ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(dynamodb_allowlist): Support DynamoDB tables ARN for allowlist input (#1118)

Browse Source 
* feat(dynamodb_allowlist): Support dynamodb tables arn for allowlist input.

* feat(allowlist): Include logging messages for input file

* fix(allowlist): Modify DynamoDB key name

Co-authored-by: sergargar <sergio@verica.io>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
This commit is contained in:
Sergio Garcia
2022-04-28 17:04:44 +02:00
committed by GitHub
parent 432632d981
commit aa16bf4084
2 changed files with 73 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@@ -33,7 +33,7 @@
- [Advanced Usage](#advanced-usage) - [Advanced Usage](#advanced-usage)
- [Security Hub integration](#security-hub-integration) - [Security Hub integration](#security-hub-integration)
- [CodeBuild deployment](#codebuild-deployment) - [CodeBuild deployment](#codebuild-deployment)
- [Allowlist or remove FAIL from resources](#allowlist-or-allowlist-or-remove-a-fail-from-resources) - [Allowlist](#allowlist-or-remove-a-fail-from-resources)
- [Fix](#how-to-fix-every-fail) - [Fix](#how-to-fix-every-fail)
- [Troubleshooting](#troubleshooting) - [Troubleshooting](#troubleshooting)
- [Extras](#extras) - [Extras](#extras)
@@ -495,6 +495,15 @@ Sometimes you may find resources that are intentionally configured in a certain
S3 URIs are also supported as allowlist file, e.g. `s3://bucket/prefix/allowlist_sample.txt` S3 URIs are also supported as allowlist file, e.g. `s3://bucket/prefix/allowlist_sample.txt`
>Make sure that the used credentials have s3:GetObject permissions in the S3 path where the allowlist file is located. >Make sure that the used credentials have s3:GetObject permissions in the S3 path where the allowlist file is located.
DynamoDB table ARNs are also supported as allowlist file, e.g. `arn:aws:dynamodb:us-east-1:111111222222:table/allowlist`
>Make sure that the table has `account_id` as partition key and `rule` as sort key, and that the used credentials have dynamodb:Scan permissions in the table.
><p align="left"><img src="https://user-images.githubusercontent.com/38561120/165769502-296f9075-7cc8-445e-8158-4b21804bfe7e.png" alt="image" width="397" height="252" /></p>
>The field `account_id` can contains either an account ID or an `*` (which applies to all the accounts that use this table as a whitelist). As in the traditional allowlist file, the `rule` field must contain `checkID:resourcename` pattern.
><p><img src="https://user-images.githubusercontent.com/38561120/165770610-ed5c2764-7538-44c2-9195-bcfdecc4ef9b.png" alt="image" width="394" /></p>
Allowlist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`. Allowlist option works along with other options and adds a `WARNING` instead of `INFO`, `PASS` or `FAIL` to any output format except for `json-asff`.
## How to fix every FAIL ## How to fix every FAIL

87
include/allowlist
View File

@@ -12,32 +12,71 @@
# specific language governing permissions and limitations under the License. # specific language governing permissions and limitations under the License.
allowlist(){ allowlist(){
# check if the file is an S3 URI # Check if the file is an S3 URI
if grep -q -E "^s3://([^/]+)/(.*?([^/]+))$" <<< "$ALLOWLIST_FILE"; then if grep -q -E "^s3://([^/]+)/(.*?([^/]+))$" <<< "${ALLOWLIST_FILE}"; then
# download s3 object allowlist_S3
local S3_ALLOWLIST_FILE=allowlist_s3_file.txt # Check if the file is a DynamoDB ARN
echo -e "$NOTICE Downloading allowlist from S3 URI $ALLOWLIST_FILE ..." elif grep -q -E "^arn:aws:dynamodb:\w+(?:-\w+)+:\d{12}:table\/[A-Za-z0-9]+$" <<< "${ALLOWLIST_FILE}"; then
if ! $AWSCLI s3 cp $ALLOWLIST_FILE $S3_ALLOWLIST_FILE $PROFILE_OPT > /dev/null 2>&1; then allowlist_DynamoDB
echo "$BAD FAIL! Access Denied trying to download allowlist from the S3 URI, please make sure it is correct and/or you have permissions to get the S3 object.$NORMAL"
EXITCODE=1
exit $EXITCODE
fi
echo -e "$OK Success! Allowlist was downloaded, starting Prowler...$NORMAL"
# ignore lines starting with # (comments)
# ignore inline comments: check1:foo # inline comment
ALLOWLIST=$(awk '!/^[[:space:]]*#/{print }' <(cat "$S3_ALLOWLIST_FILE") | sed 's/[[:space:]]*#.*$//g')
# remove temporary file
rm -f "$S3_ALLOWLIST_FILE"
else else
# Check if input allowlist file exists # Check if the file is a DynamoDB ARN
if [[ -f "$ALLOWLIST_FILE" ]]; then allowlist_Textfile
# ignore lines starting with # (comments) fi
# ignore inline comments: check1:foo # inline comment }
ALLOWLIST=$(awk '!/^[[:space:]]*#/{print }' <(cat "$ALLOWLIST_FILE") | sed 's/[[:space:]]*#.*$//g')
else allowlist_S3() {
echo "$BAD FAIL! $ALLOWLIST_FILE does not exist, please input a valid allowlist file.$NORMAL" # download s3 object
local S3_ALLOWLIST_FILE=allowlist_s3_file.txt
echo -e "${NOTICE} Downloading allowlist from S3 URI ${ALLOWLIST_FILE} ...${NORMAL}"
if ! "${AWSCLI}" s3 cp "${ALLOWLIST_FILE}" "${S3_ALLOWLIST_FILE}" ${PROFILE_OPT} > /dev/null 2>&1; then
echo "${BAD} FAIL! Access Denied trying to download allowlist from the S3 URI, please make sure it is correct and/or you have permissions to get the S3 object.${NORMAL}"
EXITCODE=1
exit "${EXITCODE}"
fi
echo -e "${OK} Success! Allowlist was downloaded, starting Prowler...${NORMAL}"
# ignore lines starting with # (comments)
# ignore inline comments: check1:foo # inline comment
ALLOWLIST=$(awk '!/^[[:space:]]*#/{print }' <(cat "${S3_ALLOWLIST_FILE}") | sed 's/[[:space:]]*#.*$//g')
# remove temporary file
rm -f "${S3_ALLOWLIST_FILE}"
}
allowlist_DynamoDB() {
echo -e "${NOTICE} Getting allowlist from DynamoDB table ${ALLOWLIST_FILE} ...${NORMAL}"
DYNAMO_REGION=$(cut -d ":" -f 4 <<< "${ALLOWLIST_FILE}")
DYNAMO_TABLE=$(cut -d "/" -f 2 <<< "${ALLOWLIST_FILE}")
DYNAMO_ITEMS=$(${AWSCLI} dynamodb execute-statement --statement "SELECT rule FROM ${DYNAMO_TABLE} WHERE account_id=""'""${ACCOUNT_NUM}""'"" or account_id='*'" ${PROFILE_OPT} --region ${DYNAMO_REGION} --output json 2>&1 )
if grep -q -E 'AccessDenied|UnauthorizedOperation|ResourceNotFoundException' <<< "${DYNAMO_ITEMS}"; then
echo "${BAD} FAIL! Access Denied trying to get allowlist from the DynamoDB, please make sure it is correct and/or you have permissions to scan the table ${DYNAMO_TABLE}.${NORMAL}"
EXITCODE=1
exit ${EXITCODE}
fi
if [[ $(jq '."Items" | length' <<< "${DYNAMO_ITEMS}") -eq 0 ]]; then
echo "${NOTICE} No allowed resources were found for account ${ACCOUNT_NUM}, starting Prowler...${NORMAL}"
else
# Convert elements to allowlist file
ALLOWLIST=$(jq -r '.Items[].rule.S' <<< "${DYNAMO_ITEMS}")
if grep -q "null" <<< "${ALLOWLIST}"; then
echo "${BAD} FAIL! No rule key found in DynamoDB table, please make sure the table has rule as a sort key and account_id as the partition key...${NORMAL}"
EXITCODE=1 EXITCODE=1
exit $EXITCODE exit ${EXITCODE}
else
echo "${OK} Success! Allowed resources were added for account ${ACCOUNT_NUM}, starting Prowler...${NORMAL}"
fi fi
fi fi
} }
allowlist_Textfile() {
echo -e "${NOTICE} Getting allowlist from input file ${ALLOWLIST_FILE} ...${NORMAL}"
# Check if input allowlist file exists
if [[ -f "${ALLOWLIST_FILE}" ]]; then
# ignore lines starting with # (comments)
# ignore inline comments: check1:foo # inline comment
ALLOWLIST=$(awk '!/^[[:space:]]*#/{print }' <(cat "${ALLOWLIST_FILE}") | sed 's/[[:space:]]*#.*$//g')
echo -e "${OK} Success! Allowlist was downloaded, starting Prowler...${NORMAL}"
else
echo "${BAD} FAIL! ${ALLOWLIST_FILE} does not exist, please input a valid allowlist file.${NORMAL}"
EXITCODE=1
exit ${EXITCODE}
fi
}