Fix(extra7141): Error handling and include missing policy #1024
Conversation
Add check to validate access denied when getting a document from SSM. Add missing action permission to allow ssm:GetDocument.
$ ./prowler -p default -f sa-east-1 -c extra7141
[prowler ASCII banner] v2.7.0-24January2022 the handy cloud security tool
Date: Wed Feb 2 22:05:13 -03 2022
Color code for results:
- INFO (Information)
- PASS (Recommended value)
- WARNING (Ignored by whitelist)
- FAIL (Fix required)
This report is being generated using credentials below:
AWS-CLI Profile: [default] AWS API Region: [sa-east-1] AWS Filter Region: [sa-east-1]
AWS Account: [xxxx5262] UserId: [AROAxxxx:xxxxxx]
Caller Identity ARN: [arn:aws:sts::xxxx5262:assumed-role/xxxxx/xxxxxx]
7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
INFO! sa-east-1: Access Denied trying to get document
$ ./prowler -p default -f sa-east-1 -c extra7141
[prowler ASCII banner] v2.7.0-24January2022 the handy cloud security tool
Date: Wed Feb 2 22:05:46 -03 2022
Color code for results:
- INFO (Information)
- PASS (Recommended value)
- WARNING (Ignored by whitelist)
- FAIL (Fix required)
This report is being generated using credentials below:
AWS-CLI Profile: [default] AWS API Region: [sa-east-1] AWS Filter Region: [sa-east-1]
AWS Account: [xxxx5262] UserId: [AROAxxxx:xxxxx]
Caller Identity ARN: [arn:aws:sts::xxxx5262:assumed-role/xxxx/xxxxx]
7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
PASS! sa-east-1: No secrets found in SSM Document test-prowler-leo
I couldn't make it FAIL. How does it check for secrets? My test document is the one below:

{
  "schemaVersion": "2.2",
  "description": "Command Document Example JSON Template",
  "parameters": {
    "Message": {
      "type": "String",
      "description": "Example",
      "default": "Hello World"
    },
    "dbpass": {
      "type": "String",
      "description": "Example",
      "default": "temp123"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runPowerShellScript",
      "name": "example",
      "inputs": {
        "runCommand": [
          "Write-Output {{Message}}"
        ]
      }
    }
  ]
}
This PR needs to be updated since we already added some new actions.
LGTM
Thanks @lazize, please check above comments in order to merge this PR.
checks/check_extra7141
Outdated
if [[ $SSM_DOCS ]];then | ||
for ssmdoc in $SSM_DOCS; do | ||
SSM_DOC_FILE="$SECRETS_TEMP_FOLDER/extra7141-$ssmdoc-$regx-content.txt" | ||
$AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE | ||
$AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE 2>&1 |
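Review bot: with `2>&1` the captured file now doubles as the error channel, so every later consumer of `$SSM_DOC_FILE` may be reading an API error message instead of a document; test the command's exit status directly (`if ! $AWSCLI ... > "$SSM_DOC_FILE" 2>&1; then`) rather than relying on the file contents, and quote `$SSM_DOC_FILE` and `$ssmdoc` so a document name containing spaces or glob characters does not split the redirection target.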
$AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE 2>&1 | |
"${AWSCLI}" $PROFILE_OPT --region "${regx}" ssm get-document --name "${ssmdoc}" --output text --document-format JSON > "${SSM_DOC_FILE}" 2>&1 |
checks/check_extra7141
Outdated
if [[ $SSM_DOCS ]];then | ||
for ssmdoc in $SSM_DOCS; do | ||
SSM_DOC_FILE="$SECRETS_TEMP_FOLDER/extra7141-$ssmdoc-$regx-content.txt" | ||
$AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE | ||
$AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE 2>&1 | ||
if [[ $(grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' "$SSM_DOC_FILE") ]]; then |
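Review bot: matching `AccessDenied|UnauthorizedOperation|AuthorizationError` against the captured content cuts both ways: a document whose body legitimately contains one of those strings is reported as inaccessible and never scanned, while any other API failure (throttling, a document deleted between list and get) passes the test and is scanned as if it were a document. Branch on the exit status of the `get-document` call first and only then inspect the message; `grep -qE '...' "$SSM_DOC_FILE"` is also the idiomatic form and avoids the command substitution inside `[[ ]]`.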
if [[ $(grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' "$SSM_DOC_FILE") ]]; then | |
if [[ $(grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' "${SSM_DOC_FILE}") ]]; then |
checks/check_extra7141
Outdated
$AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE | ||
$AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE 2>&1 | ||
if [[ $(grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' "$SSM_DOC_FILE") ]]; then | ||
textInfo "$regx: Access Denied trying to get document" "$regx" |
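Review bot: the INFO line does not name the document, so in a region with several documents the operator cannot tell which one was skipped; add `$ssmdoc` to the message, e.g. `textInfo "$regx: Access Denied trying to get document $ssmdoc" "$regx"`. The hunk also does not show the loop moving on to the next document after this branch; it should `continue`, since `$SSM_DOC_FILE` now holds the error text and must not reach the secrets scan.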
textInfo "$regx: Access Denied trying to get document" "$regx" | |
textInfo "${regx}: Access Denied trying to get document" "${regx}" |
Thank you @lazize !!
Context
The missing permission was exposing an AccessDenied error message.
Also, the missing check was generating a false positive.
Description
Add check to validate access denied when getting a document from SSM.
Add missing action permission to allow ssm:GetDocument. Policy actions sorted to keep them in alphabetical order.
Issue #1016
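As an added illustration of the two decisions this check makes per document (example code, not Prowler's own check in checks/check_extra7141): classify the outcome of a get-document call by exit status before matching the error text, and flag credential-like parameters that carry a non-empty default, such as the dbpass/temp123 document from the thread. The sample files are constructed, the 254 exit status stands in for any non-zero CLI exit, and the parameter-name heuristic is this example's own, not Prowler's secrets scanner.

```shell
# Added example, not Prowler's own code: two helpers for extra7141-style handling
# of SSM documents, run offline against constructed sample files.

# classify_fetch <aws_cli_exit_status> <captured_output_file>  -> ok | denied | error
# The exit status is tested first, so a document whose body merely contains the
# word "AccessDenied" still counts as fetched, and a non-authorization API
# failure is not scanned as if it were a document.
classify_fetch() {
  local status="$1" file="$2"
  if [ "$status" -eq 0 ]; then
    echo ok
  elif grep -qE 'AccessDenied|UnauthorizedOperation|AuthorizationError' "$file"; then
    echo denied
  else
    echo error
  fi
}

# suspicious_defaults <document_json_file> -> "name=default" per credential-like
# parameter with a non-empty default, so the thread's dbpass/temp123 is reported.
# Heuristic assumed for this example; expects one parameter object per line.
suspicious_defaults() {
  awk '
    /^[[:space:]]*"[A-Za-z0-9_]+"[[:space:]]*:[[:space:]]*[{]/ {
      name = $0; sub(/^[[:space:]]*"/, "", name); sub(/".*/, "", name)
    }
    /"default"[[:space:]]*:/ && tolower(name) ~ /pass|pwd|secret|token/ {
      val = $0; sub(/.*"default"[[:space:]]*:[[:space:]]*"/, "", val); sub(/".*/, "", val)
      if (val != "") print name "=" val
    }' "$1"
}

# Constructed stand-ins for captured CLI output (not real API responses).
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
echo 'An error occurred (AccessDeniedException) when calling the GetDocument operation: not authorized to perform: ssm:GetDocument' > "$SAMPLE_DIR/denied.txt"
echo 'An error occurred (ThrottlingException) when calling the GetDocument operation: Rate exceeded' > "$SAMPLE_DIR/throttled.txt"
cat > "$SAMPLE_DIR/doc.json" <<'EOF'
{
  "parameters": {
    "Message": { "type": "String", "default": "Hello World" },
    "dbpass": { "type": "String", "default": "temp123" }
  },
  "mainSteps": [ { "name": "retry-on-AccessDenied", "inputs": {} } ]
}
EOF
classify_fetch 254 "$SAMPLE_DIR/denied.txt"     # denied
classify_fetch 0 "$SAMPLE_DIR/doc.json"         # ok (a grep on the file alone would say denied)
suspicious_defaults "$SAMPLE_DIR/doc.json"      # dbpass=temp123
```

The third call is the case the content-only grep gets wrong: the document body contains "AccessDenied" but the fetch succeeded, so it must be scanned rather than skipped.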
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.