From a2b40caedaeedc6603c644b4cdd3763393a749eb Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Thu, 23 Jun 2022 17:28:01 +0200
Subject: [PATCH] feat(default_regions): Set profile region as default for global regions. (#1228)

Co-authored-by: sergargar
---
 providers/aws/aws_provider.py | 11 ++++++++++-
 providers/aws/models.py | 1 +
 providers/aws/services/ec2/ec2_service.py | 4 +++-
 .../iam_disable_30_days_credentials.py | 8 ++++----
 .../iam_disable_90_days_credentials.py | 8 ++++----
 providers/aws/services/iam/iam_service.py | 13 +++++++------
 6 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/providers/aws/aws_provider.py b/providers/aws/aws_provider.py
index c2165c8b..5d46fe6f 100644
--- a/providers/aws/aws_provider.py
+++ b/providers/aws/aws_provider.py
@@ -39,7 +39,9 @@ class AWS_Provider:
         # Here we need the botocore session since it needs to use refreshable credentials
         assumed_botocore_session = get_session()
         assumed_botocore_session._credentials = assumed_refreshable_credentials
-        assumed_botocore_session.set_config_variable("region", "us-east-1")
+        assumed_botocore_session.set_config_variable(
+            "region", audit_info.profile_region
+        )
 
         return session.Session(
             profile_name=audit_info.profile,
@@ -89,6 +91,7 @@ def provider_set_session(
         audited_account=None,
         audited_partition=None,
         profile=input_profile,
+        profile_region=None,
         credentials=None,
         assumed_role_info=AWS_Assume_Role(
             role_arn=input_role,
@@ -150,6 +153,12 @@ def provider_set_session(
         logger.info("Audit session is the original one")
         current_audit_info.audit_session = current_audit_info.original_session
 
+    # Setting default region of session
+    if current_audit_info.audit_session.region_name:
+        current_audit_info.profile_region = current_audit_info.audit_session.region_name
+    else:
+        current_audit_info.profile_region = "us-east-1"
+
 
 def validate_credentials(validate_session):
     try:
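Review bot: `audit_info.profile_region` may still be None when this assumed-role session is configured, because `provider_set_session` initialises the field to None in the `AWS_Audit_Info` constructor and only fills it in after the audit session has been chosen (the block ending in `"us-east-1"` at the bottom of that function); whether the assume-role branch constructs `AWS_Provider` before that point is outside the hunk, but the ordering of the two later hunks suggests it does. If so, `set_config_variable("region", None)` is likely to pin an explicit None that botocore will not fall back from, so regional clients on the assumed session could fail with NoRegionError while the original-session path works. Resolving the default region before building `AWS_Provider`, or guarding with `"region", audit_info.profile_region or "us-east-1"` here, keeps both paths consistent. The enclosing method starts outside the hunk.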
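Review bot: The `"us-east-1"` fallback in the new block ignores which partition the session belongs to, even though `audited_partition` is carried on the same `AWS_Audit_Info` object constructed in the hunk above; for an aws-us-gov or aws-cn profile with no configured region this picks a region that does not exist in that partition, and every global-service finding is then tagged with it. A partition-aware default such as `{"aws-cn": "cn-north-1", "aws-us-gov": "us-gov-west-1"}.get(current_audit_info.audited_partition, "us-east-1")` keeps the fallback valid; I am inferring from the field name that `audited_partition` holds the partition string, so confirm before relying on it. The comment `# Setting default region of session` would also say more as `# Default region used to tag global-service findings: the session's configured region, else us-east-1`.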
diff --git a/providers/aws/models.py b/providers/aws/models.py
index 49fb8a8c..d2a1a066 100644
--- a/providers/aws/models.py
+++ b/providers/aws/models.py
@@ -26,6 +26,7 @@ class AWS_Audit_Info:
     audited_account: int
     audited_partition: str
     profile: str
+    profile_region: str
     credentials: AWS_Credentials
     assumed_role_info: AWS_Assume_Role
     audited_regions: list
diff --git a/providers/aws/services/ec2/ec2_service.py b/providers/aws/services/ec2/ec2_service.py
index 4955dab4..ea938931 100644
--- a/providers/aws/services/ec2/ec2_service.py
+++ b/providers/aws/services/ec2/ec2_service.py
@@ -69,7 +69,9 @@ class EC2:
                 for snapshot in page["Snapshots"]:
                     snapshots.append(snapshot)
         except Exception as error:
-            logger.error(f"{error.__class__.__name__} -- {error}")
+            logger.error(
+                f"{regional_client.region} -- {error.__class__.__name__}: {error}"
+            )
         else:
             regional_client.snapshots = snapshots
diff --git a/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py b/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
index c2c9516a..8a5e5cf8 100644
--- a/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
+++ b/providers/aws/services/iam/iam_disable_30_days_credentials/iam_disable_30_days_credentials.py
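Review bot: The new `profile_region: str` annotation does not match how the field is populated — `provider_set_session` in this same patch constructs `AWS_Audit_Info(..., profile_region=None, ...)` and only assigns a string later — so readers and type checkers will assume it is always set. Annotating it as optional (`profile_region: str | None`, or `Optional[str]` if the file targets a Python before 3.10 without `from __future__ import annotations`) documents the window in which it is None. The class body continues outside the hunk.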
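Review bot: When the loop over `page["Snapshots"]` raises, the new log line records the region but `regional_client.snapshots` is assigned only in the `else:` branch, so for that region the attribute is never set unless it is initialised somewhere above the hunk (the start of this method is outside it); a check that later reads `regional_client.snapshots` would then hit an AttributeError or, if it guards with `getattr`, silently skip the region. Assigning `regional_client.snapshots = []` in the except branch after logging, or initialising it before the `try`, makes the degraded state explicit. `logger.exception(...)` instead of `logger.error(f"...")` would also keep the traceback, which matters when distinguishing an AccessDenied from throttling.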
@@ -23,17 +23,17 @@ class iam_disable_30_days_credentials(Check):
                     if time_since_insertion.days > maximum_expiration_days:
                         report.status = "FAIL"
                         report.result_extended = f"User {user['UserName']} has not logged into the console in the past 30 days"
-                        report.region = "us-east-1"
+                        report.region = iam_client.region
                     else:
                         report.status = "PASS"
                         report.result_extended = f"User {user['UserName']} has logged into the console in the past 30 days"
-                        report.region = "us-east-1"
+                        report.region = iam_client.region
                 except KeyError:
                     pass
             else:
                 report.status = "PASS"
                 report.result_extended = f"User {user['UserName']} has not a console password or is unused."
-                report.region = "us-east-1"
+                report.region = iam_client.region
             # Append report
             findings.append(report)
@@ -41,7 +41,7 @@ class iam_disable_30_days_credentials(Check):
             report = Check_Report()
             report.status = "PASS"
             report.result_extended = "There is no IAM users"
-            report.region = "us-east-1"
+            report.region = iam_client.region
             findings.append(report)

         return findings
diff --git a/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py b/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
index d0dff782..8d565d13 100644
--- a/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
+++ b/providers/aws/services/iam/iam_disable_90_days_credentials/iam_disable_90_days_credentials.py
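Review bot: The same `report.region = iam_client.region` assignment is repeated in three branches of this hunk, while the `except KeyError: pass` path still leaves the report with no status and no region before the unconditional `findings.append(report)` below it, so a user record missing the expected key is emitted as a blank finding rather than a FAIL or an explicit skip. Setting `report.region = iam_client.region` once right after the report is created (presumably `report = Check_Report()` just above the hunk) removes the duplication and covers the KeyError path too; the KeyError branch should then either set a status or `continue` without appending, since a silent blank finding is a false negative in a credential-hygiene check. The enclosing loop and `try` begin outside the hunk.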
@@ -23,17 +23,17 @@ class iam_disable_90_days_credentials(Check):
                     if time_since_insertion.days > maximum_expiration_days:
                         report.status = "FAIL"
                         report.result_extended = f"User {user['UserName']} has not logged into the console in the past 90 days"
-                        report.region = "us-east-1"
+                        report.region = iam_client.region
                     else:
                         report.status = "PASS"
                         report.result_extended = f"User {user['UserName']} has logged into the console in the past 90 days"
-                        report.region = "us-east-1"
+                        report.region = iam_client.region
                 except KeyError:
                     pass
             else:
                 report.status = "PASS"
                 report.result_extended = f"User {user['UserName']} has not a console password or is unused."
-                report.region = "us-east-1"
+                report.region = iam_client.region
             # Append report
             findings.append(report)
@@ -41,6 +41,6 @@ class iam_disable_90_days_credentials(Check):
             report = Check_Report()
             report.status = "PASS"
             report.result_extended = "There is no IAM users"
-            report.region = "us-east-1"
+            report.region = iam_client.region

         return findings
diff --git a/providers/aws/services/iam/iam_service.py b/providers/aws/services/iam/iam_service.py
index 07f2de5b..f5fef8d1 100644
--- a/providers/aws/services/iam/iam_service.py
+++ b/providers/aws/services/iam/iam_service.py
@@ -10,6 +10,7 @@ class IAM:
         self.service = "iam"
         self.session = audit_info.audit_session
         self.client = self.session.client(self.service)
+        self.region = audit_info.profile_region
         self.users = self.__get_users__()
         self.roles = self.__get_roles__()
         self.customer_managed_policies = self.__get_customer_managed_policies__()
@@ -26,7 +27,7 @@ class IAM:
         try:
             get_roles_paginator = self.client.get_paginator("list_roles")
         except Exception as error:
-            logger.error(f"{error.__class__.__name__} -- {error}")
+            logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
         else:
             roles = []
             for page in get_roles_paginator.paginate():
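Review bot: As in the 30-day sibling, `report.region = iam_client.region` is written in three branches but not on the `except KeyError: pass` path, which still falls through to the `findings.append(report)` at the bottom of the hunk with neither status nor region set. Assigning the region once where the report is created (above the hunk) and making the KeyError branch either set a status or `continue` avoids emitting a blank finding for a user the check could not evaluate. The enclosing loop and `try` start outside the hunk.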
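Review bot: The no-users branch builds a PASS report but never appends it — the hunk goes from `report.region = iam_client.region` straight to `return findings`, whereas the corresponding hunk in `iam_disable_30_days_credentials` in this same patch has `findings.append(report)` before the return (the hunk line counts, 6 here versus 7 there, match that difference). As written, an account with no IAM users yields no finding at all for this check, so the result is silently absent from the output instead of an explicit PASS. Add `findings.append(report)` after the region assignment, at the same indentation as the report lines.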
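Review bot: `self.region` is introduced without saying what a region means for a global service, and since the client on the line above is created without a `region_name`, a reader may assume the two are tied together. Elsewhere in this patch the attribute is only used to tag log messages and `report.region` in the IAM checks, so a comment such as `# IAM is global; region is the session default, used only to tag findings and logs` would stop someone later passing it as the client's region. It also inherits whatever `profile_region` holds, which this patch initialises to None before the fallback in `provider_set_session` runs. The `__init__` body continues outside the hunk.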
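Review bot: The `try` in this hunk wraps only `self.client.get_paginator("list_roles")`, which builds a local object and makes no API call; the `paginate()` loop in the `else:` branch is where ListRoles actually executes, so an AccessDenied or throttling error there is not caught by this handler and propagates out of `__init__` to the module-level `except` that exits the process. Moving the pagination loop inside the `try` (or wrapping the loop itself) makes the new region-tagged error log fire for the failures it is meant to describe. The same shape appears in the groups, policies and users hunks further down. The method's return is outside the hunk.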
@@ -41,7 +42,7 @@ class IAM:
         try:
             report_status = self.client.generate_credential_report()
         except Exception as error:
-            logger.error(f"{error.__class__.__name__} -- {error}")
+            logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
         else:
             if report_status["State"] == "COMPLETE":
                 report_is_completed = True
@@ -52,7 +53,7 @@ class IAM:
         try:
             get_groups_paginator = self.client.get_paginator("list_groups")
         except Exception as error:
-            logger.error(f"{error.__class__.__name__} -- {error}")
+            logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
         else:
             groups = []
             for page in get_groups_paginator.paginate():
@@ -67,7 +68,7 @@ class IAM:
                 "list_policies"
             )
         except Exception as error:
-            logger.error(f"{error.__class__.__name__} -- {error}")
+            logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
         else:
             customer_managed_policies = []
             for page in get_customer_managed_policies_paginator.paginate(Scope="Local"):
@@ -80,7 +81,7 @@ class IAM:
         try:
             get_users_paginator = self.client.get_paginator("list_users")
         except Exception as error:
-            logger.error(f"{error.__class__.__name__} -- {error}")
+            logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
         else:
             users = []
             for page in get_users_paginator.paginate():
@@ -93,5 +94,5 @@ class IAM:
 try:
     iam_client = IAM(current_audit_info)
 except Exception as error:
-    logger.critical(f"{error.__class__.__name__} -- {error}")
+    logger.critical(f"{error.__class__.__name__} -- {error}")
     sys.exit()
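Review bot: A failure while listing users is logged and then swallowed here, and because the `paginate()` loop sits in the `else:` branch the handler only fires if `get_paginator` itself fails; either way, what the IAM checks see afterwards depends on what `__get_users__` returns, which is outside the hunk. If that is an empty list or None, the `iam_disable_30_days_credentials` and `iam_disable_90_days_credentials` changes in this patch emit a PASS `"There is no IAM users"` finding — a false negative produced by a permissions error, which is the worst outcome for a credential-hygiene check. Consider recording the failure distinctly (for example leaving `self.users` as None rather than `[]`) so the checks can report an error state instead of PASS, and wrap the pagination loop in the `try` so the region-tagged log actually covers the ListUsers call.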