Refactored aws access keys in config, added them to encrypted parameter list and added ScoutSuite specific exception

monkey/common/utils/exceptions.py

@@ -32,3 +32,7 @@ class InvalidAWSKeys(Exception):
 
 class NoInternetError(Exception):
     """ Raise to indicate problems caused when no internet connection is present"""
+
+
+class ScoutSuiteScanError(Exception):
+    """ Raise to indicate problems ScoutSuite encountered during scanning"""

monkey/infection_monkey/config.py

@@ -11,7 +11,8 @@ GUID = str(uuid.getnode())
 
 EXTERNAL_CONFIG_FILE = os.path.join(os.path.abspath(os.path.dirname(sys.argv[0])), 'monkey.bin')
 
-SENSITIVE_FIELDS = ["exploit_password_list", "exploit_user_list", "exploit_ssh_keys"]
+SENSITIVE_FIELDS = ["exploit_password_list", "exploit_user_list", "exploit_ssh_keys", "aws_secret_access_key",
+                    "aws_session_token"]
 LOCAL_CONFIG_VARS = ["name", "id", "current_server", "max_depth"]
 HIDDEN_FIELD_REPLACEMENT_CONTENT = "hidden"
 
@@ -245,9 +246,9 @@ class Configuration(object):
     exploit_ntlm_hash_list = []
     exploit_ssh_keys = []
 
-    access_key_id = ''
+    aws_access_key_id = ''
-    secret_access_key = ''
+    aws_secret_access_key = ''
-    session_token = ''
+    aws_session_token = ''
 
     # smb/wmi exploiter
     smb_download_timeout = 300  # timeout in seconds

monkey/infection_monkey/system_info/collectors/scoutsuite_collector/scoutsuite_collector.py

@@ -2,6 +2,7 @@ import logging
 
 import infection_monkey.system_info.collectors.scoutsuite_collector.scoutsuite_api as scoutsuite_api
 from common.cloud.scoutsuite_consts import CloudProviders
+from common.utils.exceptions import ScoutSuiteScanError
 from infection_monkey.config import WormConfiguration
 from infection_monkey.telemetry.scoutsuite_telem import ScoutSuiteTelem
 
@@ -12,17 +13,17 @@ def scan_cloud_security(cloud_type: CloudProviders):
     try:
         results = run_scoutsuite(cloud_type.value)
         if isinstance(results, dict) and 'error' in results and results['error']:
-            raise Exception(results['error'])
+            raise ScoutSuiteScanError(results['error'])
         send_results(results)
-    except Exception as e:
+    except (Exception, ScoutSuiteScanError) as e:
         logger.error(f"ScoutSuite didn't scan {cloud_type.value} security because: {e}")
 
 
 def run_scoutsuite(cloud_type: str):
     return scoutsuite_api.run(provider=cloud_type,
-                              aws_access_key_id=WormConfiguration.access_key_id,
+                              aws_access_key_id=WormConfiguration.aws_access_key_id,
-                              aws_secret_access_key=WormConfiguration.secret_access_key,
+                              aws_secret_access_key=WormConfiguration.aws_secret_access_key,
-                              aws_session_token=WormConfiguration.session_token)
+                              aws_session_token=WormConfiguration.aws_session_token)
 
 
 def send_results(results):

monkey/monkey_island/cc/services/config.py

@@ -28,9 +28,9 @@ ENCRYPTED_CONFIG_VALUES = \
         LM_HASH_LIST_PATH,
         NTLM_HASH_LIST_PATH,
         SSH_KEYS_PATH,
-        AWS_KEYS_PATH + ['access_key_id'],
+        AWS_KEYS_PATH + ['aws_access_key_id'],
-        AWS_KEYS_PATH + ['secret_access_key'],
+        AWS_KEYS_PATH + ['aws_secret_access_key'],
-        AWS_KEYS_PATH + ['session_token']
+        AWS_KEYS_PATH + ['aws_session_token']
     ]
 
 

monkey/monkey_island/cc/services/config_schema/internal.py

@@ -98,15 +98,15 @@ INTERNAL = {
                 "aws_keys": {
                     "type": "object",
                     "properties": {
-                        "access_key_id": {
+                        "aws_access_key_id": {
                             "type": "string",
                             "default": ""
                         },
-                        "secret_access_key": {
+                        "aws_secret_access_key": {
                             "type": "string",
                             "default": ""
                         },
-                        "session_token": {
+                        "aws_session_token": {
                             "type": "string",
                             "default": ""
                         }

monkey/monkey_island/cc/services/zero_trust/scoutsuite/scoutsuite_auth_service.py

@@ -35,16 +35,16 @@ def is_cloud_authentication_setup(provider: CloudProviders) -> Tuple[bool, str]:
 
 
 def is_aws_keys_setup():
-    return (ConfigService.get_config_value(AWS_KEYS_PATH + ['access_key_id']) and
+    return (ConfigService.get_config_value(AWS_KEYS_PATH + ['aws_access_key_id']) and
-            ConfigService.get_config_value(AWS_KEYS_PATH + ['secret_access_key']))
+            ConfigService.get_config_value(AWS_KEYS_PATH + ['aws_secret_access_key']))
 
 
 def set_aws_keys(access_key_id: str, secret_access_key: str, session_token: str):
     if not access_key_id or not secret_access_key:
         raise InvalidAWSKeys("Missing some of the following fields: access key ID, secret access key.")
-    _set_aws_key('access_key_id', access_key_id)
+    _set_aws_key('aws_access_key_id', access_key_id)
-    _set_aws_key('secret_access_key', secret_access_key)
+    _set_aws_key('aws_secret_access_key', secret_access_key)
-    _set_aws_key('session_token', session_token)
+    _set_aws_key('aws_session_token', session_token)
 
 
 def _set_aws_key(key_type: str, key_value: str):
@@ -54,9 +54,9 @@ def _set_aws_key(key_type: str, key_value: str):
 
 
 def get_aws_keys():
-    return {'access_key_id': _get_aws_key('access_key_id'),
+    return {'access_key_id': _get_aws_key('aws_access_key_id'),
-            'secret_access_key': _get_aws_key('secret_access_key'),
+            'secret_access_key': _get_aws_key('aws_secret_access_key'),
-            'session_token': _get_aws_key('session_token')}
+            'session_token': _get_aws_key('aws_session_token')}
 
 
 def _get_aws_key(key_type: str):