Improved extra734 for GovCloud

2026-02-10 14:55:00 +00:00 · 2020-04-22 22:19:21 +02:00
parent 1beb483be3
commit dbb3ed9663
1 changed files with 4 additions and 4 deletions
--- a/checks/check_extra734
+++ b/checks/check_extra734
@@ -18,7 +18,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket"
 CHECK_ALTERNATE_check734="extra734"

 extra734(){
-  LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
+  LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)
  if [[ $LIST_OF_BUCKETS ]]; then
    for bucket in $LIST_OF_BUCKETS;do

@@ -28,7 +28,7 @@ extra734(){
      # - Have bucket policy denying s3:PutObject when s3:x-amz-server-side-encryption is absent

      # query to get if has encryption enabled or not
-      RESULT=$($AWSCLI s3api get-bucket-encryption $PROFILE_OPT --bucket $bucket --query ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault[].SSEAlgorithm --output text 2>&1)
+      RESULT=$($AWSCLI s3api get-bucket-encryption $PROFILE_OPT --region $REGION --bucket $bucket --query ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault[].SSEAlgorithm --output text 2>&1)
      if [[ $(echo "$RESULT" | grep AccessDenied) ]]; then
        textFail "Access Denied Trying to Get Encryption for $bucket"
        continue
@@ -43,7 +43,7 @@ extra734(){
      TEMP_SSE_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)

      # get bucket policy
-      $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_SSE_POLICY_FILE 2>&1
+      $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --region $REGION --output text --query Policy > $TEMP_SSE_POLICY_FILE 2>&1
      if [[ $(grep AccessDenied $TEMP_SSE_POLICY_FILE) ]]; then
        textFail "Access Denied Trying to Get Bucket Policy for $bucket"
        rm -f $TEMP_SSE_POLICY_FILE
@@ -56,7 +56,7 @@ extra734(){
      fi

      # check if the S3 policy forces SSE s3:x-amz-server-side-encryption:true
-      CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and ((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*") and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)')
+      CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:${AWS_PARTITION}:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and ((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*") and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)')
      if [[ $CHECK_BUCKET_SSE_POLICY_PRESENT == "" ]]; then
        textFail "Bucket $bucket does not enforce encryption!"
        rm -f $TEMP_SSE_POLICY_FILE