Fix(extra7141): Error handling and include missing policy

[lazize]

Context

Missing permission was exposing AccessDenied error message.
Also missing check was generating false positive.

Description

Add check to validate access denied when get document from SSM.
Add missing action permission to allow ssm:GetDocument.

Policy actions sorted to keep them in alphabetical order.

Issue #1016

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[lazize]

$ ./prowler -p default -f sa-east-1 -c extra7141
                          _
  _ __  _ __ _____      _| | ___ _ __
 | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
 | |_) | | | (_) \ V  V /| |  __/ |
 | .__/|_|  \___/ \_/\_/ |_|\___|_|v2.7.0-24January2022
 |_| the handy cloud security tool

 Date: Wed Feb  2 22:05:13 -03 2022

 Color code for results:
 -  INFO (Information)
 -  PASS (Recommended value)
 -  WARNING (Ignored by whitelist)
 -  FAIL (Fix required)

 This report is being generated using credentials below:

 AWS-CLI Profile: [default] AWS API Region: [sa-east-1] AWS Filter Region: [sa-east-1]
 AWS Account: [xxxx5262] UserId: [AROAxxxx:xxxxxx]
 Caller Identity ARN: [arn:aws:sts::xxxx5262:assumed-role/xxxxx/xxxxxx]

7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
       INFO! sa-east-1: Access Denied trying to get document

$ ./prowler -p default -f sa-east-1 -c extra7141
                          _
  _ __  _ __ _____      _| | ___ _ __
 | '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
 | |_) | | | (_) \ V  V /| |  __/ |
 | .__/|_|  \___/ \_/\_/ |_|\___|_|v2.7.0-24January2022
 |_| the handy cloud security tool

 Date: Wed Feb  2 22:05:46 -03 2022

 Color code for results:
 -  INFO (Information)
 -  PASS (Recommended value)
 -  WARNING (Ignored by whitelist)
 -  FAIL (Fix required)

 This report is being generated using credentials below:

 AWS-CLI Profile: [default] AWS API Region: [sa-east-1] AWS Filter Region: [sa-east-1]
 AWS Account: [xxxx5262] UserId: [AROAxxxx:xxxxx]
 Caller Identity ARN: [arn:aws:sts::xxxx5262:assumed-role/xxxx/xxxxx]

7.141 [extra7141] Find secrets in SSM Documents - ssm [Critical]
       PASS! sa-east-1: No secrets found in SSM Document test-prowler-leo

[lazize]

I couldn't make it FAIL. How it check for secret?

My test document is the one below

{
  "schemaVersion": "2.2",
  "description": "Command Document Example JSON Template",
  "parameters": {
    "Message": {
      "type": "String",
      "description": "Example",
      "default": "Hello World"
    },
    "dbpass": {
      "type": "String",
      "description": "Example",
      "default": "temp123"
    }
  },
  "mainSteps": [
    {
      "action": "aws:runPowerShellScript",
      "name": "example",
      "inputs": {
        "runCommand": [
          "Write-Output {{Message}}"
        ]
      }
    }
  ]
}

[toniblyx]

This PR needs to be updated since we already added some new actions.

[toniblyx]

LGTM

[jfagoagas]

Thanks @lazize, please check above comments in order to merge this PR.

[jfagoagas]

Suggested change

	$AWSCLI $PROFILE_OPT --region $regx ssm get-document --name $ssmdoc --output text --document-format JSON > $SSM_DOC_FILE 2>&1
	"${AWSCLI}" $PROFILE_OPT --region "${regx ssm}" get-document --name "${ssmdoc}" --output text --document-format JSON > "${SSM_DOC_FILE}" 2>&1

[jfagoagas]

Suggested change

	if [[ $(grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' "$SSM_DOC_FILE") ]]; then
	if [[ $(grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' "${SSM_DOC_FILE}") ]]; then

[jfagoagas]

Suggested change

	textInfo "$regx: Access Denied trying to get document" "$regx"
	textInfo "${regx}: Access Denied trying to get document" "${regx}"

[jfagoagas]

$PROFILE_OPT shouldn't be enclosed within "${}" because it contains spaces and we need to extract both values.

[jfagoagas]

Thank you @lazize !!