ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(extra7147): Handle unsupported AWS regions for Glacier (#1101)

Browse Source
This commit is contained in:
Pepe Fagoaga
2022-04-11 16:10:23 +02:00
committed by GitHub
parent 819b52687c
commit fc7c932169
1 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
checks/check_extra7147
View File

@@ -25,27 +25,32 @@ CHECK_CAF_EPIC_extra7147='Data Protection'
extra7147(){ extra7147(){
for regx in $REGIONS; do for regx in $REGIONS; do
LIST_OF_VAULTS=$($AWSCLI glacier list-vaults $PROFILE_OPT --region $regx --account-id $ACCOUNT_NUM --query VaultList[*].VaultName --output text 2>&1|xargs -n1) LIST_OF_VAULTS=$($AWSCLI glacier list-vaults ${PROFILE_OPT} --region "${regx}" --account-id "${ACCOUNT_NUM}" --query VaultList[*].VaultName --output text 2>&1|xargs -n1)
if [[ $(echo "$LIST_OF_VAULTS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "$LIST_OF_VAULTS"; then
textInfo "$regx: Access Denied trying to list vaults" "$regx" textInfo "$regx: Access Denied trying to list vaults" "${regx}"
continue
fi
# Check for unsupported regions
if grep -q -E 'error' <<< "${LIST_OF_VAULTS}"; then
textInfo "$regx: An error occurred when calling the ListVaults operation - check if this region is supported" "${regx}"
continue continue
fi fi
if [[ $LIST_OF_VAULTS ]]; then if [[ $LIST_OF_VAULTS ]]; then
for vault in $LIST_OF_VAULTS;do for vault in $LIST_OF_VAULTS;do
VAULT_POLICY_STATEMENTS=$($AWSCLI glacier $PROFILE_OPT get-vault-access-policy --region $regx --account-id $ACCOUNT_NUM --vault-name $vault --output json --query policy.Policy 2>&1) VAULT_POLICY_STATEMENTS=$($AWSCLI glacier ${PROFILE_OPT} get-vault-access-policy --region "${regx}" --account-id "${ACCOUNT_NUM}" --vault-name "${vault}" --output json --query policy.Policy 2>&1)
if [[ $VAULT_POLICY_STATEMENTS == *GetVaultAccessPolicy* ]]; then if [[ $VAULT_POLICY_STATEMENTS == *GetVaultAccessPolicy* ]]; then
textInfo "$regx: Vault $vault doesn't have any policy" "$regx" "$vault" textInfo "${regx}: Vault $vault doesn't have any policy" "${regx}" "$vault"
else else
VAULT_POLICY_BAD_STATEMENTS=$(echo $VAULT_POLICY_STATEMENTS | jq '. | fromjson' | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")') VAULT_POLICY_BAD_STATEMENTS=$(jq '. | fromjson' <<< "${VAULT_POLICY_STATEMENTS}" | jq '.Statement[] | select(.Effect=="Allow") | select(.Principal=="*" or .Principal.AWS=="*" or .Principal.CanonicalUser=="*")')
if [[ $VAULT_POLICY_BAD_STATEMENTS != "" ]]; then if [[ $VAULT_POLICY_BAD_STATEMENTS != "" ]]; then
textFail "$regx: Vault $vault has policy which allows access to everyone" "$regx" "$vault" textFail "${regx}: Vault $vault has policy which allows access to everyone" "${regx}" "$vault"
else else
textPass "$regx: Vault $vault has policy which does not allow access to everyone" "$regx" "$vault" textPass "${regx}: Vault $vault has policy which does not allow access to everyone" "${regx}" "$vault"
fi fi
fi fi
done done
else else
textInfo "$regx: No Glacier vaults found" "$regx" textInfo "${regx}: No Glacier vaults found" "${regx}"
fi fi
done done
} }