From bb397baa8acbc94172a989bec1acdf182943f00e Mon Sep 17 00:00:00 2001
From: HG00
Date: Tue, 30 Mar 2021 11:53:24 +0000
Subject: [PATCH] Add get_regions function in order to call after assume_role

---
 prowler | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/prowler b/prowler
index b31a8d2f..34b587a8 100755
--- a/prowler
+++ b/prowler
@@ -254,14 +254,6 @@ unset AWS_DEFAULT_OUTPUT
 . $PROWLER_DIR/include/securityhub_integration
 . $PROWLER_DIR/include/junit_integration
 
-# Get list of regions based on include/whoami
-REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1)
-if [[ $(echo "$REGIONS" | grep AccessDenied) ]]; then
- echo "Access Denied trying to describe regions"
- EXITCODE=1
- exit $EXITCODE
-fi
-
 # Pre-process whitelist file if supplied
 if [[ -n "$WHITELIST_FILE" ]]; then
 # ignore lines starting with # (comments)
@@ -299,6 +291,17 @@ done
 # 6th character is the section number, 7th character onwards is the individual ID (e.g. check110 = check 1 10)
 TOTAL_CHECKS=($(echo "${TOTAL_CHECKS[*]}" | tr ' ' '\n' | awk '!seen[$0]++' | sort -k 1.6,1.6n -k 1.7n))
 
+# Function to get all regions
+get_regions() {
+ # Get list of regions based on include/whoami
+ REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1)
+ if [[ $(echo "$REGIONS" | grep 'AccessDenied\|UnauthorizedOperation') ]]; then
+ echo "Access Denied trying to describe regions"
+ EXITCODE=1
+ exit $EXITCODE
+ fi
+}
+
 # Function to show the title of the check, and optionally which group(s) it belongs to
 # using this way instead of arrays to keep bash3 (osx) and bash4(linux) compatibility
 show_check_title() {
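Review bot: get_regions only reacts to two error strings grepped out of the merged stdout/stderr, so any other failure of `describe-regions` (an expired or invalid assumed-role session, a network error, a rejected `--region-names` value) leaves the CLI's error text in `REGIONS`, which the rest of the script presumably iterates as region names. Since this now runs right after assume_role, a failed role switch would be turned into a run over bogus regions instead of an abort; checking the exit status closes that gap: `if ! REGIONS=$(… 2>&1) || grep -qE 'AccessDenied|UnauthorizedOperation' <<<"$REGIONS"; then`, followed by `echo "Error describing regions: $REGIONS" >&2` so the real cause is visible. `grep -qE` also replaces the `\|` BRE alternation, a GNU extension that is worth avoiding given the bash3/osx compatibility note two lines below. The function sets the globals `REGIONS` and `EXITCODE` as side effects; a header such as `# Sets REGIONS (space-separated region names); exits with EXITCODE=1 if describe-regions is denied` would make that explicit.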
@@ -577,6 +580,9 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then
 assume_role
 fi
 
+# List regions
+get_regions
+
 # Execute group of checks if called with -g
 if [[ $GROUP_ID_READ ]];then
 if [[ " ${GROUP_ID[@]} " =~ " ${GROUP_ID_READ} " ]]; then
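Review bot: The call site does not say why get_regions must follow assume_role, and the ordering only achieves its purpose if assume_role replaces what get_regions reads: the function still passes `$PROFILE_OPT` and `$REGION_FOR_STS`, and when `--profile` stays set the AWS CLI takes that profile's credentials in preference to session credentials exported as environment variables, so the region list would still come from the original caller rather than the assumed account — worth confirming against assume_role, which is outside this hunk. A comment at the call would pin the intent: `# Must run after assume_role so the region list reflects the assumed account's enabled regions`. Note also that get_regions exits the script on a permission error, so a role lacking ec2:DescribeRegions now aborts the whole run at this point; that is a reasonable choice but the comment should say so.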