From c0f326575493237f19399e097bf1b19d1b483dcd Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Wed, 24 Mar 2021 15:41:51 +0100
Subject: [PATCH] Better handle permissions and errors
---
 include/whoami | 11 +++++------
 prowler | 11 ++++++++---
 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/include/whoami b/include/whoami
index e7c237ca..b9fa3e1b 100644
--- a/include/whoami
+++ b/include/whoami
@@ -29,9 +29,8 @@ case "$REGION" in
 ;;
 esac
-GETCALLER=$($AWSCLI sts get-caller-identity $PROFILE_OPT --region $REGION_FOR_STS)
-RESULT_CALL=$?
-if [[ $RESULT_CALL == 254 ]]; then
+GETCALLER=$($AWSCLI sts get-caller-identity $PROFILE_OPT --region $REGION_FOR_STS 2>&1)
+if [[ $(echo "$GETCALLER" | grep 'Unable') ]]; then
 if [[ $PRINTCHECKSONLY || $PRINTGROUPSONLY ]]; then
 echo Listing...
 else
@@ -45,11 +44,11 @@ fi
 if [[ $ACCOUNT_TO_ASSUME ]]; then
 ACCOUNT_NUM=$ACCOUNT_TO_ASSUME
 else
- ACCOUNT_NUM=$(echo $GETCALLER | jq -r '.Account')
+ ACCOUNT_NUM=$(echo $GETCALLER | jq -r '.Account' 2>&1)
 fi
-CALLER_ARN=$(echo $GETCALLER | jq -r '.Arn')
-USER_ID=$(echo $GETCALLER | jq -r '.UserId')
+CALLER_ARN=$(echo $GETCALLER | jq -r '.Arn' 2>&1)
+USER_ID=$(echo $GETCALLER | jq -r '.UserId' 2>&1)
 AWS_PARTITION=$(echo $CALLER_ARN| cut -d: -f2)
 getWhoami(){
diff --git a/prowler b/prowler
index 4b0784d8..f30a0ab1 100755
--- a/prowler
+++ b/prowler
@@ -261,9 +261,14 @@ fi
 # Get list of regions based on include/whoami
 REGIONS=$($AWSCLI ec2 describe-regions --query 'Regions[].RegionName' --output text $PROFILE_OPT --region $REGION_FOR_STS --region-names $FILTERREGION 2>&1)
 if [[ $(echo "$REGIONS" | grep 'AccessDenied\|UnauthorizedOperation') ]]; then
- echo "Access Denied trying to describe regions"
- EXITCODE=1
- exit $EXITCODE
+ if [[ $PRINTCHECKSONLY || $PRINTGROUPSONLY ]]; then
+ echo Listing...
+ else
+ # Failed to get own identity ... exit
+ echo "Access Denied trying to describe regions"
+ EXITCODE=1
+ exit $EXITCODE
+ fi
 fi
 # Pre-process whitelist file if supplied
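Review bot: The new `if [[ $(echo "$GETCALLER" | grep 'Unable') ]]` test in include/whoami discards the exit status of `sts get-caller-identity` and only recognises failures whose message happens to contain the word `Unable`, so an expired or invalid credential, an AccessDenied or a network error passes the check and the merged stderr text now sitting in `$GETCALLER` is handed to the jq calls further down. The removed code at least kept `RESULT_CALL=$?`; the status is the reliable signal, so keep `GETCALLER=$(... 2>&1)` but follow it with `RESULT_CALL=$?` and `if [[ $RESULT_CALL -ne 0 ]]; then`, optionally printing `$GETCALLER` on stderr in the failure branch. If a substring match is still wanted in addition, `grep -q 'Unable' <<<"$GETCALLER"` is the idiomatic form rather than a command substitution inside `[[ ]]`. The `if` body this condition guards continues outside the hunk.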
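Review bot: Appending `2>&1` to the three jq calls in the second include/whoami hunk turns a jq parse failure (what happens when `$GETCALLER` holds an error message instead of JSON) into the value of `ACCOUNT_NUM`, `CALLER_ARN` and `USER_ID` rather than a visible error, and `AWS_PARTITION` is then cut out of that error text on the following line. If the aim is only to keep jq quiet, send stderr to `/dev/null` and validate the parsed value, e.g. `[[ "$CALLER_ARN" == arn:* ]] || { echo "Could not parse caller identity: $GETCALLER" >&2; exit 1; }`. The unquoted `echo $GETCALLER` on these rewritten lines also word-splits and glob-expands the JSON; `jq -r '.Arn' <<<"$GETCALLER"` avoids both.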
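Review bot: The comment `# Failed to get own identity ... exit` added on the else branch in prowler was carried over from include/whoami and does not describe this code, which handles a failed `ec2 describe-regions`; `# Cannot enumerate regions and not in a list-only mode: exit` would match. In the list-only branch the script prints `Listing...` and continues with `$REGIONS` still holding the AWS error text, so whatever consumes `$REGIONS` after this hunk (not visible here) presumably must not treat it as a region list; clearing it with `REGIONS=` in that branch would make the intent explicit. The `if [[ $(echo "$REGIONS" | grep ...) ]]` test on the unchanged line above would read more directly as `if grep -q 'AccessDenied\|UnauthorizedOperation' <<<"$REGIONS"; then`, and it still lets other failures such as an expired token through, which the exit status of the describe-regions call would catch.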