joshlarsen / aws-recon

Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata.
https://archive.darkbit.io/resources
MIT License

ARN isn't valid | WAFV2 #120

Closed Nebula-Ninjas closed 3 years ago

Nebula-Ninjas commented 3 years ago

@joshlarsen didn't know you were the creator of this one as well, pretty awesome!

When running the following command I get following error:

```shell
AWS_PROFILE=coda-dev /gems/bin/aws_recon -j \
  -r global,us-east-1 \
  -f custom > output.json
```

```
Traceback (most recent call last):
    23: from /gems/gems/parallel-1.20.1/lib/parallel.rb:215:in `block (4 levels) in in_threads'
    22: from /gems/gems/parallel-1.20.1/lib/parallel.rb:366:in `block in work_in_threads'
    21: from /gems/gems/parallel-1.20.1/lib/parallel.rb:518:in `with_instrumentation'
    20: from /gems/gems/parallel-1.20.1/lib/parallel.rb:367:in `block (2 levels) in work_in_threads'
    19: from /gems/gems/parallel-1.20.1/lib/parallel.rb:507:in `call_with_index'
    18: from /gems/gems/aws_recon-0.5.6/lib/aws_recon/aws_recon.rb:110:in `block (2 levels) in start'
    17: from /gems/gems/aws_recon-0.5.6/lib/aws_recon/aws_recon.rb:49:in `collect'
    16: from /gems/gems/aws_recon-0.5.6/lib/aws_recon/collectors/wafv2.rb:21:in `collect'
    15: from /gems/gems/aws_recon-0.5.6/lib/aws_recon/collectors/wafv2.rb:21:in `each'
    14: from /gems/gems/aws_recon-0.5.6/lib/aws_recon/collectors/wafv2.rb:22:in `block in collect'
    13: from /gems/gems/aws_recon-0.5.6/lib/aws_recon/collectors/wafv2.rb:22:in `each_with_index'
    12: from /gems/gems/aws-sdk-core-3.114.0/lib/aws-sdk-core/pageable_response.rb:93:in `each'
    11: from /gems/gems/aws_recon-0.5.6/lib/aws_recon/collectors/wafv2.rb:25:in `block (2 levels) in collect'
    10: from /gems/gems/aws_recon-0.5.6/lib/aws_recon/collectors/wafv2.rb:25:in `each'
     9: from /gems/gems/aws_recon-0.5.6/lib/aws_recon/collectors/wafv2.rb:43:in `block (3 levels) in collect'
     8: from /gems/gems/aws-sdk-wafv2-1.20.0/lib/aws-sdk-wafv2/client.rb:3764:in `list_resources_for_web_acl'
     7: from /gems/gems/aws-sdk-core-3.114.0/lib/seahorse/client/request.rb:72:in `send_request'
     6: from /gems/gems/aws-sdk-core-3.114.0/lib/seahorse/client/plugins/response_target.rb:24:in `call'
     5: from /gems/gems/aws-sdk-core-3.114.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'
     4: from /gems/gems/aws-sdk-core-3.114.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call'
     3: from /gems/gems/aws-sdk-core-3.114.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'
     2: from /gems/gems/aws-sdk-core-3.114.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'
     1: from /gems/gems/aws-sdk-core-3.114.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:22:in `call'
/gems/gems/aws-sdk-core-3.114.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in `call': Error reason: The ARN isn't valid. A valid ARN begins with arn: and includes other information separated by colons or slashes., field: RESOURCE_ARN, parameter: ResourceArn (Aws::WAFV2::Errors::WAFInvalidParameterException)
```

I then just re-ran the command to exclude this service (command below) and it seemed to complete successfully.

```shell
AWS_PROFILE=coda-dev /gems/bin/aws_recon -j \
  -x WAFV2 \
  -r global,us-east-1 \
  -f custom > output.json
```

Hope this helps.

William

joshlarsen commented 3 years ago

Ah, yes, there is a typo in this collector. We'll push an update later today to correct.

Nebula-Ninjas commented 3 years ago

Sounds good, thanks @joshlarsen

Nebula-Ninjas commented 3 years ago

@joshlarsen some other oddities I'd like to get your feedback on.

This will run as expected in the specific regions:

```shell
AWS_PROFILE=coda-dev /gems/bin/aws_recon -j \
  -r global,us-east-1 \
  -f custom > output.json \
  -x WAFV2,lambda
```

This will attempt to scan other regions (suggested format for creating JSON for OpenCSPM):

```shell
AWS_PROFILE=coda-dev /gems/bin/awsrecon -j \
  -s SERVICENAME \
  -r global,us-east-1 \
  -f custom > output.json
```

(here I used the -x WAFV2,lambda call and kept getting "access denied" errors on services in other regions)

Anyhow, hope this helps you all out, and awesome stuff you all created. I'll be utilizing both these tools a ton, so let me know if you ever need any testing done.

Sincerely,

William

joshlarsen commented 3 years ago

Hi William,

When excluding services, the name has to match either the name or alias field from lib/aws_recon/services.yaml. The name field is the same as whatever AWS calls the service in the APIs. The alias field is arbitrary and really just for convenience. Hope that helps.
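The matching rule described in the comment above (an `-x` entry must equal either the `name` or the `alias` field of an entry in `services.yaml`), as an added Ruby example that is not part of the thread or of aws-recon's own code. The YAML sample is constructed to show the shape the comment describes, not the real contents of `lib/aws_recon/services.yaml`, and exact-match comparison is an assumption; the thread does not say how the tool handles case. The `unmatched_exclusions` check is an addition so that a misspelt service name is reported instead of being silently ignored and the service collected anyway.

```ruby
require 'yaml'

# Constructed sample in the shape described in the thread (name + optional alias).
# These are NOT the real entries of lib/aws_recon/services.yaml.
SERVICES_YAML = <<~YAML
  - name: WAFV2
    alias: waf
  - name: Lambda
    alias: lambda
  - name: EC2
  - name: S3
YAML

SERVICES = YAML.safe_load(SERVICES_YAML)

# Split a comma-separated "-x" style argument into individual entries.
def parse_exclusion_arg(arg)
  arg.split(',').map(&:strip).reject(&:empty?)
end

# Return the services that remain after applying the exclusion list.
# Assumption: an entry matches when it equals a service's `name` or `alias`
# field exactly (the thread does not state how case is handled).
def apply_exclusions(services, excluded)
  services.reject do |svc|
    excluded.include?(svc['name']) ||
      (svc['alias'] && excluded.include?(svc['alias']))
  end
end

# Report exclusion entries that match no name or alias, so a typo such as
# "lamda" is visible to the operator rather than silently having no effect.
def unmatched_exclusions(services, excluded)
  known = services.flat_map { |svc| [svc['name'], svc['alias']] }.compact
  excluded - known
end

if __FILE__ == $PROGRAM_NAME
  excluded = parse_exclusion_arg('WAFV2,lambda,lamda')
  remaining = apply_exclusions(SERVICES, excluded)
  puts "collecting: #{remaining.map { |s| s['name'] }.join(', ')}"
  missing = unmatched_exclusions(SERVICES, excluded)
  warn "no service matches: #{missing.join(', ')}" unless missing.empty?
end
```

With the constructed list, `WAFV2` matches by name and `lambda` matches by alias, so only EC2 and S3 remain; `lamda` matches nothing and is reported separately.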

joshlarsen commented 3 years ago

William,

Upgrade to the 0.5.7 gem to fix the WAFv2 collection.

Nebula-Ninjas commented 3 years ago

@joshlarsen will do, thanks!

joshlarsen commented 3 years ago

Lambda vpc_id issue fixed in https://github.com/darkbitio/aws-recon/commit/4faeaa2364cdb9706a4fbac3d3c339fd7636968f.