mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-13 23:51:50 +00:00
da000b54ca
* fix(aws_profile_loader): New functions * fix(shellcheck): Temporary remove Shellcheck * fix(aws_cli_detector): new function * fix(jq_detector): New function * fix(os_detector): New function * fix(output_bucket): Output bucket input check in main * fix(python_detector): deleted unused python detector * fix(credentials): credentials check out of whoami * [break]refactor(main) * [BREAK] Get list of checks parsing all input options * [break]refactor(main): execute checks functions * [break]refactor(main): move functions to libs * fix(validations): custom check validation and typos * refactor(validate_options): Include comments * fix(custom_checks): Minor fixes * refactor(closing_files): include libraries * refactor(loader): Include ignored checks * refactor(main): Fix shellcheck * refactor(loader): beautify * refactor(monochrome): without variables * refactor(modes): MODES array not needed * refactor(whoami): get error from AWSCLI * refactor(secrets-detector) * refactor(secrets-detector) * fix(html_scoring): html scoring was fixed. * fix(load_checks_from_file) * fix(color-code): Print if not mono * fix(not extra): Fixed if EXCLUDE_CHECK_ID is empty * fix(IFS): Restore default IFS once modes are parsed * fix(bucket): validate before whoami * fix(bucket): validate before whoami Co-authored-by: n4ch04 <nachor1992@gmail.com> Co-authored-by: sergargar <sergio@verica.io> Co-authored-by: Nacho Rivera <59198746+n4ch04@users.noreply.github.com>
76 lines
3.6 KiB
Bash
76 lines
3.6 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# Prowler - the handy cloud security tool (copyright 2018) by Toni de la Fuente
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
|
# use this file except in compliance with the License. You may obtain a copy
|
|
# of the License at http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software distributed
|
|
# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
|
|
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations under the License.
|
|
|
|
|
|
# It checks -p optoin first and use it as profile, if not -p provided then
|
|
# check environment variables and if not, it checks and loads credentials from
|
|
# instance profile (metadata server) if runs in an EC2 instance
|
|
|
|
aws_profile_loader() {
|
|
INSTANCE_PROFILE=$(curl -s -m 1 http://169.254.169.254/latest/meta-data/iam/security-credentials/)
|
|
if echo "$INSTANCE_PROFILE" | grep -q '404 - Not Found'; then
|
|
INSTANCE_PROFILE=
|
|
fi
|
|
|
|
if [[ $PROFILE ]]; then
|
|
PROFILE_OPT="--profile $PROFILE"
|
|
elif [[ $AWS_ACCESS_KEY_ID && $AWS_SECRET_ACCESS_KEY || $AWS_SESSION_TOKEN || $AWS_PROFILE ]];then
|
|
PROFILE="$AWS_PROFILE"
|
|
PROFILE_OPT=""
|
|
elif [[ -n $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ]] && [[ -z $INSTANCE_PROFILE ]]; then
|
|
PROFILE="INSTANCE-PROFILE"
|
|
AWS_ACCESS_KEY_ID=$(curl -s 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g')
|
|
AWS_SECRET_ACCESS_KEY_ID=$(curl -s 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
|
|
AWS_SESSION_TOKEN=$(curl -s 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI grep Token| cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
|
|
elif [[ $AWS_WEB_IDENTITY_TOKEN_FILE ]]; then
|
|
PROFILE=""
|
|
PROFILE_OPT=""
|
|
elif [[ $INSTANCE_PROFILE ]]; then
|
|
PROFILE="INSTANCE-PROFILE"
|
|
AWS_ACCESS_KEY_ID=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g')
|
|
AWS_SECRET_ACCESS_KEY_ID=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
|
|
AWS_SESSION_TOKEN=$(curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/${INSTANCE_PROFILE} grep Token| cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g')
|
|
elif [[ $AWS_EXECUTION_ENV == "CloudShell" ]]; then
|
|
PROFILE_OPT=""
|
|
else
|
|
PROFILE="default"
|
|
PROFILE_OPT="--profile $PROFILE"
|
|
fi
|
|
# Backing up $PROFILE_OPT needed to renew assume_role
|
|
PROFILE_OPT_BAK=$PROFILE_OPT
|
|
# Set default region by aws config, fall back to us-east-1
|
|
REGION_CONFIG=$(aws configure get region)
|
|
if [[ $REGION_OPT ]]; then
|
|
REGION="$REGION_OPT"
|
|
elif [[ $REGION_CONFIG ]]; then
|
|
REGION="$REGION_CONFIG"
|
|
else
|
|
REGION="us-east-1"
|
|
fi
|
|
}
|
|
|
|
# Function to get all regions
|
|
get_regions() {
|
|
# Get list of regions based on include/whoami
|
|
if ! REGIONS=$($AWSCLI ec2 describe-regions \
|
|
--query 'Regions[].RegionName' \
|
|
--output text ${PROFILE_OPT} \
|
|
--region "${REGION_FOR_STS}" \
|
|
--region-names ${FILTERREGION//[,]/ } 2>&1)
|
|
then
|
|
echo "$OPTRED Access Denied trying to describe regions! Review permissions as described here: https://github.com/prowler-cloud/prowler/#requirements-and-installation $OPTNORMAL"
|
|
EXITCODE=1
|
|
exit $EXITCODE
|
|
fi
|
|
}
|