ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(IllegalLocationConstraintException): Recover bucket policy using the right region endpoint (#1155)

Browse Source
This commit is contained in:
Pepe Fagoaga
2022-05-23 09:37:46 +02:00
committed by GitHub
parent f4bae78730
commit e2c7bc2d6d
1 changed files with 31 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
checks/check_extra771
View File

@@ -24,35 +24,45 @@ CHECK_DOC_extra771='https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_p
CHECK_CAF_EPIC_extra771='IAM' CHECK_CAF_EPIC_extra771='IAM'
extra771(){ extra771(){
LIST_OF_BUCKETS=$("${AWSCLI}" s3api list-buckets $PROFILE_OPT --region "${REGION}" --query "sort_by(Buckets, &Name)[].Name" --output text 2>&1) LIST_OF_BUCKETS=$("${AWSCLI}" s3api list-buckets ${PROFILE_OPT} --region "${REGION}" --query "sort_by(Buckets, &Name)[].Name" --output text 2>&1)
if [[ $(echo "${LIST_OF_BUCKETS}" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${LIST_OF_BUCKETS}"; then
textInfo "${REGION}: Access Denied trying to list buckets" "${REGION}" textInfo "${REGION}: Access Denied trying to list buckets" "${REGION}"
return return
fi fi
if [[ "${LIST_OF_BUCKETS}" ]]; then if [[ "${LIST_OF_BUCKETS}" ]]; then
for bucket in ${LIST_OF_BUCKETS};do for bucket in ${LIST_OF_BUCKETS};do
BUCKET_POLICY_STATEMENTS=$("${AWSCLI}" s3api $PROFILE_OPT get-bucket-policy --region "${REGION}" --bucket "${bucket}" --output json --query Policy 2>&1) # Recover Bucket region
if [[ $(echo "${BUCKET_POLICY_STATEMENTS}" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then BUCKET_REGION=$("${AWSCLI}" ${PROFILE_OPT} s3api get-bucket-location --bucket "${bucket}" --query LocationConstraint --output text)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${BUCKET_POLICY_STATEMENTS}"; then
textInfo "${REGION}: Access Denied trying to get bucket policy for ${bucket}" "${REGION}"
fi
# If None use default region
if [[ "${BUCKET_REGION}" == "None" ]]; then
BUCKET_REGION="${REGION}"
fi
# Recover Bucket policy statements
BUCKET_POLICY_STATEMENTS=$("${AWSCLI}" s3api ${PROFILE_OPT} get-bucket-policy --region "${BUCKET_REGION}" --bucket "${bucket}" --output json --query Policy 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${BUCKET_POLICY_STATEMENTS}"; then
textInfo "${REGION}: Access Denied trying to get bucket policy for ${bucket}" "${REGION}" textInfo "${REGION}: Access Denied trying to get bucket policy for ${bucket}" "${REGION}"
continue continue
fi fi
if [[ $(echo "${BUCKET_POLICY_STATEMENTS}" | grep 'NoSuchBucketPolicy') ]]; then if grep -q -E 'NoSuchBucketPolicy'<<< "${BUCKET_POLICY_STATEMENTS}"; then
textInfo "$REGION: Bucket policy does not exist for bucket $bucket" "$REGION" textInfo "${REGION}: Bucket policy does not exist for bucket ${bucket}" "${REGION}"
else else
BUCKET_POLICY_BAD_STATEMENTS=$(echo "${BUCKET_POLICY_STATEMENTS}" | jq --compact-output --arg arn "arn:${AWS_PARTITION}:s3:::$bucket" 'fromjson | .Statement[]|select( BUCKET_POLICY_BAD_STATEMENTS=$(jq --compact-output --arg arn "arn:${AWS_PARTITION}:s3:::$bucket" 'fromjson | .Statement[]|select(
.Effect=="Allow" and .Effect=="Allow" and
( (
( (.Principal|type == "object") and (.Principal.AWS == "*") ) or ( (.Principal|type == "object") and (.Principal.AWS == "*") ) or
( (.Principal|type == "string") and (.Principal == "*") ) ( (.Principal|type == "string") and (.Principal == "*") )
) and ) and
( (
( (.Action|type == "string") and (.Action|startswith("s3:Put")) ) or ( (.Action|type == "string") and (.Action|startswith("s3:Put")) ) or
( (.Action|type == "string") and (.Action|startswith("s3:*")) ) or ( (.Action|type == "string") and (.Action|startswith("s3:*")) ) or
( (.Action|type == "array") and (.Action[]|startswith("s3:Put")) ) or ( (.Action|type == "array") and (.Action[]|startswith("s3:Put")) ) or
( (.Action|type == "array") and (.Action[]|startswith("s3:*")) ) ( (.Action|type == "array") and (.Action[]|startswith("s3:*")) )
) and ) and
.Condition == null .Condition == null
)' | tr '\n' ' ') )' <<< "${BUCKET_POLICY_STATEMENTS}" | tr '\n' ' ')
# Make sure JSON comma characted will not break CSV output. Replace "," by word "[comma]" # Make sure JSON comma characted will not break CSV output. Replace "," by word "[comma]"
BUCKET_POLICY_BAD_STATEMENTS="${BUCKET_POLICY_BAD_STATEMENTS//,/[comma]}" BUCKET_POLICY_BAD_STATEMENTS="${BUCKET_POLICY_BAD_STATEMENTS//,/[comma]}"
if [[ "${BUCKET_POLICY_BAD_STATEMENTS}" != "" ]]; then if [[ "${BUCKET_POLICY_BAD_STATEMENTS}" != "" ]]; then
@@ -63,6 +73,6 @@ extra771(){
fi fi
done done
else else
textInfo "${REGION}: No S3 Buckets found" textInfo "${REGION}: No S3 Buckets found" "${REGION}"
fi fi
} }