* Added fallback case for urllib failure to get the region

* Added some safe checks for formatting and happy flows * Removed productARN from server_config.json - it will now be inserted in deb build. * Added the awscli lib to be installed via pip
2018-11-28 18:54:50 +02:00 · 2018-11-28 18:54:50 +02:00 · e24e9b90f7
parent 1c99636414
commit e24e9b90f7
4 changed files with 11 additions and 8 deletions
--- a/monkey/common/cloud/aws.py
+++ b/monkey/common/cloud/aws.py
@ -10,6 +10,7 @@ class AWS(object):
            self.region = urllib2.urlopen('http://169.254.169.254/latest/meta-data/placement/availability-zone').read()[:-1]
        except urllib2.URLError:
            self.instance_id = None
+            self.region = None

    def get_instance_id(self):
        return self.instance_id
--- a/monkey/monkey_island/cc/resources/aws_exporter.py
+++ b/monkey/monkey_island/cc/resources/aws_exporter.py
@ -77,8 +77,8 @@ class AWSExporter(Exporter):
        }

        configured_product_arn = load_server_configuration_from_file()['aws'].get('sec_hub_product_arn', '')
-        product_arn = 'arn:aws:securityhub:{region}:{arn}'.format(region='us-west-2', arn=configured_product_arn)
-        instance_arn = 'arn:aws:ec2:' + region + ':instance:{instance_id}'
+        product_arn = 'arn:aws:securityhub:{region}:{arn}'.format(region=region, arn=configured_product_arn)
+        instance_arn = 'arn:aws:ec2:' + str(region) + ':instance:{instance_id}'
        account_id = AWSExporter._get_aws_keys().get('aws_account_id', '')

        finding = {
@ -98,6 +98,10 @@ class AWSExporter(Exporter):
    @staticmethod
    def _send_findings(findings_list, creds_dict, region):
        try:
+            if not creds_dict:
+                logger.info('No AWS access credentials received in configuration')
+                return False
+
            securityhub = boto3.client('securityhub',
                                       aws_access_key_id=creds_dict.get('aws_access_key_id', ''),
                                       aws_secret_access_key=creds_dict.get('aws_secret_access_key', ''),
@ -109,10 +113,10 @@ class AWSExporter(Exporter):
            else:
                return False
        except UnknownServiceError as e:
-            logger.warning('AWS exporter called but AWS-CLI not installed')
+            logger.warning('AWS exporter called but AWS-CLI securityhub service is not installed')
            return False
        except Exception as e:
-            logger.error('AWS security hub findings failed to send.')
+            logger.exception('AWS security hub findings failed to send.')
            return False

    @staticmethod
--- a/monkey/monkey_island/cc/server_config.json
+++ b/monkey/monkey_island/cc/server_config.json
@ -1,6 +1,3 @@
 {
-  "server_config": "standard",
-  "aws": {
-    "sec_hub_product_arn": "324264561773:product/guardicore/aws-infection-monkey"
-  }
+  "server_config": "standard"
 }
--- a/monkey/monkey_island/deb-package/monkey_island_pip_requirements.txt
+++ b/monkey/monkey_island/deb-package/monkey_island_pip_requirements.txt
@ -15,4 +15,5 @@ ipaddress
 enum34
 PyCrypto
 boto3
+awscli
 virtualenv