From f33342aef96825b844d59bd176fa757b2e45b5e5 Mon Sep 17 00:00:00 2001 From: bella-kwon Date: Mon, 30 Aug 2021 10:59:33 +0900 Subject: [PATCH] Prowler execution script added
--- .../src/run-prowler-reports.sh | 119 ++++++++++++++++++ .../src/run-prowler-reports.sh.zip | Bin 0 -> 1740 bytes 2 files changed, 119 insertions(+) create mode 100644 util/org-multi-account/serverless_codebuild/src/run-prowler-reports.sh create mode 100644 util/org-multi-account/serverless_codebuild/src/run-prowler-reports.sh.zip
diff --git a/util/org-multi-account/serverless_codebuild/src/run-prowler-reports.sh b/util/org-multi-account/serverless_codebuild/src/run-prowler-reports.sh new file mode 100644
index 00000000..2b7350cc
--- /dev/null
+++ b/util/org-multi-account/serverless_codebuild/src/run-prowler-reports.sh
@@ -0,0 +1,119 @@
+#!/bin/bash -e
+#
+# Run Prowler against All AWS Accounts in an AWS Organization
+
+# Change Directory (rest of the script, assumes your in the ec2-user home directory)
+# cd /home/ec2-user || exit
+
+# Show Prowler Version, and Download Prowler, if it doesn't already exist
+if ! ./prowler/prowler -V 2>/dev/null; then
+ git clone https://github.com/toniblyx/prowler.git
+ ./prowler/prowler -V
+fi
+
+# Source .awsvariables (to read in Environment Variables from CloudFormation Data)
+# shellcheck disable=SC1091
+# source .awsvariables
+
+# Get Values from Environment Variables Created on EC2 Instance from CloudFormation Data
+echo "S3: $S3"
+echo "S3ACCOUNT: $S3ACCOUNT"
+echo "ROLE: $ROLE"
+echo "FORMAT: $FORMAT"
+
+# CleanUp Last Ran Prowler Reports, as they are already stored in S3.
+rm -rf prowler/output/*.html
+
+# Function to unset AWS Profile Variables
+unset_aws() {
+ unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+unset_aws
+
+# Find THIS Account AWS Number
+CALLER_ARN=$(aws sts get-caller-identity --output text --query "Arn")
+PARTITION=$(echo "$CALLER_ARN" | cut -d: -f2)
+THISACCOUNT=$(echo "$CALLER_ARN" | cut -d: -f5)
+echo "THISACCOUNT: $THISACCOUNT"
+echo "PARTITION: $PARTITION"
+
+# Function to Assume Role to THIS Account & Create Session
+this_account_session() {
+ unset_aws
+ role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$THISACCOUNT":role/"$ROLE" --role-session-name ProwlerRun --output json)
+ AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
+ AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
+ AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
+ echo "this_account_session done..."
+ export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Find AWS Master Account
+this_account_session
+AWSMASTER=$(aws organizations describe-organization --query Organization.MasterAccountId --output text)
+echo "AWSMASTER: $AWSMASTER"
+
+# Function to Assume Role to Master Account & Create Session
+master_account_session() {
+ unset_aws
+ role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$AWSMASTER":role/"$ROLE" --role-session-name ProwlerRun --output json)
+ AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
+ AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
+ AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
+ echo "master_account_session done..."
+ export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Lookup All Accounts in AWS Organization
+master_account_session
+ACCOUNTS_IN_ORGS=$(aws organizations list-accounts --query Accounts[*].Id --output text)
+
+# Function to Assume Role to S3 Account & Create Session
+s3_account_session() {
+ unset_aws
+ role_credentials=$(aws sts assume-role --role-arn arn:"$PARTITION":iam::"$S3ACCOUNT":role/"$ROLE" --role-session-name ProwlerRun --output json)
+ AWS_ACCESS_KEY_ID=$(echo "$role_credentials" | jq -r .Credentials.AccessKeyId)
+ AWS_SECRET_ACCESS_KEY=$(echo "$role_credentials" | jq -r .Credentials.SecretAccessKey)
+ AWS_SESSION_TOKEN=$(echo "$role_credentials" | jq -r .Credentials.SessionToken)
+ echo "s3_account_session done..."
+ export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
+}
+
+# Run Prowler against Accounts in AWS Organization
+echo "AWS Accounts in Organization"
+echo "$ACCOUNTS_IN_ORGS"
+PARALLEL_ACCOUNTS="1"
+for accountId in $ACCOUNTS_IN_ORGS; do
+ # shellcheck disable=SC2015
+ test "$(jobs | wc -l)" -ge $PARALLEL_ACCOUNTS && wait || true
+ {
+ START_TIME=$SECONDS
+ # Unset AWS Profile Variables
+ unset_aws
+ # Run Prowler
+ echo -e "Assessing AWS Account: $accountId, using Role: $ROLE on $(date)"
+ # remove -g cislevel for a full report and add other formats if needed
+ ./prowler/prowler -R "$ROLE" -A "$accountId" -g cislevel1 -M $FORMAT
+ echo "Report stored locally at: prowler/output/ directory"
+ TOTAL_SEC=$((SECONDS - START_TIME))
+ echo -e "Completed AWS Account: $accountId, using Role: $ROLE on $(date)"
+ printf "Completed AWS Account: $accountId in %02dh:%02dm:%02ds" $((TOTAL_SEC / 3600)) $((TOTAL_SEC % 3600 / 60)) $((TOTAL_SEC % 60))
+ echo ""
+ } &
+done
+
+# Wait for All Prowler Processes to finish
+wait
+echo "Prowler Assessments Completed against All Accounts in the AWS Organization. Starting S3 copy operations..."
+
+# Upload Prowler Report to S3
+s3_account_session
+aws s3 cp prowler/output/ "$S3/reports/" --recursive --include "*.html" --acl bucket-owner-full-control
+echo "Assessment reports successfully copied to S3 bucket"
+
+# Final Wait for All Prowler Processes to finish
+wait
+echo "Prowler Assessments Completed"
+
+# Unset AWS Profile Variables
+unset_aws
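Review bot: The bootstrap at the top of the hunk, `git clone https://github.com/toniblyx/prowler.git`, fetches whatever is currently on the upstream default branch and the script then executes it with credentials that can assume `$ROLE` in the management account, the S3 account and every account returned by `list-accounts`, so an upstream compromise or an unreviewed upstream change becomes org-wide code execution from this CodeBuild job; pin the checkout to a reviewed release and fail if it does not match, e.g. `git clone --depth 1 --branch "$PROWLER_VERSION" https://github.com/toniblyx/prowler.git` followed by `[ "$(git -C prowler rev-parse HEAD)" = "$PROWLER_COMMIT" ] || exit 1`, with both values set next to `S3`/`ROLE`/`FORMAT`. In the per-account loop the assessments are backgrounded and reaped with a bare `wait`, which always returns 0 regardless of job status, so a failed or partial Prowler run on any account is never surfaced and the "Completed" messages and the S3 upload proceed as if everything succeeded; record each job's PID (`pids+=($!)`) and reap with `wait "$pid" || failed=1`, then exit non-zero after the upload when `failed` is set. The upload line `aws s3 cp prowler/output/ "$S3/reports/" --recursive --include "*.html"` is not limited to HTML either: the AWS CLI includes all files by default and `--include` only re-includes what a prior `--exclude` removed, so it should read `--exclude "*" --include "*.html"` if the intent matches the `rm -rf prowler/output/*.html` cleanup above. Lastly, the `-e` in `#!/bin/bash -e` is lost if the buildspec runs the file as `bash run-prowler-reports.sh`; a `set -euo pipefail` line after the shebang keeps the fail-fast behaviour and also catches a failing `aws`/`jq` stage inside the `$(... | jq ...)` pipelines.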
diff --git a/util/org-multi-account/serverless_codebuild/src/run-prowler-reports.sh.zip b/util/org-multi-account/serverless_codebuild/src/run-prowler-reports.sh.zip new file mode 100644 index 0000000000000000000000000000000000000000..e73fdaba5289bdd606af69bc384ba9d5a53e3de0 GIT binary patch literal 1740 zcmbW2eLT~P9>;%}q2Vmc9M5GfgiMJ!9y=~I^PI;kJDy_1wzk+1&9FQq46!oo=4rRW z35yldR3}Vxk%!J$9!lq?=rA3TTlaO(>)yZb=kxl$zTfZb`}%zUefwe+K>GmYua5B7 zJ`MawE-(Oq1N#ATGQomGCQ=j6k}b$*NksAm$`J}aFhC7Z%DIk={Iim25I_#}Ne%$M z{sMrNkR+mx9rR0YUzC7r*DOfHjeDG|D1&kx1LQTaf8}@^$E2twwoi@An54-sn>W^a z+dy07$x0v5WoYa>_S&)EuQ=MJNqwSU`LJ>HryRr^Wp^Gu*rNs3LKlUacVwloTt0gN zE2wfFN+(LrGi20P#LnA|J#_6+{|ZMDMp3W)d7fLEppg7{lu?}(N)mGmf?r#q?u;QP z+e&#x(e(?j*p&(Ef)cE{Uu0dDyHNQeYisHH=7+4g$4mz>r27aWQ&jQflsG$2>fhpK z6dHgxbalv{ayi%y@B2O?f8Kni1ev5a?nrO!8+-w;mG&^(=eG0awv4=3ar^#G0xrGA zn|jtu+fcC$VZFsHw;z(22Op!6ogn5$DGR;3K(uwF$%EN zF!A`2XGVxdK4w7_T8A``AuGk07#+vTgm{=->?a=# z^`U<58l!CEpoOQQY^J|XwHV+e+sBE8M8g_)g9s&#xZSgZ2~!b8`DD#}8xd4F{3`JDKxBCvy{{ekZ@<5pkZFGsK? 
zd<}vyb;6)1J^Bhz6tg_ZXNJ?hJ3v_f8=ThO&UF2Gk-fdWWnAP?TM=%<>ny1IB~|;R z-_eGLJ+&zY*|Y1$5r|F3X*@|IiUTE>k7|ar zA9^#o2UOzZ(AakV@F>}=lpn=Uiv|A1Msb*P0 zJY;)^uJYyHhc-TUdfMYgo|+*2nQagL9Jy6zw|$zvpmSQM^?FPB`Y!4mS9?ge22rx& zTz)EXmtlLu%QlR9QeS#&DwuQ?pOUK&{_KGZRf0V0PYzy*_*H+Y)5t8inVC0+v|GXj zp3!Jalh_=K>u$w$3{5jmHr!(%8l)7xX~!Wa?6sg>Vd~wYU1Myo8dlx-WBO{n<&u|R zaJH=C-r}t5N77%sXAQD3M3nYb97su}TpB$Rox8z6=iYZV+?n{bX|O3DT79V+w6%R1 z7V-JW7KToArSBZfES`5phh`Kgo>iC&4GQ;n$Vu2_zxs!6QBBAWhASZXgvT8krKU#K zb@p(cuP)2PhHQfoZ|~ZW9&Y!@or$?Yo_p8i0UAc(7PP5vriOxcVjdUft0>vt^e0%v zSaWM5t^_)1Z?*`ujt@}KU8)|Ey=N}X+lAkrL5A^L}B7Xma|Rl(sVAcT(a<|sz=_2We&mG&_Y#X_wku|ZdSP)8uhB0d#YGi z+L#qUG8Z>nQzKmTPGHt-zJ$6j2Zh%#sDY}E_nVU2O`EFXG%&;rz2w!7%|`ahc#q>O z4NchO{Zg8=;b1EbJo*CvF8gKaP~f9@r)>{X@L_nYOcBhxW>{10RtVq0&CE@KQLjG& zQsEzCWo7Qs!CPVvzdzRL1u>iAVa8|RsrrVpkxch+;viabPEoj4CeXS%NXs6M+WXI3 zS5*`D%8Q{vOzSfXp5X@MH-?s)@5gpA@9*Uw0x?Zp@$+t)gA?Gzf?MxwIxJLOAK(Ia z_p+Y%OiNOvdnoTjIZuMpHGiBeuC3^ht#E|GfVWk@%@w*;)$e`ntXqf?Jpwhx)3Onb zXCT$6d>GCox4$O*LYGE%wfV9`XHPAhxa?`gU`YnpR<@Ut+ZSKntd)}?5f6U1^u;PE zr*O6W-YWvYH*WZ1<>dD%{Ff>Jd;7+eKUJUgZTkNR