b2f02eab 100644
--- a/iam/prowler-additions-policy.json
+++ b/iam/prowler-additions-policy.json
@@ -6,16 +6,17 @@
 "ds:ListAuthorizedApplications",
 "ec2:GetEbsEncryptionByDefault",
 "ecr:Describe*",
- "support:Describe*",
- "tag:GetTagKeys",
- "lambda:GetFunction",
+ "elasticfilesystem:DescribeBackupPolicy",
 "glue:GetConnections",
 "glue:GetSecurityConfiguration",
 "glue:SearchTables",
+ "lambda:GetFunction",
 "s3:GetAccountPublicAccessBlock",
- "shield:GetSubscriptionState",
 "shield:DescribeProtection",
- "elasticfilesystem:DescribeBackupPolicy"
+ "shield:GetSubscriptionState",
+ "ssm:GetDocument",
+ "support:Describe*",
+ "tag:GetTagKeys"
 ],
 "Resource": "*",
 "Effect": "Allow",
diff --git a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
index cd89aeff..feea69f9 100644
--- a/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
+++ b/util/codebuild/codebuild-prowler-audit-account-cfn.yaml
@@ -141,7 +141,7 @@ Resources:
 - id: W28
 reason: "Explicit name is required for this resource to avoid circular dependencies."
 Properties:
- RoleName: !Sub 'prowler-codebuild-role'
+ RoleName: 'prowler-codebuild-role'
 Path: '/service-role/'
 ManagedPolicyArns:
 - 'arn:aws:iam::aws:policy/job-function/SupportUser'
@@ -187,16 +187,17 @@ Resources:
 - ds:ListAuthorizedApplications
 - ec2:GetEbsEncryptionByDefault
 - ecr:Describe*
- - support:Describe*
- - tag:GetTagKeys
- - lambda:GetFunction
+ - elasticfilesystem:DescribeBackupPolicy
 - glue:GetConnections
 - glue:GetSecurityConfiguration
 - glue:SearchTables
+ - lambda:GetFunction
 - s3:GetAccountPublicAccessBlock
- - shield:GetSubscriptionState
 - shield:DescribeProtection
- - elasticfilesystem:DescribeBackupPolicy
+ - shield:GetSubscriptionState
+ - ssm:GetDocument
+ - support:Describe*
+ - tag:GetTagKeys
 Effect: Allow
 Resource: '*'
 - PolicyName: CodeBuild
diff --git a/util/terraform-kickstarter/main.tf b/util/terraform-kickstarter/main.tf
index a6e53f47..c63fe911 100644
--- a/util/terraform-kickstarter/main.tf
+++ b/util/terraform-kickstarter/main.tf
@@ -314,16 +314,17 @@ resource "aws_iam_policy" "prowler_kickstarter_iam_policy" {
 "ds:ListAuthorizedApplications",
 "ec2:GetEbsEncryptionByDefault",
 "ecr:Describe*",
- "support:Describe*",
- "tag:GetTagKeys",
- "lambda:GetFunction",
+ "elasticfilesystem:DescribeBackupPolicy",
 "glue:GetConnections",
 "glue:GetSecurityConfiguration",
 "glue:SearchTables",
+ "lambda:GetFunction",
 "s3:GetAccountPublicAccessBlock",
- "shield:GetSubscriptionState",
 "shield:DescribeProtection",
- "elasticfilesystem:DescribeBackupPolicy"
+ "shield:GetSubscriptionState",
+ "ssm:GetDocument",
+ "support:Describe*",
+ "tag:GetTagKeys"
 ]
 Effect = "Allow"
 Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"
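Review bot: The new access-denied test after `ssm get-document` greps the saved file body, so a document whose own content happens to mention `AccessDenied` or `UnauthorizedOperation` (an embedded IAM policy, an error-handling step) is reported as inaccessible and skipped instead of scanned, while a failure that prints a different error (throttling, an invalid document name) is left in the file and handed to secretsDetector as if it were document content, producing a misleading "No secrets found". Since stderr is already redirected into the file, the CLI exit status is the reliable signal: branch on `if ! "${AWSCLI}" … > "${SSM_DOC_FILE}" 2>&1; then` and only inside that branch grep the file to pick the access-denied wording versus a generic error, then `continue`; the rewritten lines are below. The info message would also be more useful if it named the document, e.g. `textInfo "${regx}: Access Denied trying to get document ${ssmdoc}" "${regx}"`. Because the temp folder receives document bodies that may contain secrets, creating it with `mkdir -m 700 "${SECRETS_TEMP_FOLDER}"` would keep them from other local users for the short time they exist.
```shell
        SSM_DOC_FILE="${SECRETS_TEMP_FOLDER}/extra7141-${ssmdoc}-${regx}-content.txt"
        if ! "${AWSCLI}" ${PROFILE_OPT} --region "${regx}" ssm get-document --name "${ssmdoc}" --output text --document-format JSON > "${SSM_DOC_FILE}" 2>&1; then
          # the file holds the CLI error output, not a document: classify it and skip this doc
          if grep -qE 'AccessDenied|UnauthorizedOperation|AuthorizationError' "${SSM_DOC_FILE}"; then
            textInfo "${regx}: Access Denied trying to get document ${ssmdoc}" "${regx}"
          else
            textInfo "${regx}: Error trying to get document ${ssmdoc}" "${regx}"
          fi
          rm -f "${SSM_DOC_FILE}"
          continue
        fi
        # … unchanged: secretsDetector scan, textPass/textFail, file cleanup …
```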
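Review bot: The `ssm:GetDocument` action added to this statement is bound by the statement's own `Resource = "arn:aws:glue:…:catalog"` line at the end of the hunk, so a GetDocument request on an SSM document ARN will not match it and the check will still report Access Denied under this policy, unless another statement of this resource outside the hunk grants it. The other three policy files in this commit grant the same action list against `Resource: '*'`, so this statement is inconsistent with them; either move the non-Glue actions into a statement with that scope, or give the new action its own statement limited to the account's documents, e.g. `Resource = "arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:document/*"`. The `aws_iam_policy` resource block starts before this hunk and continues past it.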