feat(default_regions): Set profile region as default for global regions. (#1228)

Co-authored-by: sergargar <sergio@verica.io>
Sergio Garcia
2022-06-23 17:28:01 +02:00
committed by GitHub
parent 66d57a3d36
commit a2b40caeda
6 changed files with 29 additions and 16 deletions


@@ -39,7 +39,9 @@ class AWS_Provider:
# Here we need the botocore session since it needs to use refreshable credentials # Here we need the botocore session since it needs to use refreshable credentials
assumed_botocore_session = get_session() assumed_botocore_session = get_session()
assumed_botocore_session._credentials = assumed_refreshable_credentials assumed_botocore_session._credentials = assumed_refreshable_credentials
assumed_botocore_session.set_config_variable("region", "us-east-1") assumed_botocore_session.set_config_variable(
"region", audit_info.profile_region
)
return session.Session( return session.Session(
profile_name=audit_info.profile, profile_name=audit_info.profile,
@@ -89,6 +91,7 @@ def provider_set_session(
audited_account=None, audited_account=None,
audited_partition=None, audited_partition=None,
profile=input_profile, profile=input_profile,
profile_region=None,
credentials=None, credentials=None,
assumed_role_info=AWS_Assume_Role( assumed_role_info=AWS_Assume_Role(
role_arn=input_role, role_arn=input_role,
@@ -150,6 +153,12 @@ def provider_set_session(
logger.info("Audit session is the original one") logger.info("Audit session is the original one")
current_audit_info.audit_session = current_audit_info.original_session current_audit_info.audit_session = current_audit_info.original_session
# Setting default region of session
if current_audit_info.audit_session.region_name:
current_audit_info.profile_region = current_audit_info.audit_session.region_name
else:
current_audit_info.profile_region = "us-east-1"
def validate_credentials(validate_session): def validate_credentials(validate_session):
try: try:
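Review bot: `audit_info.profile_region` is handed to `set_config_variable("region", ...)` in the AWS_Provider hunk, but the AWS_Audit_Info is built with `profile_region=None` in the second hunk and only filled in from `audit_session.region_name` in the third; if the assumed-role session is created before that assignment runs, the botocore session is configured with region `None` and client creation then depends on whatever the environment resolves (potentially a NoRegionError). The call order is not visible on this page, so this should be confirmed against the rest of provider_set_session; a cheap guard is `assumed_botocore_session.set_config_variable("region", audit_info.profile_region or "us-east-1")`, or resolving the default region before the assume-role path is taken. A short comment on the new block in the third hunk would also help, e.g. `# Global services report findings under the profile's region; fall back to us-east-1 when the profile sets none`. The enclosing functions start and end outside these hunks.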


@@ -26,6 +26,7 @@ class AWS_Audit_Info:
audited_account: int audited_account: int
audited_partition: str audited_partition: str
profile: str profile: str
profile_region: str
credentials: AWS_Credentials credentials: AWS_Credentials
assumed_role_info: AWS_Assume_Role assumed_role_info: AWS_Assume_Role
audited_regions: list audited_regions: list
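Review bot: The new `profile_region: str` field is constructed with `profile_region=None` in provider_set_session and only later overwritten with a string, so the annotation does not describe what the attribute holds before the session region is resolved. Annotate it as `profile_region: Optional[str]` (with the matching `typing` import, or `str | None` if the project targets 3.10+) so readers and type checkers see that the value can be absent. The class definition continues outside the hunk.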


@@ -69,7 +69,9 @@ class EC2:
for snapshot in page["Snapshots"]: for snapshot in page["Snapshots"]:
snapshots.append(snapshot) snapshots.append(snapshot)
except Exception as error: except Exception as error:
logger.error(f"{error.__class__.__name__} -- {error}") logger.error(
f"{regional_client.region} -- {error.__class__.__name__}: {error}"
)
else: else:
regional_client.snapshots = snapshots regional_client.snapshots = snapshots


@@ -23,17 +23,17 @@ class iam_disable_30_days_credentials(Check):
if time_since_insertion.days > maximum_expiration_days: if time_since_insertion.days > maximum_expiration_days:
report.status = "FAIL" report.status = "FAIL"
report.result_extended = f"User {user['UserName']} has not logged into the console in the past 30 days" report.result_extended = f"User {user['UserName']} has not logged into the console in the past 30 days"
report.region = "us-east-1" report.region = iam_client.region
else: else:
report.status = "PASS" report.status = "PASS"
report.result_extended = f"User {user['UserName']} has logged into the console in the past 30 days" report.result_extended = f"User {user['UserName']} has logged into the console in the past 30 days"
report.region = "us-east-1" report.region = iam_client.region
except KeyError: except KeyError:
pass pass
else: else:
report.status = "PASS" report.status = "PASS"
report.result_extended = f"User {user['UserName']} has not a console password or is unused." report.result_extended = f"User {user['UserName']} has not a console password or is unused."
report.region = "us-east-1" report.region = iam_client.region
# Append report # Append report
findings.append(report) findings.append(report)
@@ -41,7 +41,7 @@ class iam_disable_30_days_credentials(Check):
report = Check_Report() report = Check_Report()
report.status = "PASS" report.status = "PASS"
report.result_extended = "There is no IAM users" report.result_extended = "There is no IAM users"
report.region = "us-east-1" report.region = iam_client.region
findings.append(report) findings.append(report)
return findings return findings
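Review bot: Every status branch in the first hunk now repeats `report.region = iam_client.region` (after the FAIL, PASS and no-password assignments), and the second hunk does the same after `report = Check_Report()`; assigning the region once right after the report is created removes the three duplicated lines and keeps a future branch from forgetting it. The same pattern is in the iam_disable_90_days_credentials section below. Separately, the `except KeyError: pass` in the first hunk drops a user whose credential-report row lacks an expected key without producing a finding or a log line, so an unexpected report format silently shrinks coverage; at minimum record it, e.g. `logger.warning(f"{user.get('UserName')} -- credential report entry missing expected key")` if the module has a logger. The enclosing method begins before the first hunk.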


@@ -23,17 +23,17 @@ class iam_disable_90_days_credentials(Check):
if time_since_insertion.days > maximum_expiration_days: if time_since_insertion.days > maximum_expiration_days:
report.status = "FAIL" report.status = "FAIL"
report.result_extended = f"User {user['UserName']} has not logged into the console in the past 90 days" report.result_extended = f"User {user['UserName']} has not logged into the console in the past 90 days"
report.region = "us-east-1" report.region = iam_client.region
else: else:
report.status = "PASS" report.status = "PASS"
report.result_extended = f"User {user['UserName']} has logged into the console in the past 90 days" report.result_extended = f"User {user['UserName']} has logged into the console in the past 90 days"
report.region = "us-east-1" report.region = iam_client.region
except KeyError: except KeyError:
pass pass
else: else:
report.status = "PASS" report.status = "PASS"
report.result_extended = f"User {user['UserName']} has not a console password or is unused." report.result_extended = f"User {user['UserName']} has not a console password or is unused."
report.region = "us-east-1" report.region = iam_client.region
# Append report # Append report
findings.append(report) findings.append(report)
@@ -41,6 +41,6 @@ class iam_disable_90_days_credentials(Check):
report = Check_Report() report = Check_Report()
report.status = "PASS" report.status = "PASS"
report.result_extended = "There is no IAM users" report.result_extended = "There is no IAM users"
report.region = "us-east-1" report.region = iam_client.region
return findings return findings


@@ -10,6 +10,7 @@ class IAM:
self.service = "iam" self.service = "iam"
self.session = audit_info.audit_session self.session = audit_info.audit_session
self.client = self.session.client(self.service) self.client = self.session.client(self.service)
self.region = audit_info.profile_region
self.users = self.__get_users__() self.users = self.__get_users__()
self.roles = self.__get_roles__() self.roles = self.__get_roles__()
self.customer_managed_policies = self.__get_customer_managed_policies__() self.customer_managed_policies = self.__get_customer_managed_policies__()
@@ -26,7 +27,7 @@ class IAM:
try: try:
get_roles_paginator = self.client.get_paginator("list_roles") get_roles_paginator = self.client.get_paginator("list_roles")
except Exception as error: except Exception as error:
logger.error(f"{error.__class__.__name__} -- {error}") logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
else: else:
roles = [] roles = []
for page in get_roles_paginator.paginate(): for page in get_roles_paginator.paginate():
@@ -41,7 +42,7 @@ class IAM:
try: try:
report_status = self.client.generate_credential_report() report_status = self.client.generate_credential_report()
except Exception as error: except Exception as error:
logger.error(f"{error.__class__.__name__} -- {error}") logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
else: else:
if report_status["State"] == "COMPLETE": if report_status["State"] == "COMPLETE":
report_is_completed = True report_is_completed = True
@@ -52,7 +53,7 @@ class IAM:
try: try:
get_groups_paginator = self.client.get_paginator("list_groups") get_groups_paginator = self.client.get_paginator("list_groups")
except Exception as error: except Exception as error:
logger.error(f"{error.__class__.__name__} -- {error}") logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
else: else:
groups = [] groups = []
for page in get_groups_paginator.paginate(): for page in get_groups_paginator.paginate():
@@ -67,7 +68,7 @@ class IAM:
"list_policies" "list_policies"
) )
except Exception as error: except Exception as error:
logger.error(f"{error.__class__.__name__} -- {error}") logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
else: else:
customer_managed_policies = [] customer_managed_policies = []
for page in get_customer_managed_policies_paginator.paginate(Scope="Local"): for page in get_customer_managed_policies_paginator.paginate(Scope="Local"):
@@ -80,7 +81,7 @@ class IAM:
try: try:
get_users_paginator = self.client.get_paginator("list_users") get_users_paginator = self.client.get_paginator("list_users")
except Exception as error: except Exception as error:
logger.error(f"{error.__class__.__name__} -- {error}") logger.error(f"{self.region} -- {error.__class__.__name__}: {error}")
else: else:
users = [] users = []
for page in get_users_paginator.paginate(): for page in get_users_paginator.paginate():
@@ -93,5 +94,5 @@ class IAM:
try: try:
iam_client = IAM(current_audit_info) iam_client = IAM(current_audit_info)
except Exception as error: except Exception as error:
logger.critical(f"{error.__class__.__name__} -- {error}") logger.critical(f"{error.__class__.__name__} -- {error}")
sys.exit() sys.exit()
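Review bot: `self.region = audit_info.profile_region` in the `__init__` hunk carries no comment explaining that the stored region is a reporting and logging label rather than the endpoint the IAM client is bound to (the client is created from `self.session` on the line above with no region argument), which is easy to misread for a global service. Suggest `# IAM is a global service: region only tags findings and log lines with the profile's default region; it does not select the client endpoint`. It would also be worth a sentence in the `__init__` docstring that `profile_region` may still be `None` if the IAM object is constructed before provider_set_session has resolved the default region, since that ordering is not visible here. The enclosing class continues outside these hunks.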