From f3664b56ecf96249dc218a53de55019735e571c5 Mon Sep 17 00:00:00 2001
From: Toni de la Fuente
Date: Tue, 14 Apr 2020 22:46:44 +0200
Subject: [PATCH] Open

---
 README.md | 10 ++++++++++
 include/assume_role | 19 ++++++++++++++++---
 prowler | 15 ++++++++++-----
 3 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 3ec882c9..139a93b5 100644
--- a/README.md
+++ b/README.md
@@ -251,6 +251,7 @@ This script has been written in bash using AWS-CLI and it works in Linux and OSX
 (i.e.: ProwlerRole)
 -T session durantion given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
 (i.e.: 43200)
+ -I External ID to be used when assuming roles (no mandatory)
 -h this help
 ```
 
@@ -264,6 +265,10 @@ Prowler uses the AWS CLI underneath so it uses the same authentication methods.
 ./prowler -A 123456789012 -R ProwlerRole
 ```
 
+```
+./prowler -A 123456789012 -R ProwlerRole -I 123456
+```
+
 > *NOTE 1 about Session Duration*: By default it gets credentials valid for 1 hour (3600 seconds). Depending on the mount of checks you run and the size of your infrastructure, Prowler may require more than 1 hour to finish. Use option `-T ` to allow up to 12h (43200 seconds). To allow more than 1h you need to modify *"Maximum CLI/API session duration"* for that particular role, read more [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session).
 > *NOTE 2 about Session Duration*: Bear in mind that if you are using roles assumed by role chaining there is a hard limit of 1 hour so consider not using role chaining if possible, read more about that, in foot note 1 below the table [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html).
@@ -274,6 +279,10 @@ For example, if you want to get only the fails in CSV format from all checks reg
 ./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -b -M cvs -q -g rds
 ```
 
+```
+./prowler -A 123456789012 -R RemoteRoleToAssume -T 3600 -I 123456 -b -M cvs -q -g rds
+```
+
 ### Custom folder for custom checks
 Flag `-x /my/own/checks` will include any check in that particular directory. To see how to write checks see [Add Custom Checks](#add-custom-checks) section.
@@ -552,3 +561,4 @@ NOTE: If you are interested in using Prowler for commercial purposes remember th
 **I'm not related anyhow with CIS organization, I just write and maintain Prowler to help companies over the world to make their cloud infrastructure more secure.**
 If you want to contact me visit
+
diff --git a/include/assume_role b/include/assume_role
index 4fedfb3d..58b21399 100644
--- a/include/assume_role
+++ b/include/assume_role
@@ -25,11 +25,24 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then
 # temporary file where to store credentials
 TEMP_STS_ASSUMED_FILE=$(mktemp -t prowler.sts_assumed-XXXXXX)
+
+ #Check if external ID has bee provided if so execute with external ID if not ignore
+ if [[ -z $ROLE_EXTERNAL_ID ]]; then
+ # assume role command
+ $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
+ --role-session-name ProwlerAssessmentSession \
+ --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE
+ else
+ $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
+ --role-session-name ProwlerAssessmentSession \
+ --duration-seconds $SESSION_DURATION_TO_ASSUME \
+ --external-id $ROLE_EXTERNAL_ID > $TEMP_STS_ASSUMED_FILE
+ fi
 # assume role command
- $AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
- --role-session-name ProwlerAssessmentSession \
- --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE
+ #$AWSCLI $PROFILE_OPT sts assume-role --role-arn arn:aws:iam::$ACCOUNT_TO_ASSUME:role/$ROLE_TO_ASSUME \
+ # --role-session-name ProwlerAssessmentSession \
+ # --duration-seconds $SESSION_DURATION_TO_ASSUME > $TEMP_STS_ASSUMED_FILE
 # if previous command fails exit with the given error from aws-cli
 # this is likely to be due to session duration limit of 1h in case
diff --git a/prowler b/prowler
index 022d1b33..1af355db 100755
--- a/prowler
+++ b/prowler
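Review bot: The two `aws sts assume-role` invocations in the new `if`/`else` differ only by `--external-id`, and the original command is kept beneath them as a commented-out copy under the now-orphaned `# assume role command` comment; build the options in an array, append `--external-id` only when `ROLE_EXTERNAL_ID` is non-empty, and drop the commented-out block (version control already keeps it), which also keeps the `$?`-based error check that follows the hunk tied to a single command. The added lines leave `$ROLE_EXTERNAL_ID` and `$TEMP_STS_ASSUMED_FILE` unquoted; the external ID is operator-supplied argv from `-I`, so quote it like any other expansion. The comment typo `has bee provided` should read `has been provided`. The enclosing `if [[ $ACCOUNT_TO_ASSUME ]]` block starts before the hunk and its error handling continues after it.
```shell
  # assume role command; --external-id is passed only when -I was given
  ASSUME_ROLE_ARGS=(sts assume-role
    --role-arn "arn:aws:iam::${ACCOUNT_TO_ASSUME}:role/${ROLE_TO_ASSUME}"
    --role-session-name ProwlerAssessmentSession
    --duration-seconds "$SESSION_DURATION_TO_ASSUME")
  if [[ -n $ROLE_EXTERNAL_ID ]]; then
    ASSUME_ROLE_ARGS+=(--external-id "$ROLE_EXTERNAL_ID")
  fi
  $AWSCLI $PROFILE_OPT "${ASSUME_ROLE_ARGS[@]}" > "$TEMP_STS_ASSUMED_FILE"
  # … unchanged: error check on the previous command …
```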
@@ -85,13 +85,14 @@ USAGE:
 -R role name to assume in the account, requires -A and -T
 (i.e.: ProwlerRole)
 -T session durantion given to that role credentials in seconds, default 1h (3600) recommended 12h, requires -R and -T
- (i.e.: 43200)
+ (i.e.: 43200)
+ -I External ID to be used when assuming roles (no mandatory), requires -A and -R.
 -h this help
 "
 exit
 }
 
-while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSx:A:R:T:" OPTION; do
+while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSxI:A:R:T:" OPTION; do
 case $OPTION in
 h )
 usage
@@ -163,6 +164,9 @@ while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSx:A:R:T:" OPTION; do
 R )
 ROLE_TO_ASSUME=$OPTARG
 ;;
+ I )
+ ROLE_EXTERNAL_ID=$OPTARG
+ ;;
 T )
 SESSION_DURATION_TO_ASSUME=$OPTARG
 ;;
@@ -457,6 +461,10 @@ if [[ $CHECK_ID ]];then
 exit $EXITCODE
 fi
 
+execute_all
+scoring
+cleanTemp
+
 if [[ $ACCOUNT_TO_ASSUME ]]; then
 # unset env variables with assumed role credentials
 unset AWS_ACCESS_KEY_ID
@@ -465,7 +473,4 @@ if [[ $ACCOUNT_TO_ASSUME ]]; then
 fi
-execute_all
-scoring
-cleanTemp
 exit $EXITCODE
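Review bot: The new optstring `":hlLkqp:r:c:g:f:m:M:E:enbVsSxI:A:R:T:"` drops the colon that followed `x` in the old one, so `-x` no longer takes an argument even though the README hunk on this page still documents `-x /my/own/checks`; `getopts` will now report `-x` with an empty `OPTARG` and leave the path behind as a non-option argument. Restore it while adding the new flag: `while getopts ":hlLkqp:r:c:g:f:m:M:E:enbVsSx:I:A:R:T:" OPTION; do`. In the help text, `(no mandatory)` reads better as `(optional)`, matching the "requires -A and -R" clause that follows it.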
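Review bot: The `execute_all`, `scoring` and `cleanTemp` calls moved into the `@@ -457,6 +461,10 @@` hunk carry no comment on why they now precede the block that unsets `AWS_ACCESS_KEY_ID` and the other assumed-role variables; presumably the checks must run while those credentials are still exported, but a later reader sees only a bare move. Add above `execute_all`: `# run the checks while the assumed-role credentials (if any) are still exported; they are unset below`. The deletion in the last hunk (`@@ -465,7 +473,4 @@`) is the other half of the same move and needs nothing further.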