p20319658
/
monkey
forked from p34709852/monkey
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Getting the AWS account ID programmatically 

And configuration can override it
This commit is contained in:
Shay Nehmad 2019-04-23 18:09:06 +03:00
parent 1965180487
commit 7b6ff8b9c0
3 changed files with 31 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
monkey/common/cloud/aws_instance.py
View File

@ -1,25 +1,39 @@
import json
import re import re
import urllib2 import urllib2
__author__ = 'itay.mizeretz' __author__ = 'itay.mizeretz'
AWS_INSTANCE_METADATA_LOCAL_IP_ADDRESS = "169.254.169.254"
AWS_LATEST_METADATA_URI_PREFIX = 'http://{0}/latest/'.format(AWS_INSTANCE_METADATA_LOCAL_IP_ADDRESS)
ACCOUNT_ID_KEY = "accountId"
class AwsInstance(object): class AwsInstance(object):
""" """
Class which gives useful information about the current instance you're on. Class which gives useful information about the current instance you're on.
""" """
def __init__(self): def __init__(self):
try: try:
self.instance_id = urllib2.urlopen('http://169.254.169.254/latest/meta-data/instance-id', timeout=2).read() self.instance_id = urllib2.urlopen(
AWS_LATEST_METADATA_URI_PREFIX + 'meta-data/instance-id', timeout=2).read()
self.region = self._parse_region( self.region = self._parse_region(
urllib2.urlopen('http://169.254.169.254/latest/meta-data/placement/availability-zone').read()) urllib2.urlopen(AWS_LATEST_METADATA_URI_PREFIX + 'meta-data/placement/availability-zone').read())
except urllib2.URLError: except urllib2.URLError:
self.instance_id = None self.instance_id = None
self.region = None self.region = None
try:
self.account_id = self._extract_account_id(
urllib2.urlopen(
AWS_LATEST_METADATA_URI_PREFIX + 'dynamic/instance-identity/document', timeout=2).read())
except urllib2.URLError:
self.account_id = None
@staticmethod @staticmethod
def _parse_region(region_url_response): def _parse_region(region_url_response):
# For a list of regions: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html # For a list of regions, see:
# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
# This regex will find any AWS region format string in the response. # This regex will find any AWS region format string in the response.
re_phrase = r'((?:us|eu|ap|ca|cn|sa)-[a-z]*-[0-9])' re_phrase = r'((?:us|eu|ap|ca|cn|sa)-[a-z]*-[0-9])'
finding = re.findall(re_phrase, region_url_response, re.IGNORECASE) finding = re.findall(re_phrase, region_url_response, re.IGNORECASE)
@ -36,3 +50,10 @@ class AwsInstance(object):
def is_aws_instance(self): def is_aws_instance(self):
return self.instance_id is not None return self.instance_id is not None
@staticmethod
def _extract_account_id(instance_identity_document_response):
return json.loads(instance_identity_document_response)[ACCOUNT_ID_KEY]
def get_account_id(self):
return self.account_id

8
monkey/monkey_island/cc/resources/aws_exporter.py
View File

@ -86,6 +86,10 @@ class AWSExporter(Exporter):
product_arn = 'arn:aws:securityhub:{region}:{arn}'.format(region=region, arn=configured_product_arn) product_arn = 'arn:aws:securityhub:{region}:{arn}'.format(region=region, arn=configured_product_arn)
instance_arn = 'arn:aws:ec2:' + str(region) + ':instance:{instance_id}' instance_arn = 'arn:aws:ec2:' + str(region) + ':instance:{instance_id}'
account_id = AWSExporter._get_aws_keys().get('aws_account_id', '') account_id = AWSExporter._get_aws_keys().get('aws_account_id', '')
if account_id is '':
logger.debug("aws account id not manually configured - acquiring via AwsInstance")
account_id = AwsInstance().get_account_id()
logger.debug("aws account id acquired: {}".format(account_id))
finding = { finding = {
"SchemaVersion": "2018-10-08", "SchemaVersion": "2018-10-08",
@ -119,10 +123,10 @@ class AWSExporter(Exporter):
else: else:
return False return False
except UnknownServiceError as e: except UnknownServiceError as e:
logger.warning('AWS exporter called but AWS-CLI securityhub service is not installed') logger.warning('AWS exporter called but AWS-CLI securityhub service is not installed. Error: ' + e.message)
return False return False
except Exception as e: except Exception as e:
logger.exception('AWS security hub findings failed to send.') logger.exception('AWS security hub findings failed to send. Error: ' + e.message)
return False return False
@staticmethod @staticmethod

14
monkey/monkey_island/cc/services/config_schema.py
View File

@ -651,19 +651,7 @@ SCHEMA = {
'aws_account_id': { 'aws_account_id': {
'title': 'AWS account ID', 'title': 'AWS account ID',
'type': 'string', 'type': 'string',
'description': 'Your AWS account ID that is subscribed to security hub feeds', 'description': 'Your AWS account ID that is subscribed to security hub feeds. If left empty, the island will try to automatically acquire this via the AWS metadata service.',
'default': ''
},
'aws_access_key_id': {
'title': 'AWS access key ID',
'type': 'string',
'description': 'Your AWS public access key ID, can be found in the IAM user interface in the AWS console.',
'default': ''
},
'aws_secret_access_key': {
'title': 'AWS secret access key',
'type': 'string',
'description': 'Your AWS secret access key id, you can get this after creating a public access key in the console.',
'default': '' 'default': ''
} }
} }