Fix(extra7141): Error handling and include missing policy (#1024)

* Fix AccessDenied issue when get document

Add a check to detect Access Denied errors when getting a document from SSM.
Add the missing action permission to allow ssm:GetDocument.

* Double quote variables to prevent globbing and word splitting
Leonardo Azize Martins
2022-02-09 12:01:01 -03:00
committed by GitHub
parent 6c12a3e1e0
commit 9b772a70a1
5 changed files with 49 additions and 41 deletions


@@ -24,36 +24,40 @@ CHECK_DOC_extra7141='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGu
CHECK_CAF_EPIC_extra7141='IAM' CHECK_CAF_EPIC_extra7141='IAM'
extra7141(){ extra7141(){
SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM" SECRETS_TEMP_FOLDER="${PROWLER_DIR}/secrets-${ACCOUNT_NUM}"
if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then if [[ ! -d "${SECRETS_TEMP_FOLDER}" ]]; then
# this folder is deleted once this check is finished # this folder is deleted once this check is finished
mkdir $SECRETS_TEMP_FOLDER mkdir "${SECRETS_TEMP_FOLDER}"
fi fi
for regx in $REGIONS; do for regx in ${REGIONS}; do
SSM_DOCS=$($AWSCLI $PROFILE_OPT --region $regx ssm list-documents --filters Key=Owner,Values=Self --query DocumentIdentifiers[].Name --output text 2>&1) SSM_DOCS=$("${AWSCLI}" ${PROFILE_OPT} --region "${regx}" ssm list-documents --filters 'Key=Owner,Values=Self' --query 'DocumentIdentifiers[].Name' --output text 2>&1)
if [[ $(echo "$SSM_DOCS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then if [[ $(echo "${SSM_DOCS}" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
textInfo "$regx: Access Denied trying to list documents" "$regx" textInfo "${regx}: Access Denied trying to list documents" "${regx}"
continue continue
fi fi
if [[ $SSM_DOCS ]];then if [[ ${SSM_DOCS} ]];then
for ssmdoc in $SSM_DOCS; do for ssmdoc in ${SSM_DOCS}; do
SSM_DOC_FILE="$SECRETS_TEMP_FOLDER/extra7141-$ssmdoc-$regx-content.txt" SSM_DOC_FILE="${SECRETS_TEMP_FOLDER}/extra7141-${ssmdoc}-${regx}-content.txt"
$AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE "${AWSCLI}" ${PROFILE_OPT} --region "${regx}" ssm get-document --name "${ssmdoc}" --output text --document-format JSON > "${SSM_DOC_FILE}" 2>&1
FINDINGS=$(secretsDetector file $SSM_DOC_FILE) if [[ $(grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' "${SSM_DOC_FILE}") ]]; then
if [[ $FINDINGS -eq 0 ]]; then textInfo "${regx}: Access Denied trying to get document" "${regx}"
textPass "$regx: No secrets found in SSM Document $ssmdoc" "$regx" "$ssmdoc" continue
fi
FINDINGS=$(secretsDetector file "${SSM_DOC_FILE}")
if [[ "${FINDINGS}" -eq 0 ]]; then
textPass "${regx}: No secrets found in SSM Document ${ssmdoc}" "${regx}" "${ssmdoc}"
# delete file if nothing interesting is there # delete file if nothing interesting is there
rm -f $SSM_DOC_FILE rm -f "${SSM_DOC_FILE}"
else else
textFail "$regx: Potential secret found SSM Document $ssmdoc" "$regx" "$ssmdoc" textFail "${regx}: Potential secret found SSM Document ${ssmdoc}" "${regx}" "${ssmdoc}"
# delete file to not leave trace, user must look at the CFN Stack # delete file to not leave trace, user must look at the CFN Stack
rm -f $SSM_DOC_FILE rm -f "${SSM_DOC_FILE}"
fi fi
done done
else else
textInfo "$regx: No SSM Document found." "$regx" textInfo "${regx}: No SSM Document found." "${regx}"
fi fi
done done
rm -rf $SECRETS_TEMP_FOLDER rm -rf "${SECRETS_TEMP_FOLDER}"
} }
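Review bot: The new Access Denied test on the get-document call (the `grep` line right after the redirect into `${SSM_DOC_FILE}`) recognises only authorization failures; any other non-zero exit from the CLI (throttling, a document deleted between list and get, a network error) writes its error text into the same file, which is then handed to `secretsDetector` and reported as a pass or fail on the document's contents. Checking the command's exit status first, and using the grep only to tell the Access Denied case apart from other errors, keeps CLI error output out of the secrets scan; the error file should also be removed before `continue` instead of waiting for the final `rm -rf`. `grep -qE` is the idiomatic form of `[[ $(grep -E …) ]]`, and the list-documents test earlier in the loop could use it too. Something like the following for the get-document branch:
```shell
          SSM_DOC_FILE="${SECRETS_TEMP_FOLDER}/extra7141-${ssmdoc}-${regx}-content.txt"
          if ! "${AWSCLI}" ${PROFILE_OPT} --region "${regx}" ssm get-document --name "${ssmdoc}" --output text --document-format JSON > "${SSM_DOC_FILE}" 2>&1; then
            if grep -qE 'AccessDenied|UnauthorizedOperation|AuthorizationError' "${SSM_DOC_FILE}"; then
              textInfo "${regx}: Access Denied trying to get document" "${regx}"
            else
              textInfo "${regx}: Error trying to get document ${ssmdoc}" "${regx}"
            fi
            # the file only holds the CLI error text, not document content
            rm -f "${SSM_DOC_FILE}"
            continue
          fi
          # … unchanged: secretsDetector call and pass/fail reporting …
```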


@@ -58,14 +58,15 @@ Resources:
- 'ds:ListAuthorizedApplications' - 'ds:ListAuthorizedApplications'
- 'ec2:GetEbsEncryptionByDefault' - 'ec2:GetEbsEncryptionByDefault'
- 'ecr:Describe*' - 'ecr:Describe*'
- 'support:Describe*' - 'elasticfilesystem:DescribeBackupPolicy'
- 'tag:GetTagKeys'
- 'lambda:GetFunction'
- 'glue:GetConnections' - 'glue:GetConnections'
- 'glue:GetSecurityConfiguration' - 'glue:GetSecurityConfiguration'
- 'glue:SearchTables' - 'glue:SearchTables'
- 'lambda:GetFunction'
- 's3:GetAccountPublicAccessBlock' - 's3:GetAccountPublicAccessBlock'
- 'shield:GetSubscriptionState'
- 'shield:DescribeProtection' - 'shield:DescribeProtection'
- 'elasticfilesystem:DescribeBackupPolicy' - 'shield:GetSubscriptionState'
- 'ssm:GetDocument'
- 'support:Describe*'
- 'tag:GetTagKeys'
Resource: '*' Resource: '*'
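Review bot: The one functional change in this policy, the new `ssm:GetDocument` action, is hard to pick out because it arrives together with an alphabetical reorder of the whole Action list; a comment on the added line naming the check that needs it, e.g. `- 'ssm:GetDocument' # extra7141: read SSM document contents for the secrets scan`, would make the purpose of the grant visible to whoever audits this role. The same list is duplicated in the JSON policy, the CodeBuild template and the Terraform `aws_iam_policy` hunks of this commit, so the four copies must be kept in sync by hand; a short comment at the top of this list saying so would help the next person who adds a permission. JSON has no comment syntax, so that copy can only be documented from here.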


@@ -6,16 +6,17 @@
"ds:ListAuthorizedApplications", "ds:ListAuthorizedApplications",
"ec2:GetEbsEncryptionByDefault", "ec2:GetEbsEncryptionByDefault",
"ecr:Describe*", "ecr:Describe*",
"support:Describe*", "elasticfilesystem:DescribeBackupPolicy",
"tag:GetTagKeys",
"lambda:GetFunction",
"glue:GetConnections", "glue:GetConnections",
"glue:GetSecurityConfiguration", "glue:GetSecurityConfiguration",
"glue:SearchTables", "glue:SearchTables",
"lambda:GetFunction",
"s3:GetAccountPublicAccessBlock", "s3:GetAccountPublicAccessBlock",
"shield:GetSubscriptionState",
"shield:DescribeProtection", "shield:DescribeProtection",
"elasticfilesystem:DescribeBackupPolicy" "shield:GetSubscriptionState",
"ssm:GetDocument",
"support:Describe*",
"tag:GetTagKeys"
], ],
"Resource": "*", "Resource": "*",
"Effect": "Allow", "Effect": "Allow",


@@ -141,7 +141,7 @@ Resources:
- id: W28 - id: W28
reason: "Explicit name is required for this resource to avoid circular dependencies." reason: "Explicit name is required for this resource to avoid circular dependencies."
Properties: Properties:
RoleName: !Sub 'prowler-codebuild-role' RoleName: 'prowler-codebuild-role'
Path: '/service-role/' Path: '/service-role/'
ManagedPolicyArns: ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/job-function/SupportUser' - 'arn:aws:iam::aws:policy/job-function/SupportUser'
@@ -187,16 +187,17 @@ Resources:
- ds:ListAuthorizedApplications - ds:ListAuthorizedApplications
- ec2:GetEbsEncryptionByDefault - ec2:GetEbsEncryptionByDefault
- ecr:Describe* - ecr:Describe*
- support:Describe* - elasticfilesystem:DescribeBackupPolicy
- tag:GetTagKeys
- lambda:GetFunction
- glue:GetConnections - glue:GetConnections
- glue:GetSecurityConfiguration - glue:GetSecurityConfiguration
- glue:SearchTables - glue:SearchTables
- lambda:GetFunction
- s3:GetAccountPublicAccessBlock - s3:GetAccountPublicAccessBlock
- shield:GetSubscriptionState
- shield:DescribeProtection - shield:DescribeProtection
- elasticfilesystem:DescribeBackupPolicy - shield:GetSubscriptionState
- ssm:GetDocument
- support:Describe*
- tag:GetTagKeys
Effect: Allow Effect: Allow
Resource: '*' Resource: '*'
- PolicyName: CodeBuild - PolicyName: CodeBuild


@@ -314,16 +314,17 @@ resource "aws_iam_policy" "prowler_kickstarter_iam_policy" {
"ds:ListAuthorizedApplications", "ds:ListAuthorizedApplications",
"ec2:GetEbsEncryptionByDefault", "ec2:GetEbsEncryptionByDefault",
"ecr:Describe*", "ecr:Describe*",
"support:Describe*", "elasticfilesystem:DescribeBackupPolicy",
"tag:GetTagKeys",
"lambda:GetFunction",
"glue:GetConnections", "glue:GetConnections",
"glue:GetSecurityConfiguration", "glue:GetSecurityConfiguration",
"glue:SearchTables", "glue:SearchTables",
"lambda:GetFunction",
"s3:GetAccountPublicAccessBlock", "s3:GetAccountPublicAccessBlock",
"shield:GetSubscriptionState",
"shield:DescribeProtection", "shield:DescribeProtection",
"elasticfilesystem:DescribeBackupPolicy" "shield:GetSubscriptionState",
"ssm:GetDocument",
"support:Describe*",
"tag:GetTagKeys"
] ]
Effect = "Allow" Effect = "Allow"
Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog" Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"
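Review bot: Adding `ssm:GetDocument` to a statement whose Resource is the Glue catalog ARN shown on the last context line will not authorise reads of SSM documents, because that action is evaluated against the document's ARN rather than a Glue catalog, so the extra7141 check would keep reporting Access Denied for a role built from this file. The statement's opening and any further Resource entries lie outside the hunk, so this is inferred from the visible trailing context; if the statement in fact carries a resource list or a wildcard, disregard. Otherwise `ssm:GetDocument` and the other non-Glue actions in this list belong in a separate statement with `Resource = "*"`, matching the other three policy copies in this commit, which use `Resource: '*'`.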