[dev] [tofikwest] tofik/aws-integration-fix #2071

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

tofikwest merged 4 commits into main from tofik/aws-integration-fix

Jan 29, 2026

apps/api/src/cloud-security/providers/aws-security.service.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -32,93 +32,127 @@ export class AWSSecurityService { @@
           );
         }
-        const region =
-          (credentials.region as string) ||
-          (variables.region as string) ||
-          'us-east-1';
+        // Get all configured regions, or default to us-east-1
+        const configuredRegions = this.getConfiguredRegions(credentials, variables);
+        this.logger.log(
+          `Scanning ${configuredRegions.length} region(s): ${configuredRegions.join(', ')}`,
+        );
+        // Assume role ONCE before scanning all regions (IAM is global, not regional)
+        // This avoids N×2 STS API calls when scanning N regions
         let awsCredentials: AwsCredentials;
+        // Note: configuredRegions is guaranteed to have at least one element (defaults to ['us-east-1'])
+        const primaryRegion = configuredRegions[0];
         if (isRoleAuth) {
-          const customerRoleArn = credentials.roleArn as string;
-          const externalId = credentials.externalId as string;
-          const roleAssumerArn = process.env.SECURITY_HUB_ROLE_ASSUMER_ARN;
-          if (!roleAssumerArn) {
-            throw new Error(
-              'Missing SECURITY_HUB_ROLE_ASSUMER_ARN (our roleAssumer ARN).',
-            );
-          }
+          awsCredentials = await this.assumeRole(credentials, primaryRegion);
+        } else {
+          awsCredentials = {
+            accessKeyId: credentials.access_key_id as string,
+            secretAccessKey: credentials.secret_access_key as string,
+          };
+        }
-          // Hop 1: task role -> roleAssumer
-          const baseSts = new STSClient({ region });
-          const roleAssumerResp = await baseSts.send(
-            new AssumeRoleCommand({
-              RoleArn: roleAssumerArn,
-              RoleSessionName: 'CompRoleAssumer',
-              DurationSeconds: 3600,
-            }),
-          );
+        const allFindings: SecurityFinding[] = [];
+        const successfulRegions: string[] = [];
+        const failedRegions: string[] = [];
-          const roleAssumerCreds = roleAssumerResp.Credentials;
-          if (!roleAssumerCreds?.AccessKeyId || !roleAssumerCreds.SecretAccessKey) {
-            throw new Error(
-              'Failed to assume roleAssumer - no credentials returned',
+        // Scan each region using the same credentials
+        for (const region of configuredRegions) {
+          try {
+            const regionFindings = await this.scanRegionWithCredentials(
+              awsCredentials,
+              region,
             );
+            allFindings.push(...regionFindings);
+            successfulRegions.push(region);
+          } catch (error) {
+            const errorMessage =
+              error instanceof Error ? error.message : String(error);
+            // Use warn - per-region failures are expected (e.g., Security Hub not enabled)
+            this.logger.warn(`Error scanning region ${region}: ${errorMessage}`);
+            failedRegions.push(region);
+            // Continue with other regions
           }
+        }
-          const roleAssumerAwsCreds: AwsCredentials = {
-            accessKeyId: roleAssumerCreds.AccessKeyId,
-            secretAccessKey: roleAssumerCreds.SecretAccessKey,
-            sessionToken: roleAssumerCreds.SessionToken,
-          };
-          // Hop 2: roleAssumer -> customer role (ExternalId enforced by customer trust policy)
-          const roleAssumerSts = new STSClient({
-            region,
-            credentials: roleAssumerAwsCreds,
-          });
+        // Log summary
+        this.logger.log(
+          `Scan complete: ${allFindings.length} findings from ${successfulRegions.length} regions`,
+        );
-          this.logger.log(
-            `Assuming customer role ${customerRoleArn} in region ${region}`,
+        // If ALL regions failed, throw an error so the caller knows the scan failed
+        if (successfulRegions.length === 0 && failedRegions.length > 0) {
+          throw new Error(
+            `All ${failedRegions.length} region(s) failed to scan: ${failedRegions.join(', ')}`,
           );
+        }
-          const customerResp = await roleAssumerSts.send(
-            new AssumeRoleCommand({
-              RoleArn: customerRoleArn,
-              ExternalId: externalId,
-              RoleSessionName: 'CompSecurityAudit',
-              DurationSeconds: 3600,
-            }),
+        return allFindings;
+      }
+      /**
+       * Get the list of regions to scan from credentials or variables.
+       * Always returns at least one region (defaults to us-east-1).
+       */
+      private getConfiguredRegions(
+        credentials: Record<string, unknown>,
+        variables: Record<string, unknown>,
+      ): string[] {
+        // Check credentials.regions (array from multi-select)
+        if (Array.isArray(credentials.regions) && credentials.regions.length > 0) {
+          const filtered = credentials.regions.filter(
+            (r): r is string => typeof r === 'string' && r.trim().length > 0,
           );
+          // Only use filtered result if it has valid strings
+          if (filtered.length > 0) {
+            return filtered;
+          }
+        }
-          const customerCreds = customerResp.Credentials;
-          if (!customerCreds?.AccessKeyId || !customerCreds.SecretAccessKey) {
-            throw new Error(
-              'Failed to assume customer role - no credentials returned',
-            );
+        // Check variables.regions (array)
+        if (Array.isArray(variables.regions) && variables.regions.length > 0) {
+          const filtered = variables.regions.filter(
+            (r): r is string => typeof r === 'string' && r.trim().length > 0,
+          );
+          // Only use filtered result if it has valid strings
+          if (filtered.length > 0) {
+            return filtered;
           }
+        }
-          awsCredentials = {
-            accessKeyId: customerCreds.AccessKeyId,
-            secretAccessKey: customerCreds.SecretAccessKey,
-            sessionToken: customerCreds.SessionToken,
-          };
-        } else {
-          awsCredentials = {
-            accessKeyId: credentials.access_key_id as string,
-            secretAccessKey: credentials.secret_access_key as string,
-          };
+        // Check single region in credentials or variables
+        const singleRegion =
+          (credentials.region as string) || (variables.region as string);
+        if (
+          singleRegion &&
+          typeof singleRegion === 'string' &&
+          singleRegion.trim()
+        ) {
+          return [singleRegion.trim()];
         }
+        // Default to us-east-1
+        return ['us-east-1'];
+      }
+      /**
+       * Scan a single AWS region using pre-obtained credentials.
+       * Credentials are reused across regions since IAM is global.
+       */
+      private async scanRegionWithCredentials(
+        awsCredentials: AwsCredentials,
+        region: string,
+      ): Promise<SecurityFinding[]> {
         const securityHub = new SecurityHubClient({
           region,
           credentials: awsCredentials,
         });
         try {
-          const findings = await this.fetchSecurityHubFindings(securityHub);
-          this.logger.log(`Found ${findings.length} AWS security findings`);
+          const findings = await this.fetchSecurityHubFindings(securityHub, region);
+          this.logger.log(`Found ${findings.length} findings in region ${region}`);
           return findings;
         } catch (error) {
           const errorMessage =
@@ Expand All / @@ -128,16 +162,88 @@ export class AWSSecurityService { @@
             errorMessage.includes('not subscribed') ||
             errorMessage.includes('AccessDenied')
           ) {
-            this.logger.warn('Security Hub not enabled in this region');
+            this.logger.warn(`Security Hub not enabled in region ${region}`);
             return [];
           }
           throw error;
         }
       }
+      /**
+       * Assume IAM role for cross-account access
+       */
+      private async assumeRole(
+        credentials: Record<string, unknown>,
+        region: string,
+      ): Promise<AwsCredentials> {
+        const customerRoleArn = credentials.roleArn as string;
+        const externalId = credentials.externalId as string;
+        const roleAssumerArn = process.env.SECURITY_HUB_ROLE_ASSUMER_ARN;
+        if (!roleAssumerArn) {
+          throw new Error(
+            'Missing SECURITY_HUB_ROLE_ASSUMER_ARN (our roleAssumer ARN).',
+          );
+        }
+        // Hop 1: task role -> roleAssumer
+        const baseSts = new STSClient({ region });
+        const roleAssumerResp = await baseSts.send(
+          new AssumeRoleCommand({
+            RoleArn: roleAssumerArn,
+            RoleSessionName: 'CompRoleAssumer',
+            DurationSeconds: 3600,
+          }),
+        );
+        const roleAssumerCreds = roleAssumerResp.Credentials;
+        if (!roleAssumerCreds?.AccessKeyId || !roleAssumerCreds.SecretAccessKey) {
+          throw new Error('Failed to assume roleAssumer - no credentials returned');
+        }
+        const roleAssumerAwsCreds: AwsCredentials = {
+          accessKeyId: roleAssumerCreds.AccessKeyId,
+          secretAccessKey: roleAssumerCreds.SecretAccessKey,
+          sessionToken: roleAssumerCreds.SessionToken,
+        };
+        // Hop 2: roleAssumer -> customer role (ExternalId enforced by customer trust policy)
+        const roleAssumerSts = new STSClient({
+          region,
+          credentials: roleAssumerAwsCreds,
+        });
+        this.logger.log(
+          `Assuming customer role ${customerRoleArn} in region ${region}`,
+        );
+        const customerResp = await roleAssumerSts.send(
+          new AssumeRoleCommand({
+            RoleArn: customerRoleArn,
+            ExternalId: externalId,
+            RoleSessionName: 'CompSecurityAudit',
+            DurationSeconds: 3600,
+          }),
+        );
+        const customerCreds = customerResp.Credentials;
+        if (!customerCreds?.AccessKeyId || !customerCreds.SecretAccessKey) {
+          throw new Error(
+            'Failed to assume customer role - no credentials returned',
+          );
+        }
+        return {
+          accessKeyId: customerCreds.AccessKeyId,
+          secretAccessKey: customerCreds.SecretAccessKey,
+          sessionToken: customerCreds.SessionToken,
+        };
+      }
       private async fetchSecurityHubFindings(
         securityHub: SecurityHubClient,
+        region: string,
       ): Promise<SecurityFinding[]> {
         const allFindings: SecurityFinding[] = [];
@@ Expand All / @@ -156,7 +262,7 @@ export class AWSSecurityService { @@
         if (response.Findings) {
           for (const finding of response.Findings) {
-            allFindings.push(this.mapFinding(finding));
+            allFindings.push(this.mapFinding(finding, region));
           }
         }
@@ Expand All / @@ -173,7 +279,7 @@ export class AWSSecurityService { @@
           if (response.Findings) {
             for (const finding of response.Findings) {
               if (allFindings.length >= 500) break;
-              allFindings.push(this.mapFinding(finding));
+              allFindings.push(this.mapFinding(finding, region));
             }
           }
@@ Expand All / @@ -183,20 +289,23 @@ export class AWSSecurityService { @@
         return allFindings;
       }
-      private mapFinding(finding: {
-        Id?: string;
-        Title?: string;
-        Description?: string;
-        Remediation?: { Recommendation?: { Text?: string } };
-        Severity?: { Label?: string };
-        Resources?: Array<{ Type?: string; Id?: string }>;
-        AwsAccountId?: string;
-        Region?: string;
-        Compliance?: { Status?: string };
-        GeneratorId?: string;
-        CreatedAt?: string;
-        UpdatedAt?: string;
-      }): SecurityFinding {
+      private mapFinding(
+        finding: {
+          Id?: string;
+          Title?: string;
+          Description?: string;
+          Remediation?: { Recommendation?: { Text?: string } };
+          Severity?: { Label?: string };
+          Resources?: Array<{ Type?: string; Id?: string }>;
+          AwsAccountId?: string;
+          Region?: string;
+          Compliance?: { Status?: string };
+          GeneratorId?: string;
+          CreatedAt?: string;
+          UpdatedAt?: string;
+        },
+        scanRegion: string,
+      ): SecurityFinding {
         const severityMap: Record<string, SecurityFinding['severity']> = {
           INFORMATIONAL: 'info',
           LOW: 'low',
@@ Expand All / @@ -208,9 +317,16 @@ export class AWSSecurityService { @@
         const complianceStatus = finding.Compliance?.Status;
         const passed = complianceStatus === 'PASSED';
+        // Use the finding's region if available, otherwise use the scan region
+        const findingRegion = finding.Region || scanRegion;
+        // Append region to title for frontend filtering (e.g., "Finding Title (us-east-1)")
+        const baseTitle = finding.Title || 'Untitled Finding';
+        const titleWithRegion = `${baseTitle} (${findingRegion})`;
         return {
           id: finding.Id || '',
-          title: finding.Title || 'Untitled Finding',
+          title: titleWithRegion,
           description: finding.Description || 'No description available',
           severity: severityMap[finding.Severity?.Label || 'INFO'] || 'medium',
           resourceType: finding.Resources?.[0]?.Type || 'unknown',
@@ Expand All / @@ -219,7 +335,7 @@ export class AWSSecurityService { @@
             finding.Remediation?.Recommendation?.Text || 'No remediation available',
           evidence: {
             awsAccountId: finding.AwsAccountId,
-            region: finding.Region,
+            region: findingRegion,
             complianceStatus,
             generatorId: finding.GeneratorId,
             updatedAt: finding.UpdatedAt,
@@ Expand Down @@

apps/api/src/integration-platform/controllers/connections.controller.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -633,7 +633,8 @@ export class ConnectionsController { @@
               'Invalid credentials. Please check your IAM role configuration.';
           }
-          this.logger.error(`AWS validation failed: ${errorMessage}`);
+          // Use warn instead of error - this is a user configuration issue, not a system error
+          this.logger.warn(`AWS validation failed: ${errorMessage}`);
           return { success: false, message: friendlyMessage };
         }
       }
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[dev] [tofikwest] tofik/aws-integration-fix #2071

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!