Before performing AWS functions, verify credentials

monkey/common/cloud/aws_service.py

@@ -1,4 +1,5 @@
 import boto3
+from botocore.exceptions import ClientError
 
 __author__ = 'itay.mizeretz'
 
@@ -39,6 +40,14 @@ class AwsService(object):
     def get_regions():
         return AwsService.get_session().get_available_regions('ssm')
 
+    @staticmethod
+    def test_client():
+        try:
+            AwsService.get_client('ssm').describe_instance_information()
+            return True
+        except ClientError:
+            return False
+
     @staticmethod
     def get_instances():
         return \

monkey/monkey_island/cc/resources/remote_run.py

@@ -15,7 +15,6 @@ class RemoteRun(flask_restful.Resource):
     def run_aws_monkeys(self, request_body):
         instances = request_body.get('instances')
         island_ip = request_body.get('island_ip')
-        RemoteRunAwsService.update_aws_auth_params()
         return RemoteRunAwsService.run_aws_monkeys(instances, island_ip)
 
     @jwt_required()
@@ -25,8 +24,10 @@ class RemoteRun(flask_restful.Resource):
             is_aws = RemoteRunAwsService.is_running_on_aws()
             resp = {'is_aws': is_aws}
             if is_aws:
-                RemoteRunAwsService.update_aws_auth_params()
+                is_auth = RemoteRunAwsService.update_aws_auth_params()
-                resp['instances'] = AwsService.get_instances()
+                resp['auth'] = is_auth
+                if is_auth:
+                    resp['instances'] = AwsService.get_instances()
             return jsonify(resp)
 
         return {}
@@ -34,9 +35,14 @@ class RemoteRun(flask_restful.Resource):
     @jwt_required()
     def post(self):
         body = json.loads(request.data)
+        resp = {}
         if body.get('type') == 'aws':
-            result = self.run_aws_monkeys(body)
+            is_auth = RemoteRunAwsService.update_aws_auth_params()
-            return jsonify({'result': result})
+            resp['auth'] = is_auth
+            if is_auth:
+                result = self.run_aws_monkeys(body)
+                resp['result'] = result
+            return jsonify(resp)
 
         # default action
         return make_response({'error': 'Invalid action'}, 500)

monkey/monkey_island/cc/services/remote_run_aws.py

@@ -10,6 +10,7 @@ __author__ = "itay.mizeretz"
 
 class RemoteRunAwsService:
     aws_instance = None
+    is_auth = False
 
     def __init__(self):
         pass
@@ -48,13 +49,19 @@ class RemoteRunAwsService:
     def update_aws_auth_params():
         """
         Updates the AWS authentication parameters according to config
-        :return: None
+        :return: True if new params allow successful authentication. False otherwise
         """
         access_key_id = ConfigService.get_config_value(['cnc', 'aws_config', 'aws_access_key_id'], False, True)
         secret_access_key = ConfigService.get_config_value(['cnc', 'aws_config', 'aws_secret_access_key'], False, True)
-        AwsService.set_auth_params(access_key_id, secret_access_key)
+
+        if (access_key_id != AwsService.access_key_id) or (secret_access_key != AwsService.secret_access_key):
+            AwsService.set_auth_params(access_key_id, secret_access_key)
+            RemoteRunAwsService.is_auth = AwsService.test_client()
+
         AwsService.set_region(RemoteRunAwsService.aws_instance.region)
 
+        return RemoteRunAwsService.is_auth
+
     @staticmethod
     def get_bitness(instances):
         """