* Add support for organizations accounts metadata part 1 * Add support for organizations accounts metadata part 2 * Add gathering account metadata from org * chore(prowler): get accounts metadata Use assume_role backing up normal assumed credentials to assume management account and then restore it to old ones * fix(orgs metadata): deleted assume_role_orgs * refactor(organization_metadata) Reformulate to extract AWS Organizations metadata * doc(org_metadata): include required -R in usage * docs(org-metadata): Update README Co-authored-by: n4ch04 <nachor1992@gmail.com> Co-authored-by: Pepe Fagoaga <pepe@verica.io>
#!/usr/bin/env bash
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
# use this file except in compliance with the License. You may obtain a copy
# of the License at http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.
# Gets the AWS Organizations details of the account identified by ACCOUNT_ID.
# Prowler requires organizations:ListAccounts* and organizations:ListTagsForResource
# in the management account in order to get that data. The SecurityAudit managed policy includes them.
# Account tags are returned as JSON (which contains commas), so they are converted to Base64
# to avoid breaking the CSV or JSON output. A post-processor is needed to decode them.
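get_orgs_account_details(){
  #######################################
  # Gathers AWS Organizations metadata (email, name, ARN, organization id and
  # tags) for the audited account by querying the management account.
  # Globals (read):    AWSCLI, PROFILE_OPT, REGION, ACCOUNT_NUM, MANAGEMENT_ACCOUNT_ID
  # Globals (written): ACCOUNTS_DETAILS, ACCOUNT_DETAILS_EMAIL, ACCOUNT_DETAILS_NAME,
  #                    ACCOUNT_DETAILS_ARN, ACCOUNT_DETAILS_ORG, ACCOUNT_DETAILS_TAGS
  # Outputs:           progress line on stdout; CLI errors stay on stderr
  # Exits:             1 when listing the organization accounts is denied
  #######################################
  echo " Prowler is getting details from the AWS Organizations Management Account: ${MANAGEMENT_ACCOUNT_ID}..."

  # Switch the active credentials to the management account role.
  # NOTE(review): assume_role replaces the session credentials; restoring the
  # previous ones is expected to happen elsewhere — confirm with the caller.
  assume_role

  # Requires organizations:ListAccounts. stderr is captured on purpose so an
  # authorization error can be detected below.
  # shellcheck disable=SC2086  # AWSCLI/PROFILE_OPT are intentionally word-split (PROFILE_OPT may be empty)
  ACCOUNTS_DETAILS=$($AWSCLI $PROFILE_OPT --region "${REGION}" organizations list-accounts --output json 2>&1)
  if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "${ACCOUNTS_DETAILS}"; then
    # Without ListAccounts there is no metadata to gather: abort the whole run
    # so the missing permission is not silently turned into empty columns.
    textInfo "Access Denied trying to list AWS Organization accounts. Prowler requires organizations:List*"
    exit 1
  fi

  # Only ACTIVE accounts are considered; the selection is written once and
  # shared by every field instead of being repeated per jq call.
  local account_filter='.Accounts[] | select(.Status == "ACTIVE") | select(.Id == $ACCOUNT_ID)'
  ACCOUNT_DETAILS_EMAIL=$(jq -r --arg ACCOUNT_ID "${ACCOUNT_NUM}" "${account_filter}"' | .Email' <<< "${ACCOUNTS_DETAILS}")
  ACCOUNT_DETAILS_NAME=$(jq -r --arg ACCOUNT_ID "${ACCOUNT_NUM}" "${account_filter}"' | .Name' <<< "${ACCOUNTS_DETAILS}")
  ACCOUNT_DETAILS_ARN=$(jq -r --arg ACCOUNT_ID "${ACCOUNT_NUM}" "${account_filter}"' | .Arn' <<< "${ACCOUNTS_DETAILS}")
  # The organization id is the second '/'-separated field of the account ARN
  # (...:account/<org-id>/<account-id>); reuse the ARN already fetched
  # instead of parsing the account list a fourth time.
  ACCOUNT_DETAILS_ORG=$(awk -F/ '{ print $2 }' <<< "${ACCOUNT_DETAILS_ARN}")

  # Requires organizations:ListTagsForResource. Tags are looked up for the
  # audited account (ACCOUNT_NUM), the same key every field above is selected
  # by, and Base64-encoded so the JSON does not break the CSV/JSON outputs.
  # Only a successful call is encoded; on failure the field stays empty and
  # the CLI error remains visible on stderr.
  local tags_json
  # shellcheck disable=SC2086  # AWSCLI/PROFILE_OPT are intentionally word-split (PROFILE_OPT may be empty)
  if tags_json=$($AWSCLI $PROFILE_OPT --region "${REGION}" organizations list-tags-for-resource --resource-id "${ACCOUNT_NUM}" --output json); then
    ACCOUNT_DETAILS_TAGS=$(jq -c '. | @base64' <<< "${tags_json}")
  else
    ACCOUNT_DETAILS_TAGS=""
  fi
}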