nccgroup / Scout2

Security auditing tool for AWS environments
http://nccgroup.github.io/Scout2/
GNU General Public License v2.0

List open S3 Buckets #272

Closed marcinguy closed 5 years ago

marcinguy commented 6 years ago

Trying to get all world readable S3 Buckets

None were identified in my scan.

Is this the right way to do it when there will be some identified?

Shouldn't Scout2Listall.py just say "no items found"?

Below is what I am trying:

$ Scout2/Scout2Listall.py --config s3-bucket-world-acl.json  --config-args AllUsers read --format-file /home/user/Scout2/AWSScout2/rules/data/findings/s3-bucket-world-acl.md
Error: unhandled case, typeof(current_info) = <type 'NoneType'>
Path: [u's3', u'buckets', u'731c5473f01102de83d83e5d099ffac1cd23f36e', u'grantees']
Object: None
Entry target path: [u'id']

Failed to process rule defined in s3-bucket-world-acl.json
Traceback (most recent call last):
  File "Scout2/Scout2Listall.py", line 8, in <module>
    sys.exit(main())
  File "/home/user/Scout2/AWSScout2/__listall__.py", line 88, in main
    resources = aws_config['services'][rule_service][rule_type][rule_key]['items']
KeyError: 'items'
$ cat Scout2/AWSScout2/rules/data/findings/s3-bucket-world-acl.json
{
    "arg_names": [ "Grantee", "Permission", "Description", "Level" ],
    "key": "s3-bucket-_ARG_0_-_ARG_1_",
    "dashboard_name": "Bucket ACLs",
    "description": "_ARG_2_",
    "path": "s3.buckets.id.grantees.id",
    "display_path": "s3.buckets.id",
    "conditions": [ "and",
        [ "s3.buckets.id.grantees.id.", "withKey", "URI" ],
        [ "s3.buckets.id.grantees.id.URI", "equal", "http://acs.amazonaws.com/groups/global/_ARG_0_" ],
        [ "s3.buckets.id.grantees.id.permissions._ARG_1_", "true", "" ]
    ],
    "id_suffix": "_ARG_1_",
    "keys": [
        "s3.buckets.id.grantees.id"
    ]

}
$ cat Scout2/AWSScout2/rules/data/findings/s3-bucket-world-acl.md  
_ITEM_(| _KEY_(s3.buckets.id.grantees.id) |)_METI_

Thanks,

x4v13r64 commented 6 years ago

When there is no output, nothing is returned (blank output). You must first run Scout2 before running Scout2Listall.

Don't use absolute paths (currently not supported).

This is what I get when running your markdown file when there is an open S3 bucket:

python Scout2Listall.py --profile aws_scout2 --config s3-bucket-world-acl.json --format-file s3-bucket-world-acl.md --config-args AllUsers read
| AllUsers |

This is what I get when running your markdown file when there is no open S3 bucket:

python Scout2Listall.py --profile aws_scout2 --config s3-bucket-world-acl.json --format-file s3-bucket-world-acl.md --config-args AllUsers read

Does this answer your question?

marcinguy commented 6 years ago

Thanks for your reply. I think there is a bug somewhere.

In my case the rule does not return items. I pprint()ed the aws_config['services'][rule_service][rule_type][rule_key]:

python Scout2Listall.py --profile test --config s3-bucket-world-acl.json --format-file s3-bucket-world-acl.md --config-args AllUsers read
Error: unhandled case, typeof(current_info) = <type 'NoneType'>
Path: [u's3', u'buckets', u'731c5473f01102de83d83e5d099ffac1cd23f36e', u'grantees']
Object: None
Entry target path: [u'id']

Failed to process rule defined in s3-bucket-world-acl.json
{'checked_items': 0,
 'description': u'',
 'display_path': u's3.buckets.id',
 'flagged_items': 0,
 'id_suffix': u'read',
 'level': u'danger',
 'path': u's3.buckets.id.grantees.id'}
Traceback (most recent call last):
  File "Scout2Listall.py", line 8, in <module>
    sys.exit(main())
  File "/home/user/Scout2/AWSScout2/__listall__.py", line 89, in main
    resources = aws_config['services'][rule_service][rule_type][rule_key]['items']
KeyError: 'items'

FYI Had this error while running Scout2:

Fetching S3 config...
             buckets
                1/89g configuration for test-documentation
An error occurred (AccessDenied) when calling the GetBucketLogging operation: Access Denied
                7/89An error occurred (AccessDenied) when calling the GetBucketAcl operation: Access Denied
                9/89An error occurred (AccessDenied) when calling the GetBucketPolicy operation: Access Denied
               89/89

Maybe the config JSON is somehow incomplete?

How can I debug/fix this?

Thanks,

x4v13r64 commented 6 years ago

I'll try to reproduce the first error you are getting.

Regarding the second error, you're getting it because the user/role you are using to run Scout2 doesn't have access to those buckets (hence the AccessDenied response). Check the bucket ACLs as that's most likely where you are getting access denied.

l01cd3v commented 6 years ago

@marcinguy, are the buckets identified in the Scout2 HTML report? This would help determine whether the issue is in Scout2 or Scout2Listall.

marcinguy commented 6 years ago

@l01cd3v yes I think so, I see buckets (Buckets Checked). For example:

Bucket without versioning
Buckets checked: 89
Buckets flagged: 83

x4v13r64 commented 6 years ago

@marcinguy do you have 89 buckets in the account? Because those that can't be accessed (which return the AccessDenied response) won't be counted in there.

marcinguy commented 6 years ago

@j4v I checked, yes I have 89 buckets. So maybe the bug is that it adds AccessDenied buckets also. You are right, there should be at least 3 less (buckets 1, 7 and 9) based on my previous output.
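The thread's diagnosis is that buckets whose ACL could not be fetched (GetBucketAcl returned AccessDenied) end up with `grantees` set to None, and the rule path `s3.buckets.id.grantees.id` then blows up instead of producing an empty item list. The following is an added example, not Scout2's code: it walks a Scout2-style path over a constructed config, skips branches where the data is missing, evaluates the `s3-bucket-world-acl` conditions from the rule above, and separately reports which buckets were unreadable. Bucket ids, grantee ids and the `unreadable_buckets` helper are assumptions for illustration.

```python
# Constructed sample config in the shape the rule expects (services.s3.buckets.<id>.grantees.<id>).
WORLD_GROUP = "http://acs.amazonaws.com/groups/global/"
SAMPLE_CONFIG = {"services": {"s3": {"buckets": {
    "b1": {"name": "public-docs", "grantees": {
        "g1": {"URI": WORLD_GROUP + "AllUsers", "permissions": {"read": True, "write": False}}}},
    "b2": {"name": "private-data", "grantees": {
        "g2": {"DisplayName": "owner", "permissions": {"read": True, "write": True}}}},
    # GetBucketAcl was AccessDenied for this bucket, so Scout2 stored no grantees.
    "b3": {"name": "denied-bucket", "grantees": None},
}}}}


def walk_path(obj, path, ids=()):
    """Yield (ids, leaf) for every leaf reachable through a dotted Scout2 path.
    'id' expands to every key of the current dict; a None node (data never
    fetched, e.g. after AccessDenied) simply yields nothing instead of crashing."""
    if obj is None:
        return
    if not path:
        yield ids, obj
        return
    head, rest = path[0], path[1:]
    if head == "id":
        for key, value in obj.items():
            yield from walk_path(value, rest, ids + (key,))
    else:
        yield from walk_path(obj.get(head), rest, ids)


def world_acl_findings(config, grantee="AllUsers", permission="read"):
    """Apply the s3-bucket-world-acl conditions: grantee has a URI equal to the
    global group for _ARG_0_ and the _ARG_1_ permission is true."""
    uri = WORLD_GROUP + grantee
    items, checked = [], 0
    for ids, g in walk_path(config["services"], "s3.buckets.id.grantees.id".split(".")):
        checked += 1
        if g.get("URI") == uri and g.get("permissions", {}).get(permission) is True:
            items.append(ids)  # (bucket id, grantee id), as _ITEM_ would render
    return {"checked_items": checked, "flagged_items": len(items), "items": items}


def unreadable_buckets(config):
    """Buckets whose ACL was never retrieved; these should not count as checked."""
    buckets = config["services"]["s3"]["buckets"]
    return [b["name"] for b in buckets.values() if b.get("grantees") is None]
```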