Container Support AWS #1491

Open
johnkoehn opened this issue Jan 3, 2023 · 10 comments
Labels
enhancement New feature or request

Comments

@johnkoehn

Is your feature request related to a problem? Please describe.

When running scoutsuite for aws, the report shows a containers tab. However no information ever populates it, even in accounts using ECS, EKS and ECR.

Describe the solution you'd like

To have security rules run against those services.

Describe alternatives you've considered

N/A

Additional context

N/A

@johnkoehn johnkoehn added the enhancement New feature or request label Jan 3, 2023
@kedar1704

How can I add ECS, EKS service in this project?

@CaseyLabs

Just ran into this issue as well. We use AWS Fargate, and yet Scout's dashboard for Containers/ECS shows up empty.

Is there a setting we are missing here? cc @fernando-gallego

@liyun-li
Collaborator

Hi folks, I am the guy who added a Kubernetes provider to Scout Suite. Can you let us know which branch you are using? Bug fixes might have already been introduced into the develop branch.

@krupalb

krupalb commented Apr 12, 2023

it's not working from Develop branch either....?

@liyun-li
Collaborator

> it's not working from Develop branch either....?

Can you perhaps share screenshots?

@ashu-pattanayak

@liyun-li

I tried from the develop branch and below is the error.

1
2

@liyun-li
Collaborator

Ah, that's probably because the open source version doesn't have any findings for EKS... Feel free to pull request!

@michaels0184

Has this been updated? I am also unable to pull any information on ECS when using either the 'master' or 'develop' branch.
image

@kedar1704

kedar1704 commented Nov 26, 2023

Hi folks, I am the guy who added AWS Container services to Scout Suite. Please check this repo https://github.com/kedar1704/ScoutSuite.git. Your feedback on the introduced features, code changes, and the overall impact on ScoutSuite's capabilities in AWS environments is highly appreciated. Feel free to reach out with any questions or concerns.

@crahan

crahan commented Jan 12, 2024

I was confused about this initially as well, but support for a number of AWS services is considered proprietary in ScoutSuite, as shown in:

```python
# Try to import proprietary services
try:
    from ScoutSuite.providers.aws.resources.private_cognito.base import Cognito
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.resources.private_docdb.base import DocDB
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.resources.private_ecr.base import ECR
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.resources.private_ecs.base import ECS
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.resources.private_eks.base import EKS
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.resources.private_guardduty.base import GuardDuty
except ImportError:
    pass
try:
    from ScoutSuite.providers.aws.resources.private_ssm.base import SSM
except ImportError:
    pass
```

As a result, support for things like ECS, EKS and ECR (and Cognito, DocDB, GuardDuty, and SSM) isn't included in the Open Source ScoutSuite version and thus no resource information for these services will be retrieved or rules run.

The pull request created by @kedar1704 adds the missing capabilities for the AWS ECS, EKS and ECR services. It would be awesome if someone could review this PR and merge, if possible.
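Because the imports quoted in the comment above fail silently, an empty Containers tab gives no hint that ECS, EKS and ECR were never assessed. The following is an added example, not ScoutSuite code or code from any commenter: it checks which of those optional modules are present in the local install so the coverage gap is visible before relying on a report. The module paths are copied from the quoted block; the function names and the service keys are assumptions made for illustration.

```python
import importlib.util

# Module paths copied from the import block quoted in the comment above.
# The short keys are labels chosen for this example.
PROPRIETARY_SERVICES = {
    "cognito": "ScoutSuite.providers.aws.resources.private_cognito.base",
    "docdb": "ScoutSuite.providers.aws.resources.private_docdb.base",
    "ecr": "ScoutSuite.providers.aws.resources.private_ecr.base",
    "ecs": "ScoutSuite.providers.aws.resources.private_ecs.base",
    "eks": "ScoutSuite.providers.aws.resources.private_eks.base",
    "guardduty": "ScoutSuite.providers.aws.resources.private_guardduty.base",
    "ssm": "ScoutSuite.providers.aws.resources.private_ssm.base",
}


def module_available(dotted_path):
    """Return True if the module can be located (the target itself is not imported)."""
    try:
        return importlib.util.find_spec(dotted_path) is not None
    except (ImportError, ValueError):
        # A missing parent package raises ModuleNotFoundError rather than
        # returning None, so treat that as "not available" too.
        return False


def coverage_gaps(services=PROPRIETARY_SERVICES):
    """Names of services whose resource module is absent from this install."""
    return sorted(n for n, path in services.items() if not module_available(path))


def unassessed_in_use(in_use, services=PROPRIETARY_SERVICES):
    """Services the account uses that this install would silently skip."""
    wanted = {s.lower() for s in in_use}
    return sorted(wanted & set(coverage_gaps(services)))


if __name__ == "__main__":
    # Constructed input: services the audited account is known to use.
    account_services = ["ECS", "EKS", "ECR"]
    skipped = unassessed_in_use(account_services)
    if skipped:
        print("No resource module found for:", ", ".join(skipped))
        print("An empty report section for these services is not a clean result.")
    else:
        print("Resource modules found for all listed services.")
```

Run it with the same Python environment that runs ScoutSuite, since the result depends on what is installed there.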
