nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool
GNU General Public License v2.0

ScoutSuite CLI errors #464

Closed ghost closed 5 years ago

ghost commented 5 years ago

Hello Team, we have followed the steps mentioned in the document https://github.com/nccgroup/ScoutSuite/wiki/Amazon-Web-Services and created a new user with the ReadOnlyAccess and SecurityAudit policies attached to it. ScoutSuite is installed on Kali Linux. We have tried using both of the below commands:

  1. python scout.py aws --regions us-east-2 us-east-1 us-west-1 us-west-2 ap-east-1 ap-south-1 ap-northeast-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ca-central-1 cn-north-1 cn-northwest-1 eu-central-1 eu-west-1 eu-west-2 eu-west-3 eu-north-1 sa-east-1 us-gov-east-1 us-gov-west-1
  2. python scout.py aws

Still getting multiple errors while running the ScoutSuite scan, as follows:

2019-07-11 10:48:34 kali scout[4703] ERROR config.py L20: Failed to get Config recorders: An error occurred (UnrecognizedClientException) when calling the DescribeConfigurationRecorders operation: The security token included in the request is invalid.
2019-07-11 10:48:34 kali scout[4703] ERROR config.py L11: Failed to get Config rules: An error occurred (UnrecognizedClientException) when calling the DescribeConfigRules operation: The security token included in the request is invalid.
2019-07-11 10:48:35 kali scout[4703] ERROR elasticache.py L48: Failed to get ElastiCache security groups: An error occurred (InvalidClientTokenId) when calling the DescribeCacheSecurityGroups operation: The security token included in the request is invalid.
2019-07-11 10:48:35 kali scout[4703] ERROR ec2.py L65: Failed to describe EC2 VPC: An error occurred (AuthFailure) when calling the DescribeVpcs operation: AWS was not able to validate the provided access credentials
2019-07-11 10:48:35 kali scout[4703] ERROR elasticache.py L80: Failed to describe cache parameter groups: An error occurred (InvalidClientTokenId) when calling the DescribeCacheParameterGroups operation: The security token included in the request is invalid.
2019-07-11 10:48:38 kali scout[4703] ERROR awslambda.py L9: Failed to get Lambda functions: An error occurred (UnrecognizedClientException) when calling the ListFunctions operation: The security token included in the request is invalid.
2019-07-11 10:48:38 kali scout[4703] ERROR ec2.py L65: Failed to describe EC2 VPC: An error occurred (AuthFailure) when calling the DescribeVpcs operation: AWS was not able to validate the provided access credentials.
2019-07-11 10:48:39 kali scout[4703] ERROR elb.py L52: Failed to describe ELB policies: An error occurred (InvalidClientTokenId) when calling the DescribeLoadBalancers operation: The security token included in the request is invalid.
2019-07-11 10:48:40 kali scout[4703] ERROR cloudtrail.py L13: Failed to describe CloudTrail trail: An error occurred (UnrecognizedClientException) when calling the DescribeTrails operation: The security token included in the request is invalid.
2019-07-11 10:48:41 kali scout[4703] ERROR cloudwatch.py L10: Failed to get CloudWatch alarms: An error occurred (InvalidClientTokenId) when calling the DescribeAlarms operation: The security token included in the request is invalid.

Reports are being generated but findings for some services are not opening. Please advise as appropriate.

x4v13r64 commented 5 years ago

This looks to be a duplicate of https://github.com/nccgroup/ScoutSuite/issues/381.

To confirm run without specifying the ap-east-1 region.

ghost commented 5 years ago

Hi, tried the scan without specifying the ap-east-1 region; the (UnrecognizedClientException) and (InvalidClientTokenId) issues are resolved.

But now getting the following errors:

Task exception was never retrieved
future: <Task finished coro=<IAMFacade._get_and_set_user_groups() done, defined at /home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/iam.py:122> exception=ClientError('An error occurred (Throttling) when calling the ListGroupsForUser operation (reached max retries: 4): Rate exceeded')>
Traceback (most recent call last):
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/iam.py", line 124, in _get_and_set_user_groups
    'iam', None, self.session, 'list_groups_for_user', 'Groups', UserName=user['UserName'])
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/utils.py", line 28, in get_all_pages
    service, region, session, paginator_name, [entity], *paginator_args)
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/utils.py", line 58, in get_multiple_entities_from_all_pages
    return await run_concurrently(lambda: AWSFacadeUtils._get_all_pages_from_paginator(paginator, entities))
  File "/usr/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/utils.py", line 58, in <lambda>
    return await run_concurrently(lambda: AWSFacadeUtils._get_all_pages_from_paginator(paginator, entities))
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/facade/utils.py", line 74, in _get_all_pages_from_paginator
    for page in paginator:
  File "/home/ec2-user/ScoutSuite/venv/lib/python3.7/site-packages/botocore/paginate.py", line 255, in __iter__
    response = self._make_request(current_kwargs)
  File "/home/ec2-user/ScoutSuite/venv/lib/python3.7/site-packages/botocore/paginate.py", line 332, in _make_request

Please help me with this.

x4v13r64 commented 5 years ago

Looks like you're being rate limited by AWS, try running with a lower count of --max-workers (e.g. 5).

ghost commented 5 years ago

Hi, sorry, my bad: I was on another branch, so the issues we were facing were with 5.1.0. Now that we have switched to the master branch the paginator issues are resolved, but we are facing IAM-related issues.

2019-07-12 09:49:55 kali scout[2678] ERROR s3.py L144: Failed to get bucket policy for test-bucket: An error occurred (AccessDenied) when calling the GetBucketPolicy operation: Access Denied
2019-07-12 09:49:55 kali scout[2678] ERROR s3.py L86: Failed to get web hosting configuration for test-bucket-2: An error occurred (AccessDenied) when calling the GetBucketWebsite operation: Access Denied
Task exception was never retrieved
future: <Task finished coro=<Groups.fetch_all() done, defined at /home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/resources/iam/groups.py:5> exception=KeyError('Users')>
Traceback (most recent call last):
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/resources/iam/groups.py", line 8, in fetch_all
    name, resource = self._parse_group(raw_group)
  File "/home/ec2-user/ScoutSuite/ScoutSuite/providers/aws/resources/iam/groups.py", line 18, in _parse_group
    raw_group['users'] = raw_group.pop('Users')
KeyError: 'Users'
2019-07-12 09:49:55 kali scout[2678] ERROR services.py L53: Could not fetch iam configuration: None

Please advise as appropriate.

x4v13r64 commented 5 years ago

Looks to me like you aren't running Scout with the appropriate permissions?

ghost commented 5 years ago

These buckets are private, so access is denied; can that (a private bucket) be the reason for these errors?

x4v13r64 commented 5 years ago

Shouldn't be, just means the principal you're running Scout with doesn't have sufficient privileges on that bucket.

pradeephrish commented 5 years ago

I am seeing a similar issue with S3 buckets. I do have the permissions on S3 buckets specified here: https://github.com/nccgroup/ScoutSuite/wiki/AWS-Minimal-Privileges-Policy

x4v13r64 commented 5 years ago

Have you confirmed that these buckets don't have resource-policies that disallow those actions? The policy you linked explicitly includes the actions disallowed in your output.
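One way to check that point offline, as an added example that is not part of this thread or of Scout Suite itself: given a bucket policy document and the ARN of the audit principal, list the Deny statements that would block a specific call such as GetBucketPolicy or GetBucketWebsite. The policy, principal ARN and the `denies_for` helper are all constructed for illustration; Condition blocks are flagged rather than evaluated.

```python
import fnmatch
import json

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, arn):
    """Does a Principal element cover this ARN? Handles "*", explicit ARNs,
    and account-level principals (bare account id or account root ARN)."""
    if principal == "*":
        return True
    account = arn.split(":")[4]
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p in ("*", arn, account, f"arn:aws:iam::{account}:root") for p in aws)

def _action_matches(stmt, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    hit = lambda pats: any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    if "Action" in stmt:
        return hit(_as_list(stmt["Action"]))
    return not hit(_as_list(stmt.get("NotAction", [])))

def denies_for(policy_json, principal_arn, action, bucket):
    """Sids of Deny statements that block `action` on `bucket` for `principal_arn`.
    A trailing '?' marks a Deny gated by a Condition block, which this offline
    check cannot evaluate; such statements need manual review."""
    bucket_arn, hits = f"arn:aws:s3:::{bucket}", []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if not _action_matches(stmt, action):
            continue
        if not any(fnmatch.fnmatchcase(bucket_arn, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        hits.append(sid + "?" if "Condition" in stmt else sid)
    return hits

# Constructed sample bucket policy (not from the issue). The first Deny is the kind of
# resource-level statement that yields AccessDenied on GetBucketPolicy / GetBucketWebsite
# even though the audit user's identity policy (e.g. SecurityAudit) allows those actions.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyBucketConfigReads", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:GetBucketPolicy", "s3:GetBucketWebsite"],
     "Resource": "arn:aws:s3:::test-bucket"},
    {"Sid": "DenyOutsideVpc", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::test-bucket", "arn:aws:s3:::test-bucket/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
]})
```

In practice the policy document is what `aws s3api get-bucket-policy` returns for the bucket named in the log line, fetched with a principal that is allowed to read it.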

ghost commented 5 years ago

Issues are resolved: I listed the regions with the aws-cli and specified only those regions while performing the scan.
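The region filtering behind the ap-east-1 advice above and the final resolution, as an added example that is not part of this thread or of Scout Suite: an opt-in region the account has not enabled fails with the same UnrecognizedClientException / InvalidClientTokenId errors shown in the first post, and the cn-* and us-gov-* regions from the original command line belong to other partitions where standard credentials are not valid at all. The `describe-regions` JSON below is constructed, and `usable_regions`, `triage_requested` and `scout_command` are hypothetical helpers.

```python
import json
import shlex

# Constructed `aws ec2 describe-regions --all-regions` output (trimmed, not from the
# issue). OptInStatus is what separates a usable region from one the account has not
# enabled (ap-east-1 here), which fails with UnrecognizedClientException or
# InvalidClientTokenId rather than a message that names the region as the problem.
DESCRIBE_REGIONS = json.dumps({"Regions": [
    {"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
    {"RegionName": "eu-west-1", "OptInStatus": "opt-in-not-required"},
    {"RegionName": "ap-east-1", "OptInStatus": "not-opted-in"},
    {"RegionName": "me-south-1", "OptInStatus": "opted-in"},
]})

def usable_regions(describe_regions_json):
    """Regions the current credentials can actually call: opted-in or opt-in-not-required."""
    regions = json.loads(describe_regions_json)["Regions"]
    return sorted(r["RegionName"] for r in regions if r["OptInStatus"] != "not-opted-in")

def triage_requested(requested, describe_regions_json):
    """Map each requested region that would fail to the reason, before Scout is run."""
    known = {r["RegionName"]: r["OptInStatus"]
             for r in json.loads(describe_regions_json)["Regions"]}
    problems = {}
    for region in requested:
        if region not in known:
            # cn-* and us-gov-* belong to other partitions (aws-cn, aws-us-gov): standard
            # 'aws' partition credentials are not valid there, and describe-regions run
            # from the 'aws' partition never lists them.
            problems[region] = "not in this account's partition"
        elif known[region] == "not-opted-in":
            problems[region] = "opt-in region not enabled for this account"
    return problems

def scout_command(describe_regions_json):
    """Scout Suite invocation restricted to the regions the credentials can reach."""
    regions = " ".join(shlex.quote(r) for r in usable_regions(describe_regions_json))
    return f"python scout.py aws --regions {regions}"
```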