duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License

Ec2 cross account access #872

Open DDJSM opened 3 years ago

DDJSM commented 3 years ago

Please mention the following:

The error:

```
ERROR: Ensure your creds are valid. An error occurred (AccessDenied) when calling the GetUser operation: User: arn:aws:sts::??????????????:assumed-role/role_myrole/i-xxxxxxxxxxxxxxx is not authorized to perform: iam:GetUser on resource: user test
```

And yes, I have iam:GetUser in my policy.

PS: this is access with an EC2 cross-account role, and not an IAM user with a Private Key and Secret Key.

w0rmr1d3r commented 3 years ago

Hello @DDJSM ! Since this is a cross-account issue, could it be that your assumed role can't perform the action outside its account?

We might need to take a look at those IAM policies in order to have more info, but I believe the problem is with the policies and not with cloudmapper itself.

Cheers!

DDJSM commented 3 years ago

OK, my IAM policies go like this (cross-account access roles):

Accounts A and B: A = 111111111111, B = 222222222222

Policies C and D:

Policy C:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSTSaccess",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::222222222222:role/role_cross",
        "arn:aws:iam::333333333333:role/role_cross",
        "arn:aws:iam::444444444444:role/role_cross"
      ]
    }
  ]
}
```

Policy D:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudMapperRead",
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate", "acm:ListCertificates",
        "access-analyzer:ListAnalyzers",
        "apigateway:GET",
        "autoscaling:describe*",
        "cloudformation:describestack*", "cloudformation:GetStackPolicy", "cloudformation:GetTemplate", "cloudformation:liststack*",
        "cloudfront:get*", "cloudfront:list*",
        "cloudsearch:DescribeDomains",
        "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus", "cloudtrail:ListTags",
        "cloudwatch:describe*",
        "codecommit:BatchGetRepositories", "codecommit:GetBranch", "codecommit:GetObjectIdentifier", "codecommit:GetRepository", "codecommit:list*",
        "codedeploy:batch*", "codedeploy:get*", "codedeploy:list*",
        "config:deliver*", "config:describe*", "config:get*",
        "datapipeline:DescribeObjects", "datapipeline:DescribePipelines", "datapipeline:EvaluateExpression", "datapipeline:GetPipelineDefinition", "datapipeline:ListPipelines", "datapipeline:QueryObjects", "datapipeline:ValidatePipelineDefinition",
        "directconnect:describe*",
        "dynamodb:DescribeTable", "dynamodb:ListTables",
        "ec2:des*", "ec2:get*",
        "ecr:des*", "ecr:get*", "ecr:lis*",
        "ecs:des*", "ecs:lis*",
        "eks:des*", "eks:lis*",
        "elasticache:Des*", "elasticache:Lis*",
        "elasticbeanstalk:describe*",
        "elasticfilesystem:describe*",
        "elasticloadbalancing:describe*",
        "elasticmapreduce:DescribeJobFlows", "elasticmapreduce:ListClusters",
        "es:des*", "es:lis*",
        "events:DescribeEventBus", "events:ListRules",
        "firehose:describe*", "firehose:list*",
        "glacier:ListVaults",
        "glue:GetConnections", "glue:GetDataCatalogEncryptionSettings", "glue:GetDevEndpoints", "glue:GetJobs", "glue:GetTriggers", "glue:SearchTables",
        "guardduty:GetDetector", "guardduty:ListDetectors",
        "iam:GenerateCredentialReport", "iam:GenerateServiceLastAccessedDetails", "iam:Get*", "iam:list*",
        "kms:describe*", "kms:get*", "kms:list*",
        "lambda:GetPolicy", "lambda:ListFunctions", "lambda:ListLayers",
        "lightsail:GetInstances", "lightsail:GetLoadBalancers",
        "logs:DescribeDestinations", "logs:DescribeLogGroups", "logs:DescribeMetricFilters", "logs:DescribeResourcePolicies",
        "organizations:DescribeOrganization", "organizations:ListAccounts",
        "rds:describe*", "rds:DownloadDBLogFilePortion", "rds:ListTagsForResource",
        "redshift:describe*",
        "route53domains:GetDomainDetail", "route53domains:GetOperationDetail", "route53domains:ListDomains", "route53domains:ListOperations", "route53domains:ListTagsForDomain",
        "route53:GetChange", "route53:GetCheckerIpRanges", "route53:GetGeoLocation", "route53:GetHealthCheck", "route53:GetHealthCheckCount", "route53:GetHealthCheckLastFailureReason", "route53:GetHostedZone", "route53:GetHostedZoneCount", "route53:GetReusableDelegationSet",
        "route53:ListHostedZonesByVPC", "route53:ListGeoLocations", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ListQueryLoggingConfigs", "route53:ListResourceRecordSets", "route53:ListReusableDelegationSets", "route53:ListTagsForResource", "route53:ListTagsForResources",
        "s3:des*", "s3:get*", "s3:lis*",
        "sagemaker:DescribeModel", "sagemaker:DescribeNotebookInstance", "sagemaker:DescribeTrainingJob", "sagemaker:ListModels", "sagemaker:ListNoteBookInstances", "sagemaker:ListTrainingJobs",
        "sdb:DomainMetadata", "sdb:ListDomains",
        "secretsmanager:ListSecrets",
        "ses:get*", "ses:list*", "ses:SendEmail",
        "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:ListTopics",
        "sts:Decode*",
        "sqs:GetQueueAttributes", "sqs:ListQueues",
        "ssm:DescribeInstanceInformation", "ssm:ListResourceComplianceSummaries",
        "support:Desc*",
        "tag:GetResources", "tag:GetTagKeys",
        "wafv2:ListWebACLs"
      ],
      "Resource": "*"
    }
  ]
}
```

aws-cli config:

```ini
[aws-account-A]
credential_source = Ec2InstanceMetadata
output = json
region = us-east-1

[aws-account-B]
role_arn = arn:aws:iam::222222222222:role/role_cross
external_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
credential_source = Ec2InstanceMetadata
output = json
region = us-east-1

[aws-account-C]
role_arn = arn:aws:iam::333333333333:role/role_cross
external_id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
credential_source = Ec2InstanceMetadata
output = json
region = us-east-1
```

cloudmapper config:

```json
{
  "accounts": [
    {"id": "222222222222", "name": "aws-account-B", "default": true}
  ],
  "cidrs": {
    "1.1.1.1/32": {"name": "SF Office"},
    "2.2.2.2/28": {"name": "NY Office"}
  }
}
```

Now, cloudmapper is running in account A on an EC2 instance with an IAM role linked to it, and this role has the Policy C permissions.

So I need cloudmapper to access account B, so I have set up a cross-account role on B, and this role is linked to the Policy D permissions, but when I run cloudmapper on account A...

```sh
python3 cloudmapper.py collect --account aws-account-B
```

It only reads assets on aws-account-A. With this same configuration, if I try to run Prowler on a specific account, it works perfectly.

w0rmr1d3r commented 3 years ago

Hello @DDJSM !

Let's see if I understood: You are saying that the role in account A has the policy that can assume the role in account B (good). The role in account B has the policy C (which is needed to use cloudmapper and other stuff), but can the role in account B be assumed by the role in account A? Have you tried, before using cloudmapper, to do an assume role cross-account from that EC2 instance, so that you can access account B from account A? The issue might be with the roles and policies, and not from Cloudmapper?

I have also found some info in the readme -> https://github.com/duo-labs/cloudmapper#generating-a-config-file It could be useful.

Maybe Prowler uses a different approach when scanning resources with cross-accounts. Are you using Prowler from localhost or from that very same EC2 instance?

If nothing of this helps, I'll wait for more info from the owners of cloudmapper, because I don't know how to proceed on this.

Hope it helps!

DDJSM commented 3 years ago

You are saying that the role in account A has the policy that can assume the role in account B (good). The role in account B has the policy C (which is needed to use cloudmapper and other stuff), but can the role in account B be assumed by the role in account A?

Exactly, the IAM role on account A is only used to assume the role on B.

Have you tried, before using cloudmapper, to do an assume role cross-account from that EC2 instance

Yeap, and it works on every account. I'm actually accessing 15 accounts from A, and they all work well when I run any command from my Linux shell using the AWS CLI on the EC2 where cloudmapper and Prowler are installed.

Maybe Prowler uses a different approach when scanning resources with cross-accounts. Are you using Prowler from localhost or from that very same EC2 instance?

Yeap, exactly the same EC2 for both Prowler and cloudmapper.

w0rmr1d3r commented 3 years ago

Hello @DDJSM !

Regarding this:

Have you tried, before using cloudmapper, to do an assume role cross-account from that EC2 instance

Yeap, and it works on every account. I'm actually accessing 15 accounts from A, and they all work well when I run any command from my Linux shell using the AWS CLI on the EC2 where cloudmapper and Prowler are installed.

If I understood correctly, if you are inside the EC2, you can assume a role in account B? Can you provide any proof of that? And check whether the policies on one of those 15 accounts you mention differ in any way from the policy in account B?

Regarding this:

You are saying that the role in account A has the policy that can assume the role in account B (good). The role in account B has the policy C (which is needed to use cloudmapper and other stuff), but can the role in account B be assumed by the role in account A?

Exactly, the IAM role on account A is only used to assume the role on B.

I'm gonna assume that you know that the role in account A must have in its policy that it can assume the role in account B, and that the role in account B must have in its policies that it can be assumed from account A; you do have that, don't you?

Cheers!

jefify commented 3 years ago

@DDJSM I am using exactly the same cross-account structure as Prowler, and had the same problem. I got it solved by reading the script: https://github.com/duo-labs/cloudmapper/blob/37b7870da193b2225c8d1883d2eab9625a3fa903/auditor/s3_bucket_files/run_cloudmapper.sh#L27

When you specify the profile to be used, it seems that the main routine skips the user check, so you can try:

```sh
python3 cloudmapper.py collect --account MYACCOUNT --profile MYACCOUNT_AWS_PROFILE
```

Good Luck!
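The two checks this thread circles around (does the named profile actually land in the account CloudMapper expects, and would the target role's trust policy admit the instance role with the configured external id) can be done locally before running `collect`. The script below is an added example, not CloudMapper's or Prowler's code, and not an AWS API call: it parses an AWS CLI config and a CloudMapper config.json with the standard library, pairs every CloudMapper account with the profile whose `role_arn` points at it, emits the `collect --account ... --profile ...` command, and evaluates a simplified trust policy (Allow statements with an AWS principal and an optional `sts:ExternalId` StringEquals condition). The config text, trust policies, principal ARN and external id are constructed; they only reuse the thread's placeholder account ids and role names, and the trust policies are hypothetical.

```python
"""Pre-flight check for CloudMapper cross-account collection. Added example,
not CloudMapper's own code. All inputs below are constructed; they reuse the
thread's placeholder account ids and role names."""
import configparser
import json
import re

ARN_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):(.+)$")

INSTANCE_ACCOUNT = "111111111111"  # account A, where the EC2 instance lives
# What the CLI default chain yields on that instance (ARN shape from the
# issue's error message; the instance id is made up).
INSTANCE_PRINCIPAL = "arn:aws:sts::111111111111:assumed-role/role_myrole/i-0123456789abcdef0"
EXTERNAL_ID = "00000000-0000-0000-0000-00000000000b"

AWS_CLI_CONFIG = """\
[aws-account-A]
credential_source = Ec2InstanceMetadata

[profile aws-account-B]
role_arn = arn:aws:iam::222222222222:role/role_cross
external_id = 00000000-0000-0000-0000-00000000000b
credential_source = Ec2InstanceMetadata

[profile aws-account-C]
role_arn = arn:aws:iam::333333333333:role/role_cross
external_id = 00000000-0000-0000-0000-00000000000b
credential_source = Ec2InstanceMetadata
"""

CLOUDMAPPER_CONFIG = json.dumps({"accounts": [
    {"id": "222222222222", "name": "aws-account-B", "default": True},
    {"id": "333333333333", "name": "aws-account-C"},
    {"id": "444444444444", "name": "aws-account-D"},  # no profile for it
]})

# Hypothetical trust policies of role_cross in B and C: B trusts all of
# account A with the right external id; C names the role but expects another id.
TRUST_POLICIES = {
    "arn:aws:iam::222222222222:role/role_cross": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]},
    "arn:aws:iam::333333333333:role/role_cross": {"Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/role_myrole"},
        "Condition": {"StringEquals": {"sts:ExternalId": "some-other-id"}}}]},
}


def arn_account(arn):
    """12-digit account id of an IAM/STS ARN."""
    return ARN_RE.match(arn).group(1)


def caller_role_arn(caller_arn):
    """Map an STS assumed-role ARN (as in the error message) back to the IAM
    role ARN a trust policy names; any other ARN is returned unchanged."""
    account, resource = ARN_RE.match(caller_arn).groups()
    if resource.startswith("assumed-role/"):
        return "arn:aws:iam::%s:role/%s" % (account, resource.split("/")[1])
    return caller_arn


def parse_profiles(config_text):
    """{profile: {key: value}}; accepts '[profile X]' (~/.aws/config) and
    bare '[X]' headers (credentials file, and the thread's paste)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(config_text)
    return {s.split("profile ", 1)[-1]: dict(cp[s]) for s in cp.sections()}


def profile_lands_in(profile, instance_account):
    """Account whose credentials the profile produces, or None if unknown."""
    if "role_arn" in profile:
        return arn_account(profile["role_arn"])
    if profile.get("credential_source") == "Ec2InstanceMetadata":
        return instance_account  # the instance role never leaves its account
    return None


def principal_matches(allowed, caller_arn):
    """An account id or arn:aws:iam::ACCT:root admits every IAM principal in
    ACCT; anything else must equal the caller's underlying role ARN."""
    if allowed == "*":
        return True
    if re.fullmatch(r"\d{12}", allowed):
        return allowed == arn_account(caller_arn)
    if allowed.endswith(":root"):
        return arn_account(allowed) == arn_account(caller_arn)
    return allowed == caller_role_arn(caller_arn)


def trust_allows(trust_policy, caller_arn, external_id=None):
    """Simplified local evaluation for sts:AssumeRole: Allow statements with
    an AWS principal and an optional StringEquals sts:ExternalId condition.
    Deny, service principals and other condition keys are out of scope."""
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        allowed = principal if isinstance(principal, str) else principal.get("AWS", [])
        allowed = [allowed] if isinstance(allowed, str) else allowed
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if (stmt.get("Effect") == "Allow"
                and any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
                and any(principal_matches(p, caller_arn) for p in allowed)
                and cond.get("sts:ExternalId", external_id) == external_id):
            return True
    return False


def plan_collect(cli_config_text, cloudmapper_json, instance_account, caller_arn, trust_policies):
    """Pair each CloudMapper account with the CLI profile landing in it and
    build the collect command; 'trusted' is None when no trust policy is known."""
    profiles = parse_profiles(cli_config_text)
    results = []
    for acct in json.loads(cloudmapper_json)["accounts"]:
        entry = {"name": acct["name"], "id": acct["id"], "profile": None,
                 "trusted": None, "command": None}
        for name, p in profiles.items():
            if profile_lands_in(p, instance_account) != acct["id"]:
                continue
            policy = trust_policies.get(p.get("role_arn"))
            entry["profile"] = name
            entry["trusted"] = trust_allows(policy, caller_arn, p.get("external_id")) if policy else None
            entry["command"] = "python3 cloudmapper.py collect --account %s --profile %s" % (acct["name"], name)
            break
        results.append(entry)
    return results


if __name__ == "__main__":
    print("without --profile, credentials land in account", INSTANCE_ACCOUNT)
    for row in plan_collect(AWS_CLI_CONFIG, CLOUDMAPPER_CONFIG, INSTANCE_ACCOUNT,
                            INSTANCE_PRINCIPAL, TRUST_POLICIES):
        print(row)
```

On the thread's setup this prints account B paired with its profile and trusted, account C paired but refused by the (hypothetical) external-id mismatch, and account D with no profile at all; the first line is the point of jefify's comment: with no `--profile`, the instance role is used and the run stays in account A, which is where the `iam:GetUser` denial in the original error comes from. The trust evaluation is deliberately narrow; for anything beyond plain AWS principals and an ExternalId condition, use the IAM policy simulator or an actual `aws sts assume-role` from the instance.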

DDJSM commented 3 years ago

Hello, yes, the role in account B can be assumed by the role in account A; the cross-account role is working. I'm using Prowler with exactly the same AWS CLI config and roles in accounts A and B, but cloudmapper can't work this way; there is no option in cloudmapper to specify a profile from the AWS CLI credentials. Every role and policy is working flawlessly with Prowler, just not with cloudmapper. My perception is that cloudmapper doesn't understand profiles, only Key and SecretKey.
