Skip to content

Added -D option to copy to S3 with the initial AWS credentials instead of the assumed as with -B option @sectoramen#974

Merged
toniblyx merged 5 commits into
prowler-cloud:2.7from
sectoramen:fabio-dev
Dec 21, 2021
Merged

Added -D option to copy to S3 with the initial AWS credentials instead of the assumed as with -B option @sectoramen#974
toniblyx merged 5 commits into
prowler-cloud:2.7from
sectoramen:fabio-dev

Conversation

@sectoramen
Copy link
Copy Markdown
Contributor

@sectoramen sectoramen commented Dec 19, 2021
edited
Loading

Toni,

Does it make sense to save the original AWS credentials and then restore them before doing a copy to S3? I don't see a reason to keep the assumed credentials before the copy. The credentials of the individual/process that launched prowler are most likely to be the one used to perform other tasks, such as copy to S3. Optionally, we could add a new option, i.e.,
-Bn Custom output bucket used with original prowler role, requires -M and it can work also with -o flag.
(i.e.: -M csv -B my-bucket or -M csv -B my-bucket/folder/)

j2clerck
j2clerck reviewed Dec 20, 2021
View reviewed changes
Copy link
Copy Markdown

@j2clerck j2clerck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe there are more cases to cover here, depending on how Prowler is initially getting credentials:

  • Instance Profile
  • Named Profile
  • Environment Variables
  • AWS Config / Credentials file
    It might be worth reviewing the existing options and test how it behave. Setting environment variable to '' does not seem to bother aws cli. But you need to be able to revert the profile too at least. Happy to do some testing.

@toniblyx
Copy link
Copy Markdown
Member

toniblyx commented Dec 21, 2021

I always have tried to keep Prowler consistent with the way that the cli works in terms of configuration settings and precedence

  1. Command line options – Overrides settings in any other location. You can specify --region, --output, and --profile as parameters on the command line.
  2. Environment variables – You can store values in your system's environment variables.
  3. CLI credentials file – ~/.aws/credentials on Linux or macOS, or at C:\Users\USERNAME.aws\credentials on Windows
  4. CLI configuration file – The credentials and config file are updated when you run the command aws configure. The config file is located at ~/.aws/config on Linux or macOS, or at C:\Users\USERNAME.aws\config on Windows.
  5. Container credentials
  6. Instance profile credentials

Additionally, Prowler handles:

  1. With credentials gotten from any of the previous 6 steps, Prowler can assume a role that the previous user or role has permission to assume in the same account or another one.

@sectoramen
Copy link
Copy Markdown
Contributor Author

sectoramen commented Dec 21, 2021

This is ready to go. It was tested and it appears to work fine.

@toniblyx toniblyx changed the title Backup AWS Credentials are restore them before CopyToS3 Added -D option to copy to S3 with the initial AWS credentials instead of the assumed as with -B option @sectoramen Dec 21, 2021
@toniblyx toniblyx merged commit 8b415ec into prowler-cloud:2.7 Dec 21, 2021
@toniblyx
Copy link
Copy Markdown
Member

toniblyx commented Dec 21, 2021

Awesome, thanks @sectoramen!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@j2clerck j2clerck j2clerck left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sectoramen @toniblyx @j2clerck