Sending finding to AWS security hub without creds

monkey/monkey_island/cc/resources/aws_exporter.py

@@ -1,17 +1,17 @@
 import logging
 import uuid
 from datetime import datetime
+
 import boto3
 from botocore.exceptions import UnknownServiceError
 
+from common.cloud.aws_instance import AwsInstance
+from monkey_island.cc.environment.environment import load_server_configuration_from_file
 from monkey_island.cc.resources.exporter import Exporter
 from monkey_island.cc.services.config import ConfigService
-from monkey_island.cc.environment.environment import load_server_configuration_from_file
-from common.cloud.aws_instance import AwsInstance
 
 __author__ = 'maor.rayzin'
 
-
 logger = logging.getLogger(__name__)
 
 AWS_CRED_CONFIG_KEYS = [['cnc', 'aws_config', 'aws_access_key_id'],
@@ -23,18 +23,21 @@ class AWSExporter(Exporter):
 
     @staticmethod
     def handle_report(report_json):
-        aws = AwsInstance()
+
         findings_list = []
         issues_list = report_json['recommendations']['issues']
         if not issues_list:
             logger.info('No issues were found by the monkey, no need to send anything')
             return True
+
+        current_aws_region = AwsInstance().get_region()
+
         for machine in issues_list:
             for issue in issues_list[machine]:
                 if issue.get('aws_instance_id', None):
-                    findings_list.append(AWSExporter._prepare_finding(issue, aws.get_region()))
+                    findings_list.append(AWSExporter._prepare_finding(issue, current_aws_region))
 
-        if not AWSExporter._send_findings(findings_list, AWSExporter._get_aws_keys(), aws.get_region()):
+        if not AWSExporter._send_findings(findings_list, current_aws_region):
             logger.error('Exporting findings to aws failed')
             return False
 
@@ -100,17 +103,11 @@ class AWSExporter(Exporter):
         return AWSExporter.merge_two_dicts(finding, findings_dict[issue['type']](issue, instance_arn))
 
     @staticmethod
-    def _send_findings(findings_list, creds_dict, region):
+    def _send_findings(findings_list, region):
         try:
-            if not creds_dict:
-                logger.info('No AWS access credentials received in configuration')
-                return False
-
-            securityhub = boto3.client('securityhub',
-                                       aws_access_key_id=creds_dict.get('aws_access_key_id', ''),
-                                       aws_secret_access_key=creds_dict.get('aws_secret_access_key', ''),
-                                       region_name=region)
-
+            securityhub = boto3.client('securityhub', region_name=region)
+            # Assumes the machine has the correct IAM role to do this, @see
+            # https://github.com/guardicore/monkey/wiki/Monkey-Island:-Running-the-monkey-on-AWS-EC2-instances
             import_response = securityhub.batch_import_findings(Findings=findings_list)
             if import_response['ResponseMetadata']['HTTPStatusCode'] == 200:
                 return True
@@ -243,7 +240,8 @@ class AWSExporter(Exporter):
                         {0} in the networks {1} \
                         could directly access the Monkey Island server in the networks {2}.".format(issue['machine'],
                                                                                                     issue['networks'],
-                                                                                                    issue['server_networks']),
+                                                                                                    issue[
+                                                                                                                                   'server_networks']),
             instance_arn=instance_arn,
             instance_id=issue['aws_instance_id'] if 'aws_instance_id' in issue else None
         )