Fix(extra7141): Error handling and include missing policy (#1024)

* Fix AccessDenied issue when get document

Add check to validate access denied when get document from SSM.
Add missing action permission to allow ssm:GetDocument.

* Double quote variables to prevent globbing and word splitting

checks/check_extra7141

@@ -24,36 +24,40 @@ CHECK_DOC_extra7141='https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGu
 CHECK_CAF_EPIC_extra7141='IAM'
 
 extra7141(){
-  SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
-  if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
+  SECRETS_TEMP_FOLDER="${PROWLER_DIR}/secrets-${ACCOUNT_NUM}"
+  if [[ ! -d "${SECRETS_TEMP_FOLDER}" ]]; then
     # this folder is deleted once this check is finished
-    mkdir $SECRETS_TEMP_FOLDER
+    mkdir "${SECRETS_TEMP_FOLDER}"
   fi
 
-  for regx in $REGIONS; do
-    SSM_DOCS=$($AWSCLI $PROFILE_OPT --region $regx ssm list-documents --filters Key=Owner,Values=Self --query DocumentIdentifiers[].Name --output text 2>&1)
-    if [[ $(echo "$SSM_DOCS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
-        textInfo "$regx: Access Denied trying to list documents" "$regx"
+  for regx in ${REGIONS}; do
+    SSM_DOCS=$("${AWSCLI}" ${PROFILE_OPT} --region "${regx}" ssm list-documents --filters 'Key=Owner,Values=Self' --query 'DocumentIdentifiers[].Name' --output text 2>&1)
+    if [[ $(echo "${SSM_DOCS}" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+        textInfo "${regx}: Access Denied trying to list documents" "${regx}"
         continue
-    fi  
-    if [[ $SSM_DOCS ]];then
-      for ssmdoc in $SSM_DOCS; do 
-        SSM_DOC_FILE="$SECRETS_TEMP_FOLDER/extra7141-$ssmdoc-$regx-content.txt"
-        $AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE
-        FINDINGS=$(secretsDetector file $SSM_DOC_FILE)
-        if [[ $FINDINGS -eq 0 ]]; then
-          textPass "$regx: No secrets found in SSM Document $ssmdoc" "$regx" "$ssmdoc"
+    fi
+    if [[ ${SSM_DOCS} ]];then
+      for ssmdoc in ${SSM_DOCS}; do 
+        SSM_DOC_FILE="${SECRETS_TEMP_FOLDER}/extra7141-${ssmdoc}-${regx}-content.txt"
+        "${AWSCLI}" ${PROFILE_OPT} --region "${regx}" ssm get-document --name "${ssmdoc}" --output text --document-format JSON > "${SSM_DOC_FILE}" 2>&1
+        if [[ $(grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' "${SSM_DOC_FILE}") ]]; then
+            textInfo "${regx}: Access Denied trying to get document" "${regx}"
+            continue
+        fi
+        FINDINGS=$(secretsDetector file "${SSM_DOC_FILE}")
+        if [[ "${FINDINGS}" -eq 0 ]]; then
+          textPass "${regx}: No secrets found in SSM Document ${ssmdoc}" "${regx}" "${ssmdoc}"
           # delete file if nothing interesting is there
-          rm -f $SSM_DOC_FILE
+          rm -f "${SSM_DOC_FILE}"
         else
-          textFail "$regx: Potential secret found SSM Document $ssmdoc" "$regx" "$ssmdoc"
+          textFail "${regx}: Potential secret found SSM Document ${ssmdoc}" "${regx}" "${ssmdoc}"
           # delete file to not leave trace, user must look at the CFN Stack
-          rm -f $SSM_DOC_FILE
+          rm -f "${SSM_DOC_FILE}"
         fi
       done
     else
-      textInfo "$regx: No SSM Document found." "$regx"
+      textInfo "${regx}: No SSM Document found." "${regx}"
     fi
   done
-  rm -rf $SECRETS_TEMP_FOLDER
+  rm -rf "${SECRETS_TEMP_FOLDER}"
 }

iam/create_role_to_assume_cfn.yaml

@@ -58,14 +58,15 @@ Resources:
                 - 'ds:ListAuthorizedApplications'
                 - 'ec2:GetEbsEncryptionByDefault'
                 - 'ecr:Describe*'
-                - 'support:Describe*'
-                - 'tag:GetTagKeys'
-                - 'lambda:GetFunction'
+                - 'elasticfilesystem:DescribeBackupPolicy'
                 - 'glue:GetConnections'
                 - 'glue:GetSecurityConfiguration'
                 - 'glue:SearchTables'
+                - 'lambda:GetFunction'
                 - 's3:GetAccountPublicAccessBlock'
-                - 'shield:GetSubscriptionState'
                 - 'shield:DescribeProtection'
-                - 'elasticfilesystem:DescribeBackupPolicy'
+                - 'shield:GetSubscriptionState'
+                - 'ssm:GetDocument'
+                - 'support:Describe*'
+                - 'tag:GetTagKeys'
               Resource: '*'

iam/prowler-additions-policy.json

@@ -6,16 +6,17 @@
                 "ds:ListAuthorizedApplications",
                 "ec2:GetEbsEncryptionByDefault",
                 "ecr:Describe*",
-                "support:Describe*",
-                "tag:GetTagKeys",
-                "lambda:GetFunction",
+                "elasticfilesystem:DescribeBackupPolicy",
                 "glue:GetConnections",
                 "glue:GetSecurityConfiguration",
                 "glue:SearchTables",
+                "lambda:GetFunction",
                 "s3:GetAccountPublicAccessBlock",
-                "shield:GetSubscriptionState",
                 "shield:DescribeProtection",
-                "elasticfilesystem:DescribeBackupPolicy"
+                "shield:GetSubscriptionState",
+                "ssm:GetDocument",
+                "support:Describe*",
+                "tag:GetTagKeys"
             ],
             "Resource": "*",
             "Effect": "Allow",

util/codebuild/codebuild-prowler-audit-account-cfn.yaml

@@ -141,7 +141,7 @@ Resources:
           - id: W28
             reason: "Explicit name is required for this resource to avoid circular dependencies."
     Properties:
-      RoleName: !Sub 'prowler-codebuild-role'
+      RoleName: 'prowler-codebuild-role'
       Path: '/service-role/'
       ManagedPolicyArns:
         - 'arn:aws:iam::aws:policy/job-function/SupportUser'
@@ -187,16 +187,17 @@ Resources:
                   - ds:ListAuthorizedApplications
                   - ec2:GetEbsEncryptionByDefault
                   - ecr:Describe*
-                  - support:Describe*
-                  - tag:GetTagKeys
-                  - lambda:GetFunction
+                  - elasticfilesystem:DescribeBackupPolicy
                   - glue:GetConnections
                   - glue:GetSecurityConfiguration
                   - glue:SearchTables
+                  - lambda:GetFunction
                   - s3:GetAccountPublicAccessBlock
-                  - shield:GetSubscriptionState
                   - shield:DescribeProtection
-                  - elasticfilesystem:DescribeBackupPolicy
+                  - shield:GetSubscriptionState
+                  - ssm:GetDocument
+                  - support:Describe*
+                  - tag:GetTagKeys
                 Effect: Allow
                 Resource: '*'
         - PolicyName: CodeBuild

util/terraform-kickstarter/main.tf

@@ -314,16 +314,17 @@ resource "aws_iam_policy" "prowler_kickstarter_iam_policy" {
                   "ds:ListAuthorizedApplications",
                   "ec2:GetEbsEncryptionByDefault",
                   "ecr:Describe*",
-                  "support:Describe*",
-                  "tag:GetTagKeys",
-                  "lambda:GetFunction",
+                  "elasticfilesystem:DescribeBackupPolicy",
                   "glue:GetConnections",
                   "glue:GetSecurityConfiguration",
                   "glue:SearchTables",
+                  "lambda:GetFunction",
                   "s3:GetAccountPublicAccessBlock",
-                  "shield:GetSubscriptionState",
                   "shield:DescribeProtection",
-                  "elasticfilesystem:DescribeBackupPolicy"
+                  "shield:GetSubscriptionState",
+                  "ssm:GetDocument",
+                  "support:Describe*",
+                  "tag:GetTagKeys"
                   ]
         Effect   = "Allow"
         Resource = "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog"