nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool
GNU General Public License v2.0

AWS: Running with --local still requires valid creds #1659

Open rdegraaf opened 3 months ago

rdegraaf commented 3 months ago

Describe the bug

ScoutSuite's "--local" option (valid for the AWS provider; I haven't tested the others) is documented as follows:

 -l, --local           Use local data previously fetched and re-run the analysis.

Using previously-fetched data implies no need to hit the provider again, which in turn implies no need for valid credentials. However, the first thing that it does, even in "--local" mode, is:

2024-07-24 14:09:40 <redacted> scout[11483] INFO Authenticating to cloud provider

If the user's credentials have expired, ScoutSuite fails:

2024-07-24 14:09:43 <redacted> scout[11483] ERROR __main__.py L217: Authentication failure: An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired

When run with the "--debug" argument, ScoutSuite provides the following stack trace:

Traceback (most recent call last):
  File "<redacted>/ScoutSuite/ScoutSuite/providers/aws/authentication_strategy.py", line 50, in authenticate
    get_caller_identity(session)
  File "<redacted>/ScoutSuite/ScoutSuite/providers/aws/utils.py", line 10, in get_caller_identity
    identity = sts_client.get_caller_identity()
  File "<redacted>/ScoutSuite/test-venv/lib/python3.10/site-packages/botocore/client.py", line 565, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "<redacted>/ScoutSuite/test-venv/lib/python3.10/site-packages/botocore/client.py", line 1021, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<redacted>/ScoutSuite/ScoutSuite/__main__.py", line 217, in _run
    credentials = auth_strategy.authenticate(profile=profile,
  File "<redacted>/ScoutSuite/ScoutSuite/providers/aws/authentication_strategy.py", line 60, in authenticate
    raise AuthenticationException(e)
ScoutSuite.providers.base.authentication_strategy.AuthenticationException: An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired

To Reproduce

  1. Obtain temporary credentials to an AWS account that have at least the minimum permissions required to run a ScoutSuite scan.
  2. Run a ScoutSuite scan against the target account: scout aws --force --no-browser.
  3. Wait until the temporary credentials have expired. I suspect that tampering with the credentials so that they are no longer valid also works, but I did not test this.
  4. Attempt to re-analyze the previously-retrieved data: scout aws --force --no-browser --local.
  5. Note ScoutSuite's failure.

x64-latacora commented 3 months ago

This is the case because the valid credentials are being used to evaluate a few details about the cloud environment which are used to define the name of the output files and possibly a few other things.
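An added illustration, not ScoutSuite's own code, of the pattern the two posts above describe: the account identity that names the output files is obtained from STS once during a fetch, stored beside the fetched data, and re-read in local mode, so an expired token cannot block re-analysis. The STS stubs, the exception type standing in for botocore's ClientError, the cache file name and the account number are all constructed for this example.

```python
"""Illustrative pattern (hypothetical, not ScoutSuite's code): resolve the
AWS account identity used for report file names without calling STS in
local mode."""
import json
import tempfile
from pathlib import Path


class ExpiredTokenError(Exception):
    """Stand-in for botocore.exceptions.ClientError with code ExpiredToken."""


class ExpiredStsClient:
    """Simulated STS client whose session token has expired (constructed)."""

    def get_caller_identity(self):
        raise ExpiredTokenError(
            "An error occurred (ExpiredToken) when calling the GetCallerIdentity operation")


class LiveStsClient:
    """Simulated STS client with valid credentials (constructed)."""

    def __init__(self, account_id: str):
        self._account_id = account_id

    def get_caller_identity(self):
        return {"Account": self._account_id,
                "Arn": f"arn:aws:iam::{self._account_id}:user/example"}


def resolve_account_id(sts_client, cache_path: Path, local: bool) -> str:
    """Return the account id for naming output files.

    With local=True the id is read from the metadata saved by the original
    fetch, so no credentials are needed.  Only a fresh fetch calls STS, and it
    records the id so later local runs can reuse it."""
    if local:
        if not cache_path.exists():
            raise RuntimeError("no previously fetched data; run a fetch first")
        return json.loads(cache_path.read_text())["account_id"]
    identity = sts_client.get_caller_identity()
    cache_path.write_text(json.dumps({"account_id": identity["Account"]}))
    return identity["Account"]


def demo():
    """Fetch with valid creds, then re-analyze locally after they expire."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "account.json"   # constructed cache location
        fetched = resolve_account_id(LiveStsClient("123456789012"), cache, local=False)
        # Local re-analysis: the expired client is never called.
        reanalyzed = resolve_account_id(ExpiredStsClient(), cache, local=True)
        try:  # A fresh fetch with expired creds still fails, as it should.
            resolve_account_id(ExpiredStsClient(), cache, local=False)
            refetch = "ok"
        except ExpiredTokenError:
            refetch = "expired"
    return fetched, reanalyzed, refetch
```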