From dbb3ed96633875182971d3fcde5c39fbff23f6a4 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente <toni@blyx.com>
Date: Wed, 22 Apr 2020 22:19:21 +0200
Subject: [PATCH] Improved extra734 for GovCloud

---
 checks/check_extra734 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/checks/check_extra734 b/checks/check_extra734
index 02d7f4ec..35930bd0 100644
--- a/checks/check_extra734
+++ b/checks/check_extra734
@@ -18,7 +18,7 @@ CHECK_ASFF_RESOURCE_TYPE_extra734="AwsS3Bucket"
 CHECK_ALTERNATE_check734="extra734"
 
 extra734(){
-  LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --query Buckets[*].Name --output text|xargs -n1)
+  LIST_OF_BUCKETS=$($AWSCLI s3api list-buckets $PROFILE_OPT --region $REGION --query Buckets[*].Name --output text|xargs -n1)
   if [[ $LIST_OF_BUCKETS ]]; then
     for bucket in $LIST_OF_BUCKETS;do
 
@@ -28,7 +28,7 @@ extra734(){
       # - Have bucket policy denying s3:PutObject when s3:x-amz-server-side-encryption is absent
 
       # query to get if has encryption enabled or not
-      RESULT=$($AWSCLI s3api get-bucket-encryption $PROFILE_OPT --bucket $bucket --query ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault[].SSEAlgorithm --output text 2>&1)
+      RESULT=$($AWSCLI s3api get-bucket-encryption $PROFILE_OPT --region $REGION --bucket $bucket --query ServerSideEncryptionConfiguration.Rules[].ApplyServerSideEncryptionByDefault[].SSEAlgorithm --output text 2>&1)
       if [[ $(echo "$RESULT" | grep AccessDenied) ]]; then
         textFail "Access Denied Trying to Get Encryption for $bucket"
         continue
@@ -43,7 +43,7 @@ extra734(){
       TEMP_SSE_POLICY_FILE=$(mktemp -t prowler-${ACCOUNT_NUM}-${bucket}.policy.XXXXXXXXXX)
 
       # get bucket policy
-      $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --output text --query Policy > $TEMP_SSE_POLICY_FILE 2>&1
+      $AWSCLI s3api get-bucket-policy $PROFILE_OPT --bucket $bucket --region $REGION --output text --query Policy > $TEMP_SSE_POLICY_FILE 2>&1
       if [[ $(grep AccessDenied $TEMP_SSE_POLICY_FILE) ]]; then
         textFail "Access Denied Trying to Get Bucket Policy for $bucket"
         rm -f $TEMP_SSE_POLICY_FILE
@@ -56,7 +56,7 @@ extra734(){
       fi
 
       # check if the S3 policy forces SSE s3:x-amz-server-side-encryption:true
-      CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:aws:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and ((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*") and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)')
+      CHECK_BUCKET_SSE_POLICY_PRESENT=$(cat $TEMP_SSE_POLICY_FILE | jq --arg arn "arn:${AWS_PARTITION}:s3:::${bucket}/*" '.Statement[]|select(.Effect=="Deny" and ((.Principal|type == "object") and .Principal.AWS == "*") or ((.Principal|type == "string") and .Principal == "*") and .Action=="s3:PutObject" and .Resource==$arn and .Condition.StringEquals."s3:x-amz-server-side-encryption" != null)')
       if [[ $CHECK_BUCKET_SSE_POLICY_PRESENT == "" ]]; then
         textFail "Bucket $bucket does not enforce encryption!"
         rm -f $TEMP_SSE_POLICY_FILE