duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License

Region hardcoded -> Unauthorized operations #712

Closed dr460neye closed 4 years ago

dr460neye commented 4 years ago

Please mention the following:

python cloudmapper.py collect --account all_systems vs. aws ec2 describe-regions

The first command is not working, while the last command is.

Reason: The current implementation expects that access to all regions is allowed for "subcontractors", which is mostly not the case for bigger companies.

During testing I changed the following hard-coded force to use the US API:

    import os

    # Identify the default region used by global services such as IAM
    default_region = os.environ.get("AWS_REGION", "us-east-1")
    if 'gov-' in default_region:
        default_region = 'us-gov-west-1'
    elif 'cn-' in default_region:
        default_region = 'cn-north-1'
    else:
        # Overrides whatever AWS_REGION was set to for the commercial partition
        default_region = 'us-east-1'

How to fix this?

    import os

    # Identify the default region used by global services such as IAM
    default_region = os.environ.get("AWS_REGION", "us-east-1")
    if 'gov-' in default_region:
        default_region = 'us-gov-west-1'
    elif 'cn-' in default_region:
        default_region = 'cn-north-1'
    # No else: AWS_REGION is kept as the default for the commercial partition

The "else" block is the reason why the code does not work. In this case, the else block is not necessary, because regions can be provided for different reasons and can already be overwritten with environment settings.

E.g. for me, we are fully restricted to using eu-central-1 due to GDPR compliance.

There are some more interesting pieces of code which produce region issues, like:

    # get_regions and Region are defined elsewhere in cloudmapper; this
    # helper assumes us-east-1 is always among the regions returned
    def get_us_east_1(account):
        for region_json in get_regions(account):
            region = Region(account, region_json)
            if region.name == "us-east-1":
                return region

        raise Exception("us-east-1 not found")

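To make the effect of that else block concrete, here is an added example (not cloudmapper's code and not posted by the reporter) that places the quoted default-region logic beside the proposed fix and runs both against a constructed stand-in for an account restricted to eu-central-1. `ALLOWED_REGIONS`, `simulate_call` and the environment dicts are assumptions standing in for the organisation's region restriction and the AWS API; no real AWS call is made.

```python
"""Added example, not cloudmapper's code: hard-coded default region vs. the proposed fix."""


def default_region_forced(env):
    """Logic as quoted in the issue: the final else forces us-east-1 regardless of env."""
    region = env.get("AWS_REGION", "us-east-1")
    if "gov-" in region:
        return "us-gov-west-1"
    elif "cn-" in region:
        return "cn-north-1"
    else:
        return "us-east-1"


def default_region_fixed(env):
    """Proposed fix: honour AWS_REGION, only normalise the GovCloud/China partitions."""
    region = env.get("AWS_REGION", "us-east-1")
    if "gov-" in region:
        return "us-gov-west-1"
    elif "cn-" in region:
        return "cn-north-1"
    return region


# Constructed stand-in (assumption) for an organisation whose policy restricts
# API calls to a single region, as the reporter describes for eu-central-1.
ALLOWED_REGIONS = {"eu-central-1"}


def simulate_call(region, allowed=ALLOWED_REGIONS):
    """Constructed stand-in for the AWS API: 'ok' if the region is permitted,
    otherwise the error class the reporter hit. No real call is made."""
    return "ok" if region in allowed else "UnauthorizedOperation"


def compare(env):
    """Run both region-selection variants against the simulated restriction."""
    return {
        "forced": simulate_call(default_region_forced(env)),
        "fixed": simulate_call(default_region_fixed(env)),
    }


if __name__ == "__main__":
    # env is a plain dict standing in for os.environ (assumption)
    for env in ({"AWS_REGION": "eu-central-1"}, {"AWS_REGION": "us-gov-east-1"}, {}):
        print(env, "->", default_region_forced(env), default_region_fixed(env), compare(env))
```

The forced variant maps every commercial-partition region to us-east-1, so an account that may only call eu-central-1 is denied before collection starts; the fixed variant keeps the caller's region and only rewrites GovCloud and China regions to the partition's IAM endpoint region.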
0xdabbad00 commented 4 years ago

Duplicate of #682