prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

[Bug]: Could not connect to the endpoint URL: "https://sts.us-east.amazonaws.com/" #1654

Closed fgont closed 1 year ago

fgont commented 1 year ago

What happened?

Installed prowler, configured aws credentials, but when running it as prowler aws

I got:

                         _
 _ __  _ __ _____      _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V  V /| |  __/ |
| .__/|_|  \___/ \_/\_/ |_|\___|_|v3.0.1
|_| the handy cloud security tool

Date: 2023-01-04 16:04:26

2023-01-04 16:04:37,934 [File: audit_info.py:30]    [Module: audit_info]     CRITICAL: EndpointConnectionError -- Could not connect to the endpoint URL: "https://sts.us-east.amazonaws.com/"

How to reproduce it Steps to reproduce the behavior:

  1. What command are you running?

prowler aws

  2. Cloud provider you are launching

aws

  3. Environment you have like single account, multi-account, organizations, multi or single subscription, etc.

organization

  4. See error

2023-01-04 16:04:37,934 [File: audit_info.py:30] [Module: audit_info] CRITICAL: EndpointConnectionError -- Could not connect to the endpoint URL: "https://sts.us-east.amazonaws.com/"

Note: that domain name no longer resolves to any IP address.

Expected behavior

Screenshots or Logs If applicable, add screenshots to help explain your problem. Also, you can add logs (anonymize them first!). Here is a command that may help to share a log: prowler <your arguments> --log-level DEBUG --log-file $(date +%F)_debug.log, then attach the log file here.

(there seem to be other instances in the code of names that do not resolve to IP addresses)

From where are you running Prowler? Please, complete the following information:

VM instance (neither AWS nor GCP)

"Ubuntu 22.04.1 LTS"

Prowler 3.0.1

python3 --version Python 3.10.6

pip package

Additional context Add any other context about the problem here.

toniblyx commented 1 year ago

Thanks for reporting this to us. That seems too weird because there is no such endpoint as sts.us-east.amazonaws.com. us-east is not a valid region, actually. Can you see if you have anything wrong in your AWS configuration?

  1. First I would try with prowler aws --region us-east-1; if that works, it means your AWS configuration is not correct.
  2. I would review all my environment variables and configuration related to AWS doing env | grep AWS or echo $AWS_STS_REGIONAL_ENDPOINTS or looking at ~/.aws/config and ~/.aws/credentials.

Please, let us know what you both get.

toniblyx commented 1 year ago

We are mixing issues here, the SSH connection reset issue commented by @SrikanthREEF has been moved to https://github.com/prowler-cloud/prowler/issues/1659

We will keep here the issue with AWS STS Endpoints as requested by @fgont

n4ch04 commented 1 year ago

Hi @fgont, did the previous workaround solve your issue?

n4ch04 commented 1 year ago

Hi @fgont, since we are not receiving feedback from your side we assume that the issue is solved. We are going to close the issue; feel free to reopen or open another one if the issue persists.

Thanks for using Prowler!!

bobbyhiddn commented 1 week ago

Dealing with this issue in gov-cloud where the suffix amazonaws.com is not correct. This is the relevant snippet from aws_provider.py:

    @staticmethod
    def create_sts_session(
        session: Session, aws_region: str = AWS_STS_GLOBAL_ENDPOINT_REGION
    ) -> Session.client:
        """
        Create an STS session client.

        Parameters:
        - session (session.Session): The AWS session object.
        - aws_region (str): The AWS region to use for the session.

        Returns:
        - session.Session.client: The STS session client.

        Example:
            session = boto3.session.Session()
            sts_client = create_sts_session(session, 'us-west-2')
        """
        try:
            sts_endpoint_url = (
                f"https://sts.{aws_region}.amazonaws.com"
                if not aws_region.startswith("cn-")
                else f"https://sts.{aws_region}.amazonaws.com.cn"
            )
            return session.client("sts", aws_region, endpoint_url=sts_endpoint_url)
        except Exception as error:
            logger.critical(
                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
            )
            raise error

If this function allowed for an environment variable override like with region, we would be set, but we are currently having to build a custom version of the library.
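As an added example (not prowler's code and not posted by anyone in this thread), the following shows how the STS endpoint construction quoted above could be made partition-aware with an environment override, while also rejecting a malformed region such as the `us-east` from the original report instead of emitting a hostname that never resolves. The partition table, the `InvalidRegionError` class, the `build_sts_endpoint_url` function and the decision to honour a variable named `AWS_ENDPOINT_URL_STS` (the name follows the AWS SDK's service-specific endpoint convention) are this example's own assumptions, not prowler's API.

```python
import os
import re
from typing import Mapping, Optional

# Constructed, deliberately partial table of AWS partitions, keyed by the region-name
# prefix that identifies the partition and mapping to its public DNS suffix.
# The commercial partition ("aws") is the fallback below.
PARTITION_DNS_SUFFIX = {
    "cn-": "amazonaws.com.cn",   # aws-cn
    "us-gov-": "amazonaws.com",  # aws-us-gov (same suffix as commercial)
    "us-iso-": "c2s.ic.gov",     # aws-iso
    "us-isob-": "sc2s.sgov.gov", # aws-iso-b
}
DEFAULT_DNS_SUFFIX = "amazonaws.com"  # aws (commercial partition)

# A region name looks like "us-east-1" or "us-gov-west-1": a two-letter prefix,
# one or more dash-separated word segments, and a trailing number.
# "us-east" (from the original report) does not match and is rejected early.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")

# Hypothetical override variable for this example (name follows the SDK's
# AWS_ENDPOINT_URL_<SERVICE> convention); the example, not prowler, defines it.
STS_ENDPOINT_ENV = "AWS_ENDPOINT_URL_STS"


class InvalidRegionError(ValueError):
    """Raised when the region string cannot be a real AWS region name."""


def dns_suffix_for_region(aws_region: str) -> str:
    """Return the DNS suffix of the partition that owns aws_region."""
    for prefix, suffix in PARTITION_DNS_SUFFIX.items():
        if aws_region.startswith(prefix):
            return suffix
    return DEFAULT_DNS_SUFFIX


def build_sts_endpoint_url(
    aws_region: str, env: Optional[Mapping[str, str]] = None
) -> str:
    """Build the STS endpoint URL for aws_region, honouring an explicit override.

    The region is validated first in every case, because boto3 also uses it for
    request signing, so a malformed value would fail later with a less clear error.
    An override must be an https:// URL: STS returns credentials, and sending that
    exchange over plaintext is never acceptable.
    """
    env = os.environ if env is None else env
    if not REGION_RE.match(aws_region):
        raise InvalidRegionError(
            f"{aws_region!r} is not a valid AWS region name (expected e.g. 'us-east-1')"
        )
    override = env.get(STS_ENDPOINT_ENV, "").strip()
    if override:
        if not override.startswith("https://"):
            raise ValueError(f"{STS_ENDPOINT_ENV} must be an https:// URL, got {override!r}")
        return override.rstrip("/")
    return f"https://sts.{aws_region}.{dns_suffix_for_region(aws_region)}"


if __name__ == "__main__":
    # Constructed sample inputs: one region per partition plus the malformed one
    # from the original report, evaluated against an empty environment.
    for region in ("us-east-1", "cn-north-1", "us-gov-west-1", "us-isob-east-1", "us-east"):
        try:
            print(region, "->", build_sts_endpoint_url(region, env={}))
        except InvalidRegionError as exc:
            print(region, "-> rejected:", exc)
    # Constructed override, as a GovCloud or air-gapped deployment might set it.
    print(build_sts_endpoint_url("us-gov-west-1", env={STS_ENDPOINT_ENV: "https://sts.example.internal/"}))
```

The function would slot into the quoted `create_sts_session` in place of the inline f-string, with `session.client("sts", aws_region, endpoint_url=...)` unchanged; the `env` parameter exists so the logic can be unit-tested without touching the real process environment.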