Closed lazize closed 2 years ago
File: assume_role
backupInitialAWSCredentials() {
if [[ $(printenv AWS_ACCESS_KEY_ID) && $(printenv AWS_SECRET_ACCESS_KEY) && $(printenv AWS_SESSION_TOKEN) ]]
then
INITIAL_AWS_ACCESS_KEY_ID=$(printenv AWS_ACCESS_KEY_ID)
INITIAL_AWS_SECRET_ACCESS_KEY=$(printenv AWS_SECRET_ACCESS_KEY)
INITIAL_AWS_SESSION_TOKEN=$(printenv AWS_SESSION_TOKEN)
else
echo -e "$RED ERROR Can't Backup Initial AWS Credentials $NORMAL"
exit 1
fi
}
As you can see below, my environment doesn't have any environment variable with the word AWS in it.
[root@ip-172-31-8-176 prowler]# env | grep -i AWS
[root@ip-172-31-8-176 prowler]#
Hi @lazize, we are going to check it and let you know asap.
Thanks @n4ch04. If I run without assume role, it works fine. It only fails if I try to assume a role in another account.
Hi @lazize, I've just checked it right now in an EC2 instance with an instance profile included in the trust relationship of the role that is going to be assumed in another account, and it is working. We have been making changes in that logic, so maybe you don't have the latest changes downloaded locally. Could you please try downloading the latest version and let us know if the problem persists? Thanks!!
I am using the latest version, as you can see below.
[root@ip-172-31-8-176 prowler]# git pull
Already up to date.
[root@ip-172-31-8-176 prowler]# ./prowler -R ProwlerExecRole -A "****4909" -M csv,html -T 43200
_
_ __ _ __ _____ _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V V /| | __/ |
| .__/|_| \___/ \_/\_/ |_|\___|_|v2.10.0-25May2022
|_| the handy cloud security tool
Date: Mon Jun 27 14:41:58 UTC 2022
Color code for results:
- INFO (Information)
- PASS (Recommended value)
- WARNING (Ignored by allowlist)
- FAIL (Fix required)
This report is being generated using credentials below:
AWS-CLI Profile: [default] AWS API Region: [us-east-1] AWS Filter Region: [all]
AWS Account: [****4909] UserId: [AROA****]
Caller Identity ARN: [arn:aws:sts::****4909:assumed-role/ProwlerEC2Role/i-000****]
ERROR Can't Backup Initial AWS Credentials
Hi @lazize, could you try replacing the backupInitialAWSCredentials() function with the following and see if it fixes the issue?
backupInitialAWSCredentials() {
if [[ $(printenv AWS_ACCESS_KEY_ID) && $(printenv AWS_SECRET_ACCESS_KEY) && $(printenv AWS_SESSION_TOKEN) ]]
then
INITIAL_AWS_ACCESS_KEY_ID=$(printenv AWS_ACCESS_KEY_ID)
INITIAL_AWS_SECRET_ACCESS_KEY=$(printenv AWS_SECRET_ACCESS_KEY)
INITIAL_AWS_SESSION_TOKEN=$(printenv AWS_SESSION_TOKEN)
fi
}
Thanks!
Yes, it works fine with this change.
@lazize, we were getting credentials from instance metadata before calling assume role; that's why we did not get an error. If the three AWS credential variables were not set, that function killed the execution. Really tricky bug... Thanks for your contribution!!
Please @lazize, could you send us the debug log using the following command?
bash -x ./prowler -R ProwlerExecRole -A "*****4909" -M csv,html -T 43200 1>debug.log 2>&1
We need it to investigate it a little more because the behaviour you're describing is not expected.
Sure, see the debug below. I anonymized my personal data. I executed only one specific check to keep it short.
If you want I can apply the fix proposed above and post the debug again.
[root@ip-172-31-8-176 prowler]# bash -x ./prowler -R ProwlerExecRole -A "****4909" -M csv,html -T 43200 -c check11 2>&1
+ PROWLER_VERSION=2.10.0-25May2022
++ dirname ./prowler
+ PROWLER_DIR=.
+ . ./include/default_variables
++ OPTRED=''
++ export OPTRED
++ OPTNORMAL=''
++ export OPTNORMAL
++ REGION=
++ export REGION
++ FILTERREGION=
++ export FILTERREGION
++ MAXITEMS=100
++ export MAXITEMS
++ MODE=text
++ export MODE
++ SEND_TO_SECURITY_HUB=0
++ export SEND_TO_SECURITY_HUB
++ TZ=UTC
++ export TZ
+++ date -u +%Y-%m-%dT%H:%M:%S%z
++ PROWLER_START_TIME=2022-06-28T11:55:08+0000
++ export PROWLER_START_TIME
+++ date -u +%Y%m%d%H%M%S
++ OUTPUT_DATE=20220628115508
++ export OUTPUT_DATE
++ QUIET=0
++ export QUIET
++ SEP=,
++ export SEP
++ KEEPCREDREPORT=0
++ export KEEPCREDREPORT
++ EXITCODE=0
++ export EXITCODE
++ FAILED_CHECK_FAILED_SCAN=1
++ export FAILED_CHECK_FAILED_SCAN
+ . ./include/colors
+ . ./include/os_detector
++ DATE_CMD=date
++ BASE64_CMD=base64
+ . ./include/aws_profile_loader
+ . ./include/awscli_detector
+ . ./include/whoami
+ . ./include/assume_role
+ . ./include/csv_header
+ . ./include/banner
+ . ./include/html_report
+ . ./include/tools_detector
+ . ./include/outputs_bucket
+ . ./include/outputs
++ EXTENSION_CSV=csv
++ EXTENSION_JSON=json
++ EXTENSION_ASFF=asff.json
++ EXTENSION_TEXT=txt
++ EXTENSION_HTML=html
++ HTML_LOGO_URL=https://github.com/prowler-cloud/prowler/
++ HTML_LOGO_IMG=https://github.com/prowler-cloud/prowler/raw/master/util/html/prowler-logo-new.png
++ PROWLER_PARAMETERS='-R ProwlerExecRole -A ****4909 -M csv,html -T 43200 -c check11'
+ . ./include/credentials_report
+ . ./include/scoring
+ . ./include/secrets_detector
+ . ./include/check_creds_last_used
+ . ./include/check3x
+ . ./include/connection_tests
+ . ./include/securityhub_integration
+ . ./include/junit_integration
++ JUNIT_OUTPUT_DIRECTORY=junit-reports
++ JUNIT_TESTS_COUNT=0
++ JUNIT_SUCCESS_COUNT=0
++ JUNIT_FAILURES_COUNT=0
++ JUNIT_SKIPPED_COUNT=0
++ JUNIT_ERRORS_COUNT=0
+ . ./include/organizations_metadata
+ . ./include/custom_checks
+ . ./include/allowlist
+ . ./include/db_connector
++ SUPPORTED_DB_PROVIDERS=postgresql
++ export SUPPORTED_DB_PROVIDERS
+ . ./include/show_titles
+ . ./include/loader
+ . ./include/execute_check
+ . ./include/validate_options
+ . ./include/traps
+ jq_detector
+ command -v jq
+ curl_detector
+ command -v curl
+ set_aws_default_output
+ [[ -z '' ]]
+ ORIGINAL_OUTPUT=
+ export AWS_DEFAULT_OUTPUT=json
+ AWS_DEFAULT_OUTPUT=json
+ getopts :hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:O:a:d: OPTION
+ case $OPTION in
+ ROLE_TO_ASSUME=ProwlerExecRole
+ getopts :hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:O:a:d: OPTION
+ case $OPTION in
+ ACCOUNT_TO_ASSUME=****4909
+ getopts :hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:O:a:d: OPTION
+ case $OPTION in
+ MODE=csv,html
+ getopts :hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:O:a:d: OPTION
+ case $OPTION in
+ SESSION_DURATION_TO_ASSUME=43200
+ getopts :hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:O:a:d: OPTION
+ case $OPTION in
+ CHECK_ID=check11
+ getopts :hlLkqp:r:c:C:g:f:m:M:E:x:enbVsSI:A:R:T:w:N:o:B:D:F:zZ:O:a:d: OPTION
+ set_colors
+ [[ csv,html =~ mono ]]
+ NORMAL=''
+ WARNING=''
+ NOTICE=''
+ OK=''
+ BAD=''
+ CYAN=''
+ BLUE=''
+ BROWN=''
+ MAGENTA=''
+ RED=''
+ YELLOW=''
+ prowlerBanner
+ [[ '' != \0 ]]
+ echo -e ' _'
_
+ echo -e ' _ __ _ __ _____ _| | ___ _ __'
_ __ _ __ _____ _| | ___ _ __
+ echo -e ' | '\''_ \| '\''__/ _ \ \ /\ / / |/ _ \ '\''__|'
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
+ echo -e ' | |_) | | | (_) \ V V /| | __/ |'
| |_) | | | (_) \ V V /| | __/ |
+ echo -e ' | .__/|_| \___/ \_/\_/ |_|\___|_|v2.10.0-25May2022'
| .__/|_| \___/ \_/\_/ |_|\___|_|v2.10.0-25May2022
+ echo -e ' |_| the handy cloud security tool\n'
|_| the handy cloud security tool
++ date
+ echo -e ' Date: Tue Jun 28 11:55:08 UTC 2022'
Date: Tue Jun 28 11:55:08 UTC 2022
+ printColorsCode
+ [[ ! csv,html =~ mono ]]
+ echo -e '\n Color code for results: '
Color code for results:
+ echo -e ' - INFO (Information)'
- INFO (Information)
+ echo -e ' - PASS (Recommended value)'
- PASS (Recommended value)
+ echo -e ' - WARNING (Ignored by allowlist)'
- WARNING (Ignored by allowlist)
+ echo -e ' - FAIL (Fix required)'
- FAIL (Fix required)
+ load_groups
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group10_hipaa
++ GROUP_ID[10]=hipaa
++ GROUP_NUMBER[10]=10.0
++ GROUP_TITLE[10]='HIPAA Compliance - ONLY AS REFERENCE - [hipaa] ****************'
++ GROUP_CHECKS[10]=check12,check113,check23,check26,check27,check29,extra718,extra725,extra72,extra75,extra717,extra729,extra734,check38,extra73,extra740,extra735,check112,check13,check15,check16,check17,check18,check19,check21,check24,check28,check31,check310,check311,check312,check313,check314,check32,check33,check34,check35,check36,check37,check39,extra792
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group11_secrets
++ GROUP_ID[11]=secrets
++ GROUP_NUMBER[11]=11.0
++ GROUP_TITLE[11]='Look for keys secrets or passwords around resources - [secrets]'
++ GROUP_CHECKS[11]=extra741,extra742,extra759,extra760,extra768,extra775,extra7141
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group12_apigateway
++ GROUP_ID[12]=apigateway
++ GROUP_NUMBER[12]=12.0
++ GROUP_TITLE[12]='API Gateway security checks - [apigateway] ********************'
++ GROUP_CHECKS[12]=extra722,extra743,extra744,extra745,extra746
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group13_rds
++ GROUP_ID[13]=rds
++ GROUP_NUMBER[13]=13.0
++ GROUP_TITLE[13]='RDS security checks - [rds] ***********************************'
++ GROUP_CHECKS[13]=extra78,extra723,extra735,extra739,extra747,extra7113,extra7131,extra7132,extra7133
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group14_elasticsearch
++ GROUP_ID[14]=elasticsearch
++ GROUP_NUMBER[14]=14.0
++ GROUP_TITLE[14]='Elasticsearch related security checks - [elasticsearch] *******'
++ GROUP_CHECKS[14]=extra715,extra716,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra7101
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group15_pci
++ GROUP_ID[15]=pci
++ GROUP_NUMBER[15]=15.0
++ GROUP_TITLE[15]='PCI-DSS v3.2.1 Readiness - ONLY AS REFERENCE - [pci] **********'
++ GROUP_CHECKS[15]=check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check112,check113,check114,check116,check21,check23,check25,check26,check27,check28,check29,check314,check36,check38,check43,extra711,extra713,extra717,extra718,extra72,extra729,extra735,extra738,extra740,extra744,extra748,extra75,extra750,extra751,extra753,extra754,extra755,extra773,extra78,extra780,extra781,extra782,extra783,extra784,extra785,extra787,extra788,extra798
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group16_trustboundaries
++ GROUP_ID[16]=trustboundaries
++ GROUP_NUMBER[16]=16.0
++ GROUP_TITLE[16]='Find cross-account trust boundaries - [trustboundaries] *******'
++ GROUP_CHECKS[16]=extra789,extra790
++ GROUP_TRUSTBOUNDARIES_TRUSTED_ACCOUNT_IDS=
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group17_internetexposed
++ GROUP_ID[17]=internet-exposed
++ GROUP_NUMBER[17]=17.0
++ GROUP_TITLE[17]='Find resources exposed to the internet - [internet-exposed] ***'
++ GROUP_CHECKS[17]=check41,check42,check45,check46,extra72,extra73,extra74,extra76,extra77,extra78,extra79,extra710,extra711,extra716,extra723,extra727,extra731,extra736,extra738,extra745,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra770,extra771,extra778,extra779,extra787,extra788,extra795,extra796,extra798,extra7102,extra7134,extra7135,extra7136,extra7137,extra7138
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group18_iso27001
++ GROUP_ID[18]=iso27001
++ GROUP_NUMBER[18]=18.0
++ GROUP_TITLE[18]='ISO 27001:2013 Readiness - ONLY AS REFERENCE - [iso27001] *****'
++ GROUP_CHECKS[18]=check11,check110,check111,check112,check113,check114,check115,check116,check119,check12,check122,check13,check14,check15,check16,check17,check18,check19,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check310,check311,check312,check313,check314,check32,check33,check34,check35,check36,check37,check38,check39,check41,check42,check43,check44,extra71,extra710,extra7100,extra711,extra7113,extra7123,extra7125,extra7126,extra7128,extra7129,extra713,extra714,extra7130,extra718,extra719,extra72,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra731,extra73,extra731,extra735,extra739,extra74,extra741,extra747,extra748,extra75,extra757,extra758,extra759,extra76,extra760,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra77,extra771,extra772,extra774,extra776,extra777,extra778,extra78,extra789,extra79,extra790,extra792,extra793,extra794,extra795,extra796,extra798
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group19_eks-cis
++ GROUP_ID[19]=eks-cis
++ GROUP_NUMBER[19]=19.0
++ GROUP_TITLE[19]='CIS EKS Benchmark - [eks-cis] *********************************'
++ GROUP_CHECKS[19]=extra765,extra794,extra795,extra796,extra797
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group1_iam
++ GROUP_ID[1]=group1
++ GROUP_NUMBER[1]=1.0
++ GROUP_TITLE[1]='Identity and Access Management - CIS only - [group1] ***********'
++ GROUP_CHECKS[1]=check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group20_ffiec
++ GROUP_ID[20]=ffiec
++ GROUP_NUMBER[20]=20.0
++ GROUP_TITLE[20]='FFIEC Cybersecurity Readiness - ONLY AS REFERENCE - [ffiec] ***'
++ GROUP_CHECKS[20]=check11,check12,check13,check14,check16,check18,check19,check21,check23,check25,check29,check29,check31,check32,check33,check34,check35,check36,check37,check37,check38,check39,check41,check42,check43,check110,check112,check113,check116,check310,check311,check312,check313,check314,extra72,extra76,extra78,extra711,extra723,extra729,extra731,extra734,extra735,extra763,extra792
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group21_soc2
++ GROUP_ID[21]=soc2
++ GROUP_NUMBER[21]=21.0
++ GROUP_TITLE[21]='SOC2 Readiness - ONLY AS REFERENCE - [soc2] *******************'
++ GROUP_CHECKS[21]=check110,check111,check113,check12,check122,check13,check15,check16,check17,check18,check19,check21,check31,check310,check32,check33,check34,check35,check36,check37,check38,check39,check41,check42,check43,extra711,extra72,extra723,extra729,extra731,extra734,extra735,extra739,extra76,extra78,extra792
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group22_sagemaker
++ GROUP_ID[22]=sagemaker
++ GROUP_NUMBER[22]=22.0
++ GROUP_TITLE[22]='Amazon SageMaker related security checks - [sagemaker] ********'
++ GROUP_CHECKS[22]=extra7103,extra7104,extra7111,extra7112,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group23_ens
++ GROUP_ID[23]=ens
++ GROUP_NUMBER[23]=23.0
++ GROUP_TITLE[23]='ENS Esquema Nacional de Seguridad security checks - [ens] *****'
++ GROUP_CHECKS[23]=extra733,extra7123,check13,check14,check121,extra7100,check120,check116,extra7124,check12,extra7125,check14,check13,check21,check25,extra7127,check35,check24,check31,check36,check32,check33,check34,check22,extra71,check23,check23,check27,check37,extra736,check28,extra713,check21,check29,extra793,extra792,extra764,extra738,check43,extra74,extra710,extra75,check41,check42,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra7128,extra729,extra761,extra740,extra735,extra734,extra728,extra781,extra773,extra744,extra7126,extra7129
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group24_glue
++ GROUP_ID[24]=glue
++ GROUP_NUMBER[24]=24.0
++ GROUP_TITLE[24]='Amazon Glue related security checks - [glue] ******************'
++ GROUP_CHECKS[24]=extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group25_FTR
++ GROUP_ID[25]=ftr
++ GROUP_NUMBER[25]=25.0
++ GROUP_TITLE[25]='Amazon FTR related security checks - [ftr] ********************'
++ GROUP_CHECKS[25]=check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check111,check112,check113,check117,check118,check122,check21,check22,extra759,extra760,extra768,extra775,extra797,extra7141,extra73
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group26_ds
++ GROUP_ID[26]=ds
++ GROUP_NUMBER[26]=26.0
++ GROUP_TITLE[26]='Amazon Directory Service related security checks - [ds] *******'
++ GROUP_CHECKS[26]=extra7181,extra7182,extra7183,extra7184
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group2_logging
++ GROUP_ID[2]=group2
++ GROUP_NUMBER[2]=2.0
++ GROUP_TITLE[2]='Logging - CIS only - [group2] **********************************'
++ GROUP_CHECKS[2]=check21,check22,check23,check24,check25,check26,check27,check28,check29
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group3_monitoring
++ GROUP_ID[3]=group3
++ GROUP_NUMBER[3]=3.0
++ GROUP_TITLE[3]='Monitoring - CIS only - [group3] *******************************'
++ GROUP_CHECKS[3]=check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group4_networking
++ GROUP_ID[4]=group4
++ GROUP_NUMBER[4]=4.0
++ GROUP_TITLE[4]='Networking - CIS only - [group4] *******************************'
++ GROUP_CHECKS[4]=check41,check42,check43,check44,check45,check46
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group5_cislevel1
++ GROUP_ID[5]=cislevel1
++ GROUP_NUMBER[5]=5.0
++ GROUP_TITLE[5]='CIS Level 1 - CIS only - [cislevel1] ***************************'
++ GROUP_CHECKS[5]=check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check115,check116,check117,check118,check119,check120,check122,check21,check23,check24,check25,check26,check31,check32,check33,check34,check35,check38,check312,check313,check314,check41,check42
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group6_cislevel2
++ GROUP_ID[6]=cislevel2
++ GROUP_NUMBER[6]=6.0
++ GROUP_TITLE[6]='CIS Level 2 - CIS only - [cislevel2] ***************************'
++ GROUP_CHECKS[6]=check11,check12,check13,check14,check15,check16,check17,check18,check19,check110,check111,check112,check113,check114,check115,check116,check117,check118,check119,check120,check121,check122,check21,check22,check23,check24,check25,check26,check27,check28,check29,check31,check32,check33,check34,check35,check36,check37,check38,check39,check310,check311,check312,check313,check314,check41,check42,check43,check44
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group7_extras
++ GROUP_ID[7]=extras
++ GROUP_NUMBER[7]=7.0
++ GROUP_TITLE[7]='Extras - all non CIS specific checks - [extras] ****************'
++ GROUP_CHECKS[7]=extra71,extra72,extra73,extra74,extra75,extra76,extra77,extra78,extra79,extra710,extra711,extra712,extra713,extra714,extra715,extra716,extra717,extra718,extra719,extra720,extra721,extra722,extra723,extra724,extra725,extra726,extra727,extra728,extra729,extra730,extra731,extra732,extra733,extra734,extra735,extra736,extra738,extra739,extra740,extra741,extra742,extra743,extra744,extra745,extra746,extra747,extra748,extra749,extra750,extra751,extra752,extra753,extra754,extra755,extra757,extra758,extra761,extra762,extra763,extra764,extra765,extra767,extra768,extra769,extra770,extra771,extra772,extra773,extra774,extra775,extra776,extra777,extra778,extra779,extra780,extra781,extra782,extra783,extra784,extra785,extra786,extra787,extra788,extra791,extra792,extra793,extra794,extra795,extra796,extra797,extra798,extra799,extra7100,extra7101,extra7102,extra7103,extra7104,extra7105,extra7106,extra7107,extra7108,extra7109,extra7110,extra7111,extra7112,extra7113,extra7114,extra7115,extra7116,extra7117,extra7118,extra7119,extra7120,extra7121,extra7122,extra7123,extra7124,extra7125,extra7126,extra7127,extra7128,extra7129,extra7130,extra7131,extra7132,extra7133,extra7134,extra7135,extra7136,extra7137,extra7138,extra7139,extra7140,extra7141,extra7142,extra7143,extra7144,extra7145,extra7146,extra7147,extra7148,extra7149,extra7150,extra7151,extra7152,extra7153,extra7154,extra7155,extra7156,extra7157,extra7158,extra7159,extra7160,extra7161,extra7162,extra7163,extra7164,extra7165,extra7166,extra7167,extra7168,extra7169,extra7170,extra7171,extra7172,extra7173,extra7174,extra7175,extra7176,extra7177,extra7178,extra7179,extra7180,extra7181,extra7182,extra7183,extra7184,extra7185,extra7186,extra7187,extra7188,extra7189
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group8_forensics
++ GROUP_ID[8]=forensics-ready
++ GROUP_NUMBER[8]=8.0
++ GROUP_TITLE[8]='Forensics Readiness - [forensics-ready] ************************'
++ GROUP_CHECKS[8]=check21,check22,check23,check24,check25,check26,check27,check29,extra712,extra713,extra714,extra715,extra717,extra718,extra719,extra720,extra721,extra722,extra725,extra7101,extra794
+ for group in '"${PROWLER_DIR}"/groups/group[0-9]*'
+ . ./groups/group9_gdpr
++ GROUP_ID[9]=gdpr
++ GROUP_NUMBER[9]=9.0
++ GROUP_TITLE[9]='GDPR Readiness - ONLY AS REFERENCE - [gdpr] ********************'
++ GROUP_CHECKS[9]=extra718,extra725,extra727,check12,check113,check114,extra71,extra731,extra732,extra733,check25,check39,check21,check22,check23,check24,check26,check27,check35,extra726,extra714,extra715,extra717,extra719,extra720,extra721,extra722,check43,check25,extra714,extra729,extra734,extra735,extra736,extra738,extra740,extra761,check11,check110,check111,check112,check116,check120,check122,check13,check14,check15,check16,check17,check18,check19,check28,check29,check31,check310,check311,check312,check313,check314,check32,check33,check34,check36,check37,check38,check41,check42,extra711,extra72,extra723,extra730,extra739,extra76,extra763,extra778,extra78,extra792,extra798
+ get_checks
+ [[ -n '' ]]
+ [[ -n '' ]]
+ '[' -n check11 ']'
+ IFS=,
+ read -ra TOTAL_CHECKS
+ for LOAD_PATH_CHECK in '"${TOTAL_CHECKS[@]}"'
+ [[ check11 =~ extra ]]
+ load_check check11
+ CHECK=check11
+ . ./checks/check11
++ CHECK_ID_check11=1.1
++ CHECK_TITLE_check11='[check11] Avoid the use of the root account'
++ CHECK_SCORED_check11=SCORED
++ CHECK_CIS_LEVEL_check11=LEVEL1
++ CHECK_SEVERITY_check11=High
++ CHECK_ASFF_TYPE_check11='Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark'
++ CHECK_ALTERNATE_check101=check11
++ CHECK_SERVICENAME_check11=iam
++ CHECK_RISK_check11='The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.'
++ CHECK_REMEDIATION_check11='Follow the remediation instructions of the Ensure IAM policies are attached only to groups or roles recommendation.'
++ CHECK_DOC_check11=http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
++ CHECK_CAF_EPIC_check11=IAM
+ trap clean_up EXIT
+ trap handle_ctrl_c INT
+ unset AWS_DEFAULT_OUTPUT
+ os_detector
+ '[' linux-gnu == linux-gnu ']'
++ mktemp -t -p /tmp prowler.cred_report-XXXXXX
+ TEMP_REPORT_FILE=/tmp/prowler.cred_report-P3NfRz
++ get_iso8601_timestamp
++ gnu_get_iso8601_timestamp
++ date -u +%Y-%m-%dT%H:%M:%SZ
+ TIMESTAMP=2022-06-28T11:55:08Z
+ validate_list_checks
+ [[ '' -eq 1 ]]
+ validate_list_groups
+ [[ '' -eq 1 ]]
+ validate_database
+ [[ -n '' ]]
+ validate_modes
+ '[' -n csv,html ']'
+ AVAILABLE_OUTPUT_MODES='mono|text|csv|json|json-asff|junit-xml|html'
+ OIFS='
'
+ IFS=,
+ for MODE_TYPE in '${MODE}'
+ grep -w -q -E 'mono|text|csv|json|json-asff|junit-xml|html'
+ for MODE_TYPE in '${MODE}'
+ grep -w -q -E 'mono|text|csv|json|json-asff|junit-xml|html'
+ IFS='
'
+ validate_output_bucket
+ [[ -n '' ]]
+ aws_cli_detector
++ which aws
+ '[' '!' -z /usr/local/sbin/aws ']'
++ which aws
+ AWSCLI=/usr/local/sbin/aws
+ aws_profile_loader
++ curl -s -m 1 http://169.254.169.254/latest/meta-data/iam/security-credentials/
+ INSTANCE_PROFILE=
+ echo ''
+ grep -q '404 - Not Found'
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ '' == \C\l\o\u\d\S\h\e\l\l ]]
+ PROFILE=default
+ PROFILE_OPT='--profile default'
+ PROFILE_OPT_BAK='--profile default'
++ aws configure get region
+ REGION_CONFIG=us-east-1
+ [[ -n '' ]]
+ [[ -n us-east-1 ]]
+ REGION=us-east-1
+ get_caller_identity
+ case "$REGION" in
+ REGION_FOR_STS=us-east-1
++ /usr/local/sbin/aws sts get-caller-identity --profile default --output text --region us-east-1 --query '[Arn,UserId,Account]'
+ GETCALLER='arn:aws:sts::****4909:assumed-role/ProwlerEC2Role/i-000**** AROA****:i-000**** ****4909'
+ read -r CALLER_ARN USER_ID ACCOUNT_NUM
+ [[ -n ****4909 ]]
+ ACCOUNT_NUM=****4909
++ cut -d: -f2
+ AWS_PARTITION=aws
+ export AWS_PARTITION
+ print_whoami
+ echo -e '\n This report is being generated using credentials below:\n'
This report is being generated using credentials below:
+ echo -e ' AWS-CLI Profile: [default] AWS API Region: [us-east-1] AWS Filter Region: [all]'
AWS-CLI Profile: [default] AWS API Region: [us-east-1] AWS Filter Region: [all]
+ echo -e ' AWS Account: [****4909] UserId: [AROA****:i-000****]'
AWS Account: [****4909] UserId: [AROA****:i-000****]
+ echo -e ' Caller Identity ARN: [arn:aws:sts::****4909:assumed-role/ProwlerEC2Role/i-000****]\n'
Caller Identity ARN: [arn:aws:sts::****4909:assumed-role/ProwlerEC2Role/i-000****]
+ validate_allowlist
+ [[ -n '' ]]
+ validate_organizations
+ [[ -n '' ]]
+ validate_assume_role
+ [[ -n ****4909 ]]
+ backupInitialAWSCredentials
++ printenv AWS_ACCESS_KEY_ID
+ [[ -n '' ]]
+ echo -e ' ERROR Can'\''t Backup Initial AWS Credentials '
ERROR Can't Backup Initial AWS Credentials
+ exit 1
+ clean_up
+ rm -f '/tmp/prowler*.policy.*'
+ '[' -z '' ']'
+ export AWS_DEFAULT_OUTPUT=
+ AWS_DEFAULT_OUTPUT=
+ [[ 0 -ne 1 ]]
+ rm -fr /tmp/prowler.cred_report-P3NfRz
+ cleanSTSAssumeFile
+ rm -fr ''
+ rm -fr ''
[root@ip-172-31-8-176 prowler]#
Here is the code that is calling the backupInitialAWSCredentials function, based on my debug log above.
validate_assume_role() {
if [[ -n "${ACCOUNT_TO_ASSUME}" || -n "${ROLE_TO_ASSUME}" ]]
then
backupInitialAWSCredentials
assume_role
fi
}
Hi, I have the same problem when using the -A and -R options (in my case I'm using them even for the same account), and it gives me the same error.
If I comment out the backupInitialAWSCredentials function call inside validate_assume_role(), then it works fine. I did it because the $(printenv AWS_ACCESS_KEY_ID) && $(printenv AWS_SECRET_ACCESS_KEY) && $(printenv AWS_SESSION_TOKEN) condition of that function is always going to return false, as those env variables have never been set.
Hi @orsifacundo, it only fails when launching the tool with a profile whose credentials are stored in the config file. We have removed the exit conditional in that function; please let us know of any new failures.
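The thread converges on dropping the exit from backupInitialAWSCredentials. The following is an added example (not Prowler's own code) of a backup/restore pair that treats missing environment credentials as the normal instance-profile or config-file case, distinguishes long-lived keys from session credentials, and unsets the assumed-role variables on restore instead of exporting empty strings; fake_assume_role and demo_cycle are constructed stand-ins for the STS call and the calling sequence.

```shell
#!/bin/sh
# Added example, not Prowler's code: back up whatever static credentials are in
# the environment before an assume-role step and restore them afterwards.
# Missing variables are a legitimate state (EC2 instance profile, container
# role, or a profile in ~/.aws/config), so nothing here ever exits on them.

# Classify the credential source from the environment alone.
# Prints one of: none | static | session
credential_source() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
            echo session   # temporary credentials (STS/SSO) in the environment
        else
            echo static    # long-lived access key, no session token
        fi
    else
        echo none          # instance profile, container role, or config-file profile
    fi
}

# Save the current environment credentials (possibly empty) and the source
# they came from. Always returns 0: an empty backup is not an error.
backupInitialAWSCredentials() {
    INITIAL_CRED_SOURCE=$(credential_source)
    INITIAL_AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-}
    INITIAL_AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}
    INITIAL_AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN:-}
    return 0
}

# Put the environment back the way it was. When nothing was set before
# (instance-profile case), the assumed-role variables are unset rather than
# exported as empty strings, so later CLI calls use the original chain again.
restoreInitialAWSCredentials() {
    if [ "${INITIAL_CRED_SOURCE:-none}" = none ]; then
        unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    else
        export AWS_ACCESS_KEY_ID="$INITIAL_AWS_ACCESS_KEY_ID"
        export AWS_SECRET_ACCESS_KEY="$INITIAL_AWS_SECRET_ACCESS_KEY"
        if [ -n "$INITIAL_AWS_SESSION_TOKEN" ]; then
            export AWS_SESSION_TOKEN="$INITIAL_AWS_SESSION_TOKEN"
        else
            unset AWS_SESSION_TOKEN   # a static key never had a token
        fi
    fi
}

# Constructed stand-in for the STS call: exports fake temporary credentials
# exactly the way an assume_role step would.
fake_assume_role() {
    export AWS_ACCESS_KEY_ID="ASIAEXAMPLEASSUMED"
    export AWS_SECRET_ACCESS_KEY="constructed-secret"
    export AWS_SESSION_TOKEN="constructed-token"
}

# Run backup -> assume -> restore from a chosen starting state and print
# "<source-before>:<source-after>". "none" is the EC2 scenario in the thread.
demo_cycle() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    case "$1" in
        static)  export AWS_ACCESS_KEY_ID=AKIAEXAMPLE AWS_SECRET_ACCESS_KEY=s ;;
        session) export AWS_ACCESS_KEY_ID=ASIAEXAMPLE AWS_SECRET_ACCESS_KEY=s \
                        AWS_SESSION_TOKEN=t ;;
    esac
    before=$(credential_source)
    backupInitialAWSCredentials
    fake_assume_role
    restoreInitialAWSCredentials
    echo "$before:$(credential_source)"
}
```

Running `demo_cycle none` reproduces the reporter's situation: the environment is empty before the assumed-role step and empty again afterwards, with no exit in between.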
What happened?
When I run Prowler to assume role on another account it gives me the error below:
As it is running inside an EC2 instance, I don't have any environment variable set with credentials, so it doesn't need to back up any current credential.
How to reproduce it
Steps to reproduce the behavior:
./prowler -R ProwlerExecRole -A "*****4909" -M csv,html -T 43200
Organization
Expected behavior
Run it without any error.
Screenshots or Logs
From where are you running Prowler?
EC2 Instance
Amazon Linux 2
aws --version
aws-cli/2.7.11 Python/3.9.11 Linux/4.14.281-212.502.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off
./prowler -V
Prowler 2.10.0-25May2022
GNU bash, version 4.2.46(2)-release (x86_64-koji-linux-gnu)