Comments (7)
Hi @thejazzid, can you describe your environment a little more? Specifically, can you describe the steps you are taking to authenticate and assume the role? We will try to reproduce it to test.
from aws-recon.
Hi @joshlarsen, sorry it took some time.
First of all, thanks a lot for the tool.
The environment is a little bit tricky.
But for the aws_recon tool it should not be too complicated. aws_recon is called from a Python script with specific environment variables for the credentials. Here is a sample of the code:
import os
import subprocess

# credentials (temporary STS credentials from the assume-role call), master_reg and file_name are set earlier in the script
temp_env = os.environ.copy()
temp_env['AWS_ACCESS_KEY_ID'] = credentials.access_key
temp_env['AWS_SECRET_ACCESS_KEY'] = credentials.secret_key
temp_env['AWS_SESSION_TOKEN'] = credentials.token
temp_env['AWS_DEFAULT_REGION'] = master_reg
# run aws_recon with the temporary credentials; -x excludes the services that were failing
subprocess.run(['/Users/{USERNAME}/.rvm/gems/ruby-2.6.5/bin/aws_recon', '-v', '-o', file_name, '-x',
                'IAM,CloudTrail,Support,CodePipeline,KMS'], env=temp_env)
Those credentials are the result of an assume-role operation for a specific role inside a specific account, with the AWS managed read-only policy attached to that role.
As you can see, I had to exclude some of the services, as they are failing. In general the tool runs fine across most resources and is able to collect, but not all. It could be a question of permissions, but the errors I'm getting are not specific about the type of access; it could be due to the AWS SDK itself. But the strangest thing is the wrong account ID in the ARN, which I have not figured out yet.
I will continue researching the permissions and will report any findings.
I am separating these into two different issues. The IAM issue is now in #66.
@thejazzid is the trail an organizational trail? Multi-region?
Hi @joshlarsen, yes, the CloudTrail is a global, Organization-level CloudTrail.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I've run into this exact issue - for reference, this seems to be an inherent thing with the AWS SDK/CLI.
An account in an organisation (with the relevant CloudTrail read permissions) can call describe_trails without issue, which will return whatever trail that account logs to, but it will return errors complaining that the trail is in another account when calling specific methods like list_tags, get_event_selectors, get_trail_status, etc.
There might be a workaround for this if the permissions for those are manually assigned on the org account with the trail in it, but I've worked around this in a hacky way by modifying https://github.com/joshlarsen/aws-recon/blob/main/lib/aws_recon/collectors/cloudtrail.rb to skip these additional methods if the account ID in the trail ARN mismatches the current calling account ID.
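The skip logic described in the comment above, as an added example that is not aws-recon's own code: it parses the account ID out of each trail ARN (assuming the standard `arn:partition:cloudtrail:region:account-id:trail/name` layout) and separates trails owned by the calling account from foreign (organization) trails whose per-trail calls would fail. The caller account ID and the trail records are constructed sample values; in a live run they would come from STS GetCallerIdentity and describe_trails.

```ruby
# Added example (not aws-recon's code): decide which CloudTrail trails belong
# to the calling account before invoking per-trail APIs such as
# get_trail_status, get_event_selectors and list_tags, which error when the
# trail lives in another (organization management) account.
#
# Assumed trail ARN layout (standard AWS form):
#   arn:<partition>:cloudtrail:<region>:<account-id>:trail/<name>
TRAIL_ARN = %r{\Aarn:[^:]+:cloudtrail:[^:]*:(\d{12}):trail/.+\z}

# Return the 12-digit account ID embedded in a trail ARN, or nil if the
# string does not look like a CloudTrail trail ARN.
def trail_account_id(arn)
  m = TRAIL_ARN.match(arn.to_s)
  m && m[1]
end

# A trail is "foreign" when its ARN names an account other than the caller
# (or when the ARN cannot be parsed, which is treated conservatively).
def foreign_trail?(trail_arn, caller_account_id)
  owner = trail_account_id(trail_arn)
  owner.nil? || owner != caller_account_id
end

# Split describe_trails-style records into those whose detail calls are safe
# to make and those to skip, with a reason suitable for a log line.
def partition_trails(trails, caller_account_id)
  collect, skipped = [], []
  trails.each do |t|
    if foreign_trail?(t[:trail_arn], caller_account_id)
      owner = trail_account_id(t[:trail_arn]) || 'unknown'
      skipped << { name: t[:name], arn: t[:trail_arn],
                   reason: "trail owned by account #{owner}" }
    else
      collect << t
    end
  end
  [collect, skipped]
end

# Constructed sample data: the caller's own trail plus an organization trail
# owned by a different account (in practice from STS GetCallerIdentity and
# describe_trails).
CALLER_ACCOUNT = '111111111111'
SAMPLE_TRAILS = [
  { name: 'local-trail', trail_arn: 'arn:aws:cloudtrail:us-east-1:111111111111:trail/local-trail' },
  { name: 'org-trail', trail_arn: 'arn:aws:cloudtrail:us-east-1:222222222222:trail/org-trail',
    is_organization_trail: true }
].freeze

collect, skipped = partition_trails(SAMPLE_TRAILS, CALLER_ACCOUNT)
collect.each { |t| puts "collect detail for #{t[:name]}" }
skipped.each { |s| puts "skip #{s[:name]}: #{s[:reason]}" }
```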