Getting the AWS account ID programmatically

And configuration can override it
2019-04-23 18:09:06 +03:00 · 2019-04-23 18:09:06 +03:00 · 7b6ff8b9c0
parent 1965180487
commit 7b6ff8b9c0
3 changed files with 31 additions and 18 deletions
--- a/monkey/common/cloud/aws_instance.py
+++ b/monkey/common/cloud/aws_instance.py
@ -1,25 +1,39 @@
+import json
 import re
 import urllib2

 __author__ = 'itay.mizeretz'

+AWS_INSTANCE_METADATA_LOCAL_IP_ADDRESS = "169.254.169.254"
+AWS_LATEST_METADATA_URI_PREFIX = 'http://{0}/latest/'.format(AWS_INSTANCE_METADATA_LOCAL_IP_ADDRESS)
+ACCOUNT_ID_KEY = "accountId"
+

 class AwsInstance(object):
    """
    Class which gives useful information about the current instance you're on.
    """
+
    def __init__(self):
        try:
-            self.instance_id = urllib2.urlopen('http://169.254.169.254/latest/meta-data/instance-id', timeout=2).read()
+            self.instance_id = urllib2.urlopen(
+                AWS_LATEST_METADATA_URI_PREFIX + 'meta-data/instance-id', timeout=2).read()
            self.region = self._parse_region(
-                urllib2.urlopen('http://169.254.169.254/latest/meta-data/placement/availability-zone').read())
+                urllib2.urlopen(AWS_LATEST_METADATA_URI_PREFIX + 'meta-data/placement/availability-zone').read())
        except urllib2.URLError:
            self.instance_id = None
            self.region = None
+        try:
+            self.account_id = self._extract_account_id(
+                urllib2.urlopen(
+                    AWS_LATEST_METADATA_URI_PREFIX + 'dynamic/instance-identity/document', timeout=2).read())
+        except urllib2.URLError:
+            self.account_id = None

    @staticmethod
    def _parse_region(region_url_response):
-        # For a list of regions: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
+        # For a list of regions, see:
+        # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
        # This regex will find any AWS region format string in the response.
        re_phrase = r'((?:us|eu|ap|ca|cn|sa)-[a-z]*-[0-9])'
        finding = re.findall(re_phrase, region_url_response, re.IGNORECASE)
@ -36,3 +50,10 @@ class AwsInstance(object):

    def is_aws_instance(self):
        return self.instance_id is not None
+
+    @staticmethod
+    def _extract_account_id(instance_identity_document_response):
+        return json.loads(instance_identity_document_response)[ACCOUNT_ID_KEY]
+
+    def get_account_id(self):
+        return self.account_id
--- a/monkey/monkey_island/cc/resources/aws_exporter.py
+++ b/monkey/monkey_island/cc/resources/aws_exporter.py
@ -86,6 +86,10 @@ class AWSExporter(Exporter):
        product_arn = 'arn:aws:securityhub:{region}:{arn}'.format(region=region, arn=configured_product_arn)
        instance_arn = 'arn:aws:ec2:' + str(region) + ':instance:{instance_id}'
        account_id = AWSExporter._get_aws_keys().get('aws_account_id', '')
+        if account_id is '':
+            logger.debug("aws account id not manually configured - acquiring via AwsInstance")
+            account_id = AwsInstance().get_account_id()
+            logger.debug("aws account id acquired: {}".format(account_id))

        finding = {
            "SchemaVersion": "2018-10-08",
@ -119,10 +123,10 @@ class AWSExporter(Exporter):
            else:
                return False
        except UnknownServiceError as e:
-            logger.warning('AWS exporter called but AWS-CLI securityhub service is not installed')
+            logger.warning('AWS exporter called but AWS-CLI securityhub service is not installed. Error: ' + e.message)
            return False
        except Exception as e:
-            logger.exception('AWS security hub findings failed to send.')
+            logger.exception('AWS security hub findings failed to send. Error: ' + e.message)
            return False

    @staticmethod
--- a/monkey/monkey_island/cc/services/config_schema.py
+++ b/monkey/monkey_island/cc/services/config_schema.py
@ -651,19 +651,7 @@ SCHEMA = {
                        'aws_account_id': {
                            'title': 'AWS account ID',
                            'type': 'string',
-                            'description': 'Your AWS account ID that is subscribed to security hub feeds',
-                            'default': ''
-                        },
-                        'aws_access_key_id': {
-                            'title': 'AWS access key ID',
-                            'type': 'string',
-                            'description': 'Your AWS public access key ID, can be found in the IAM user interface in the AWS console.',
-                            'default': ''
-                        },
-                        'aws_secret_access_key': {
-                            'title': 'AWS secret access key',
-                            'type': 'string',
-                            'description': 'Your AWS secret access key id, you can get this after creating a public access key in the console.',
+                            'description': 'Your AWS account ID that is subscribed to security hub feeds. If left empty, the island will try to automatically acquire this via the AWS metadata service.',
                            'default': ''
                        }
                    }