Getting the AWS account ID programmatically

And configuration can override it
This commit is contained in:
Shay Nehmad 2019-04-23 18:09:06 +03:00
parent 1965180487
commit 7b6ff8b9c0
3 changed files with 31 additions and 18 deletions

View File

@ -1,25 +1,39 @@
import json
import re
import urllib2
__author__ = 'itay.mizeretz'
AWS_INSTANCE_METADATA_LOCAL_IP_ADDRESS = "169.254.169.254"
AWS_LATEST_METADATA_URI_PREFIX = 'http://{0}/latest/'.format(AWS_INSTANCE_METADATA_LOCAL_IP_ADDRESS)
ACCOUNT_ID_KEY = "accountId"
class AwsInstance(object):
"""
Class which gives useful information about the current instance you're on.
"""
def __init__(self):
try:
self.instance_id = urllib2.urlopen('http://169.254.169.254/latest/meta-data/instance-id', timeout=2).read()
self.instance_id = urllib2.urlopen(
AWS_LATEST_METADATA_URI_PREFIX + 'meta-data/instance-id', timeout=2).read()
self.region = self._parse_region(
urllib2.urlopen('http://169.254.169.254/latest/meta-data/placement/availability-zone').read())
urllib2.urlopen(AWS_LATEST_METADATA_URI_PREFIX + 'meta-data/placement/availability-zone').read())
except urllib2.URLError:
self.instance_id = None
self.region = None
try:
self.account_id = self._extract_account_id(
urllib2.urlopen(
AWS_LATEST_METADATA_URI_PREFIX + 'dynamic/instance-identity/document', timeout=2).read())
except urllib2.URLError:
self.account_id = None
@staticmethod
def _parse_region(region_url_response):
# For a list of regions: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
# For a list of regions, see:
# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html
# This regex will find any AWS region format string in the response.
re_phrase = r'((?:us|eu|ap|ca|cn|sa)-[a-z]*-[0-9])'
finding = re.findall(re_phrase, region_url_response, re.IGNORECASE)
@ -36,3 +50,10 @@ class AwsInstance(object):
def is_aws_instance(self):
return self.instance_id is not None
@staticmethod
def _extract_account_id(instance_identity_document_response):
return json.loads(instance_identity_document_response)[ACCOUNT_ID_KEY]
def get_account_id(self):
return self.account_id

View File

@ -86,6 +86,10 @@ class AWSExporter(Exporter):
product_arn = 'arn:aws:securityhub:{region}:{arn}'.format(region=region, arn=configured_product_arn)
instance_arn = 'arn:aws:ec2:' + str(region) + ':instance:{instance_id}'
account_id = AWSExporter._get_aws_keys().get('aws_account_id', '')
if account_id is '':
logger.debug("aws account id not manually configured - acquiring via AwsInstance")
account_id = AwsInstance().get_account_id()
logger.debug("aws account id acquired: {}".format(account_id))
finding = {
"SchemaVersion": "2018-10-08",
@ -119,10 +123,10 @@ class AWSExporter(Exporter):
else:
return False
except UnknownServiceError as e:
logger.warning('AWS exporter called but AWS-CLI securityhub service is not installed')
logger.warning('AWS exporter called but AWS-CLI securityhub service is not installed. Error: ' + e.message)
return False
except Exception as e:
logger.exception('AWS security hub findings failed to send.')
logger.exception('AWS security hub findings failed to send. Error: ' + e.message)
return False
@staticmethod

View File

@ -651,19 +651,7 @@ SCHEMA = {
'aws_account_id': {
'title': 'AWS account ID',
'type': 'string',
'description': 'Your AWS account ID that is subscribed to security hub feeds',
'default': ''
},
'aws_access_key_id': {
'title': 'AWS access key ID',
'type': 'string',
'description': 'Your AWS public access key ID, can be found in the IAM user interface in the AWS console.',
'default': ''
},
'aws_secret_access_key': {
'title': 'AWS secret access key',
'type': 'string',
'description': 'Your AWS secret access key id, you can get this after creating a public access key in the console.',
'description': 'Your AWS account ID that is subscribed to security hub feeds. If left empty, the island will try to automatically acquire this via the AWS metadata service.',
'default': ''
}
}