Changes:

• Improved provider support:
  • AWS
    • Added 4 new ELB & ELBv2 findings (thanks to @goelaarushi04)
    • Added support for the "Amazon S3 Block Public Access" feature
    • Improved Lambda partial
    • Added support for RDS Aurora instances
  • Azure
    • Improved the authentication flow, and handling of subscriptions
  • GCP
    • Added support for Stackdriver Monitoring
    • Improved report content
    • Merged IAM & Resource Manager services
    • Added logic that validates if an API is enabled for a service & project prior to making additional API calls
• Updated the rule format, to allow remediation & compliance information, as well as external references
  • Added rationales for most rules
  • Improved rules' content, adding remediation and references for a number of rules
  • Added the class_suffix field to highlight multiple elements
  • Additional information in https://github.com/nccgroup/ScoutSuite/wiki/HowTo:-Create-a-new-rule
• Added an option in the report (top-right menu) to export a high level finding summary
• Added a tool/util to upload findings to AWS Security Hub (see https://github.com/nccgroup/ScoutSuite/tree/develop/tools#aws_security_hub_exportpy)
• Improved open source project public content
• Bug fixes

Release pre-requisites:

• [x] Test and update AWS minimal policy
• [x] Update AWS IPs

Describe the bug When running scout suite for a subscription for Azure scout stops responding after showing the information about Fetching resources for the App Services service.

I updated to the latest version of scout suite. Running scout suite on two different systems with the same user credentials I get two different errors but in both instances the system gets stuck in both instances -

1st instance RedHat linux -

This was on the previous version -

[[email protected] azure_test]# scout azure --user-account -u $u -p $PP --subscriptions xyz --debug 2020-04-02 15:58:25 ip-x.x.x.x.linux.internal scout[23057] INFO Launching Scout 2020-04-02 15:58:25 ip-x.x.x.x.linux.internal scout[23057] INFO Authenticating to cloud provider 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Running against 1 subscription(s) 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Gathering data from APIs 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Fetching resources for the AAD service 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Fetching resources for the ARM service 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Fetching resources for the Security Center service 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Fetching resources for the SQL Database service 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Fetching resources for the Storage Accounts service 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Fetching resources for the Key Vault service 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Fetching resources for the Network service 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Fetching resources for the Virtual Machines service 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] INFO Fetching resources for the App Services service 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] ERROR securitycenter.py L83: Failed to retrieve compliance results: 'SecurityCenter' object has no attribute 'compliance_results' Traceback (most recent call last): File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/facade/securitycenter.py", line 83, in get_compliance_results lambda: list(client.compliance_results.list(scope=scope)) File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/utils.py", line 24, in run_concurrently return await run_function_concurrently(function) File "/usr/lib64/python3.7/concurrent/futures/thread.py", line 57, in run result = self.fn(*self.args, **self.kwargs) File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/facade/securitycenter.py", line 83, in lambda: list(client.compliance_results.list(scope=scope)) AttributeError: 'SecurityCenter' object has no attribute 'compliance_results' 2020-04-02 15:58:29 ip-x.x.x.x.linux.internal scout[23057] ERROR securitycenter.py L95: Failed to retrieve regulatory compliance standards: 'SecurityCenter' object has no attribute 'regulatory_compliance_standards' Traceback (most recent call last): File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/facade/securitycenter.py", line 95, in get_regulatory_compliance_results lambda: list(client.regulatory_compliance_standards.list()) File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/utils.py", line 24, in run_concurrently return await run_function_concurrently(function) File "/usr/lib64/python3.7/concurrent/futures/thread.py", line 57, in run result = self.fn(*self.args, **self.kwargs) File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/facade/securitycenter.py", line 95, in lambda: list(client.regulatory_compliance_standards.list()) AttributeError: 'SecurityCenter' object has no attribute 'regulatory_compliance_standards'

After updating to the latest version -

Successfully installed azure-cli-core-2.3.1 azure-mgmt-compute-12.0.0 azure-mgmt-monitor-0.8.0 azure-mgmt-network-10.0.0 azure-mgmt-security-0.3.0 azure-mgmt-sql-0.18.0 azure-mgmt-storage-9.0.0 azure-mgmt-web-0.45.0 boto3-1.12.35 botocore-1.15.35 cryptography-2.9 google-auth-1.13.1 google-cloud-storage-1.27.0 httplib2-0.17.1 humanfriendly-8.1 importlib-metadata-1.6.0 knack-0.7.0rc1 oci-2.12.2 pkginfo-1.5.0.1 pytz-2019.3 pyyaml-5.3.1 rsa-4.0 scoutsuite-5.8.1 setuptools-46.1.3

[[email protected] azure_test]# scout azure --user-account -u $u -p $PP --subscriptions xyz --debug 2020-04-02 16:32:17 ip-x.x.x.x.linux.internal scout[27034] INFO Launching Scout 2020-04-02 16:32:17 ip-x.x.x.x.linux.internal scout[27034] INFO Authenticating to cloud provider 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Running against 1 subscription(s) 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Gathering data from APIs 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Fetching resources for the AAD service 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Fetching resources for the ARM service 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Fetching resources for the Security Center service 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Fetching resources for the SQL Database service 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Fetching resources for the Storage Accounts service 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Fetching resources for the Key Vault service 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Fetching resources for the Network service 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Fetching resources for the Virtual Machines service 2020-04-02 16:32:23 ip-x.x.x.x.linux.internal scout[27034] INFO Fetching resources for the App Services service

2nd Instance RedHat linux - On my Macbook I get the following -

scout azure --user-account -u $u -p $PP --subscriptions xyz --debug 2020-04-02 16:46:42 MACBOOK scout[24261] INFO Launching Scout 2020-04-02 16:46:42 MACBOOK scout[24261] INFO Authenticating to cloud provider 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Running against 1 subscription(s) 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Gathering data from APIs 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Fetching resources for the AAD service 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Fetching resources for the ARM service 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Fetching resources for the Security Center service 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Fetching resources for the SQL Database service 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Fetching resources for the Storage Accounts service 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Fetching resources for the Key Vault service 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Fetching resources for the Network service 2020-04-02 16:46:51 MACBOOK scout[24261] INFO Fetching resources for the Virtual Machines service 2020-04-02 16:46:52 MACBOOK asyncio[24261] ERROR Task exception was never retrieved future: <Task finished coro=<RoleAssignments.fetch_all() done, defined at /usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/resources/arm/role_assignments.py:11> exception=AttributeError("'RoleAssignment' object has no attribute 'principal_type'")> Traceback (most recent call last): File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/resources/arm/role_assignments.py", line 13, in fetch_all id, role_assignment = self._parse_role_assignment(raw_role_assignment) File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/resources/arm/role_assignments.py", line 24, in _parse_role_assignment role_assignment_dict['principal_type'] = raw_role_assignment.principal_type AttributeError: 'RoleAssignment' object has no attribute 'principal_type' 2020-04-02 16:46:55 MACBOOK scout[24261] ERROR storageaccounts.py L61: Failed to retrieve activity logs: 'AzureCredentials' object has no attribute 'signed_session' Traceback (most recent call last): File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/facade/storageaccounts.py", line 61, in _get_and_set_activity_logs lambda: list(client.activity_logs.list(filter=logs_filter, select="eventTimestamp, operationName")) File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/utils.py", line 24, in run_concurrently return await run_function_concurrently(function) File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/concurrent/futures/thread.py", line 57, in run result = self.fn(*self.args, **self.kwargs) File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/facade/storageaccounts.py", line 61, in lambda: list(client.activity_logs.list(filter=logs_filter, select="eventTimestamp, operationName")) File "/usr/local/lib/python3.7/site-packages/msrest/paging.py", line 143, in next self.advance_page() File "/usr/local/lib/python3.7/site-packages/msrest/paging.py", line 129, in advance_page self._response = self._get_next(self.next_link) File "/usr/local/lib/python3.7/site-packages/azure/mgmt/monitor/operations/activity_logs_operations.py", line 117, in internal_paging request, header_parameters, stream=False, **operation_config) File "/usr/local/lib/python3.7/site-packages/msrest/service_client.py", line 336, in send pipeline_response = self.config.pipeline.run(request, **kwargs) File "/usr/local/lib/python3.7/site-packages/msrest/pipeline/init.py", line 197, in run return first_node.send(pipeline_request, **kwargs) # type: ignore File "/usr/local/lib/python3.7/site-packages/msrest/pipeline/init.py", line 150, in send response = self.next.send(request, **kwargs) File "/usr/local/lib/python3.7/site-packages/msrest/pipeline/requests.py", line 65, in send self._creds.signed_session(session) AttributeError: 'AzureCredentials' object has no attribute 'signed_session' 2020-04-02 16:46:55 MACBOOK scout[24261] ERROR storageaccounts.py L35: Failed to retrieve blob containers: 'ListContainerItems' object is not iterable Traceback (most recent call last): File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/facade/storageaccounts.py", line 35, in get_blob_containers lambda: list(client.blob_containers.list(resource_group_name, storage_account_name)) File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/utils.py", line 24, in run_concurrently return await run_function_concurrently(function) File "/usr/local/Cellar/python/3.7.7/Frameworks/Python.framework/Versions/3.7/lib/python3.7/concurrent/futures/thread.py", line 57, in run result = self.fn(*self.args, **self.kwargs) File "/usr/local/lib/python3.7/site-packages/ScoutSuite/providers/azure/facade/storageaccounts.py", line 35, in lambda: list(client.blob_containers.list(resource_group_name, storage_account_name)) TypeError: 'ListContainerItems' object is not iterable

Please provide:

• No JSON File was generated.
• These scripts are run behind a proxy environment the proxy variables were set before running the command in CLI.
• I have reader permissions on the subscription
• The permissions given to me are limited I think in the documents Directory.read was needed but I cannot get that is there a way to run the report partially incase it's a permissions error.

Please let me know if I am doing something wrong or if I need to provide any other details.

Description

Merging in the dockerhub image from rossja/ncc-scoutsuite. This PR is just a straight merge of that code to here. I created a new container/docker directory for this codebase, if that makes sense in some other directory structure instead, I'm all for that.

The docker image is self-documented, but we should probably work on merging that documentation into the main doc/wiki (there's some updated content in that documentation related to cloud provider permissions and configurations as well that should be reviewed.)

Fixes # 713

Type of change

Select the relevant option(s):

• [X] New feature (non-breaking change which adds functionality)
• [X] This change requires a documentation update

Checklist:

• [X] My code follows the style guidelines of this project
• [X] I have performed a self-review of my own code
• [X] I have commented my code, particularly in hard-to-understand areas
• [X] My changes generate no new warnings
• [X] New and existing unit tests pass locally with my changes

https://github.com/nccgroup/ScoutSuite/wiki/AWS-Minimal-Privileges-Policy

Based on above, If we add below lines into the above policy file to constrain scout to only accessing resources in a specific region, scout won't work, reporting many errors like below:

"Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-east-1"
                }
 }

Errors:

2020-04-24 10:01:45 ip-172-31-16-60.us-west-2.compute.internal scout[7969] ERROR services.py L55: Could not fetch ses configuration: An error occurred (UnauthorizedOperation) when calling the DescribeRegions operation: You are not authorized to perform this operation.
2020-04-24 10:01:45 ip-172-31-16-60.us-west-2.compute.internal scout[7969] ERROR services.py L55: Could not fetch sqs configuration: An error occurred (UnauthorizedOperation) when calling the DescribeRegions operation: You are not authorized to perform this operation.

Looks like Scout can only work by --region option. but how can we guarantee minimal privilege if we want to restrict Scout to a specific region by IAM privileges?

I am currently using assume role based cross account access across all my aws accounts.

My aws credentials file looks something like this :-

[some_profile]
role_arn=arn:aws:iam::XXXXXXXXXXXX:role/cross_role
credential_source = Ec2InstanceMetadata

The role does not require any external ID.

When run using aws cli with respective profile as argument, it honors the profile configuration and gives me output pertaining to the account which is mapped to respective profile.

However , when scoutsuite is run using --profile argument (same as what was used for aws cli) , it fetches info from the current host account from whose instance scoutsuite is being run and generates the output.

Couldnt figure out what could be the reason of the issue.

Other details that may help is given below :-

$ pip freeze
adal==1.2.2
antlr4-python3-runtime==4.7.2
applicationinsights==0.11.9
argcomplete==1.10.0
asn1crypto==0.24.0
azure-cli-core==2.0.70
azure-cli-nspkg==3.0.4
azure-cli-telemetry==1.0.3
azure-common==1.1.23
azure-mgmt-keyvault==2.0.0
azure-mgmt-monitor==0.7.0
azure-mgmt-network==4.0.0
azure-mgmt-redis==6.0.0
azure-mgmt-resource==2.2.0
azure-mgmt-security==0.3.0
azure-mgmt-sql==0.12.0
azure-mgmt-storage==4.0.0
azure-mgmt-web==0.42.0
azure-nspkg==3.0.2
backports.functools-lru-cache==1.5
bcrypt==3.1.7
boto3==1.9.204
botocore==1.12.204
cachetools==3.1.1
certifi==2019.6.16
cffi==1.12.3
chardet==3.0.4
cheroot==6.5.5
CherryPy==18.1.2
cherrypy-cors==1.6
colorama==0.4.1
coloredlogs==10.0
cryptography==2.7
docutils==0.14
google-api-core==1.14.2
google-api-python-client==1.7.10
google-auth==1.6.3
google-auth-httplib2==0.0.3
google-cloud-container==0.3.0
google-cloud-core==1.0.3
google-cloud-iam==0.2.0
google-cloud-kms==1.2.0
google-cloud-logging==1.12.1
google-cloud-monitoring==0.32.0
google-cloud-resource-manager==0.29.2
google-cloud-storage==1.18.0
google-resumable-media==0.3.2
googleapis-common-protos==1.6.0
grpc-google-iam-v1==0.12.3
grpcio==1.22.0
httpagentparser==1.8.2
httplib2==0.13.1
humanfriendly==4.18
iampoliciesgonewild==1.0.6.2
idna==2.8
isodate==0.6.0
jaraco.functools==2.0
jmespath==0.9.4
knack==0.6.3
more-itertools==7.2.0
msrest==0.6.9
msrestazure==0.6.1
netaddr==0.7.19
oauth2client==4.1.3
oauthlib==3.1.0
paramiko==2.6.0
portalocker==1.5.1
portend==2.5
protobuf==3.9.1
pyasn1==0.4.6
pyasn1-modules==0.2.6
pycparser==2.19
Pygments==2.4.2
PyJWT==1.7.1
PyNaCl==1.3.0
pyOpenSSL==19.0.0
python-dateutil==2.8.0
pytz==2019.2
PyYAML==5.1.2
requests==2.22.0
requests-oauthlib==1.2.0
rsa==4.0
s3transfer==0.2.1
six==1.12.0
sqlitedict==1.6.0
tabulate==0.8.3
tempora==1.14.1
uritemplate==3.0.0
urllib3==1.25.3
zc.lockfile==2.0

$ python scout.py --version
Scout Suite 5.2.0

$ aws --version
aws-cli/1.16.102 Python/2.7.16 Linux/4.14.123-111.109.amzn2.x86_64 botocore/1.12.92

$python --version
Python 3.7.3

However , it works when temporary credentials are updated in the credentials profile for the same assumed role. Seems little weird on why it acts this way.

Changes:

• Creates the new AWS CIS 1.2.0 json ruleset, the required new findings and updates the findings to the new output format
  • Including 23 new rules
• Adds support for AWS CloudWatch Metric Filters
• Adds support for AWS Peering Connections
• Adds support for AWS Flow Logs (Subnet & VPC)

This PR is for issue #434

Phases:

• [x] Create all the new AWS CIS 1.2.0 IAM rules and update the format of the old ones
• [x] Create all the new AWS CIS 1.2.0 Logging rules and update the format of the old ones
• [x] Create all the new AWS CIS 1.2.0 Monitoring rules and update the format of the old ones
• [x] Create all the new AWS CIS 1.2.0 Networking rules and update the format of the old ones

TODOs for @j4v:

• [x] Complete finding 1.14 of the cis-1-2-0.json ruleset This finding is already created in the rule iam-root-account-no-hardware-mfa.json. The resource iam/credentialreports.py is already set to fetch the VirtualMfaDevices and parse it. The parsing of the returned data should get the serial-number of the mfa device and also a boolean containing whether the MFA device is hardware based or not. To check if a MFA device is hardware or virtual, the serial-number should be checked. If the serial-number contains "arn", then the device is virtaul. Otherwise, the device is hardware. Once done, issue #681 can be closed.
• [x] Ensure there aren't any duplicate findings in pub/prop
  • [x] Compare EC2 SG findings as there might be duplicates
• [x] Ensure new findings are added to default ruleset (+prop) where appropriate
• [x] Ensure new findings are added to detailed ruleset where appropriate
  • [x] Review the arguments used in the detailed ruleset There are some findings that may have inappropriate arguments. For example, the iam-password-policy-minimum-length finding has the minimum length argument set to 8 when the CIS recommendation is 14.
• [x] Review peering connection implementation/partial
• [x] Review hidden flow logs implementation/partial
• [x] Fix findings 3.1 to 3.14 of cis-1-2-0.json ruleset not returning an empty list when clicked. Further information of this issue can be found here: https://github.com/nccgroup/ScoutSuite/pull/679#issuecomment-633639978

Hi,

Although various export are available and the html/js report offers an impressive user experience, a lack of easy to use, human readable csv export of scout2 findings is perhaps the one thing that keeps it from being, hands down, the best aws audit tool.

I may be missing something, even though i've spent many hours on the issue throwing myself at the export wiki entry. Or perhaps it was never the intention to make scout2 easy to use for mere mortals.

Regardless, i'd love to walk out of this experience a bit wiser. Enlighten me, would you kindly :) -A.G.

Describe the bug

Steps:

• downloaded the package using pip (or master branch on git)
• follow the basic steps to start the audit (using account browser since I have MFA)
• Get this error and scout is just stuck:

ERROR securitycenter.py L86: Failed to retrieve compliance results: Azure Error: MissingApiVersionParameter Message: The api-version query parameter (?api-version=) is required for all requests.

To Reproduce

Please provide:

• python3 scout.py azure --user-account-browser --tenant xxx-yyy-zzzz

Additional context

Same behaviour using git version or pip version

Changes:

• Improved support for AWS
  • Added support for KMS
  • Added basic support for Secrets Manager
  • Simplified evaluation of IAM policies in multiple rules
• Improved support for Azure
  • Added support for App Service Web Apps
  • Added support for Security Center Compliance Results
  • Added support for Security Center Regulatory Compliance Results
• Improved support for GCP
  • Improved partials and finding rationales
  • Scans should complete much faster
• Improved support for OCI
  • Improved error handing
  • Support for scanning arbitrary compartments
• Improved Open Source project's processes
  • Issue and PR templates
  • CI/CD deployment, with the addition of autopep8
• Added a --list-services option to list available services to scan
• A bunch of bug fixes

I'm using,

macOS 10.14.5 Python 3.7.3

with ScoutSuite installed via pip3: $ pip3 freeze | grep -i scout ScoutSuite==5.0.post3

and I tried as well the latest git checkout: $ git rev-parse HEAD 5a498fbd9fc558d63409123ab5aba19ad4e5097d

What did you do?

When I call:

$ aws s3 ls --profile security
Enter MFA code for arn:aws:iam::xxxx:mfa/username:
2018-04-12 16:20:13 foo
2018-04-20 14:43:42 bar
[...]

I can see all s3 buckets, but when I try fetch the buckets via Scout I end up with the following error:

$ python3 scout.py aws --profile security --services s3 --no-browser
2019-05-21 16:42:21 PinkRobin.localdomain scout[33071] INFO Launching Scout
2019-05-21 16:42:21 PinkRobin.localdomain scout[33071] INFO Authenticating to cloud provider
Enter MFA code for arn:aws:iam::xxxxx:mfa/username:
2019-05-21 16:42:29 PinkRobin.localdomain scout[33071] INFO Gathering data from APIs
2019-05-21 16:42:29 PinkRobin.localdomain scout[33071] INFO Fetching resources for the S3 service
2019-05-21 16:42:30 PinkRobin.localdomain scout[33071] ERROR s3.py L15: Failed to list buckets: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
2019-05-21 16:42:30 PinkRobin.localdomain scout[33071] INFO Running rule engine
2019-05-21 16:42:30 PinkRobin.localdomain scout[33071] INFO Applying display filters
2019-05-21 16:42:30 PinkRobin.localdomain scout[33071] INFO Saving data to scoutsuite-report/scoutsuite-results/scoutsuite_results_aws-security.js
2019-05-21 16:42:30 PinkRobin.localdomain scout[33071] INFO Saving data to scoutsuite-report/scoutsuite-results/scoutsuite_exceptions_aws-security.js
2019-05-21 16:42:30 PinkRobin.localdomain scout[33071] INFO Saving data to scoutsuite-report/scoutsuite-results/scoutsuite_errors_aws-security.json
2019-05-21 16:42:30 PinkRobin.localdomain scout[33071] INFO Creating scoutsuite-report/aws-security.html

What did you expect to see?

A generated report which includes the buckets.

What did you see instead?

AccessDenied error.

Some things I tried:

I followed from #28 to https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html and created my config and credentials how it is mentioned on that webpage without any success.

I also tried to add the role into my [default] configuration, that didn't work either.

Thoughts

I think it is not using the profile/role correctly. When I run scout fully I get error messages that look like this:

2019-05-21 16:57:11 PinkRobin.localdomain scout[33314] ERROR cloudtrail.py L13: Failed to describe CloutTrail trail: An error occurred (AccessDeniedException) when calling the DescribeTrails operation: User: arn:aws:iam::ACCOUNTID:user/ACCOUNT is not authorized to perform: cloudtrail:DescribeTrails

Those show that it is using the account instead of my role.

I am running into an issue where I am exceeding the service account quota limits for the Service Usage API. I get the following error in my logs.

2020-07-21 03:02:16 a3f49ed43909 scout[1] ERROR services.py L55: Could not fetch iam configuration: <HttpError 500 when requesting https://serviceusage.googleapis.com/v1/projects/<removed>/services?alt=json returned "Quota exceeded for quota metric 'Requests' and limit 'Requests per minute' of service 'servicemanagement.googleapis.com' for consumer 'project_number:<removed>.". Details: "[{'@type': 'type.googleapis.com/google.rpc.Help', 'links': [{'description': 'Google developer console API key', 'url': 'https://console.developers.google.com/project/<removed>/apiui/credential'}]}]">

It looks like good only allows 240 requests per minute. I have submitted a ticket with google to increase the limit but I haven't gotten a response back. I tried rate limiting the requests with "--max-rate 1 --max-workers 3", but I am still seeing issues.

Has anyone seen this issue or have recommendations to limit the rate that scoutsuite queries the GCP api?

Parameters when calling scoutsuite gcp --service-account /opt/creds/gcp.json --organization-id XXXXXXXXXX --all-projects --max-rate 1 --max-workers 3

trying to run scoutsuite on an azure environment, getting the following error:

main.py L212: Initialization failure: cannot import name 'ARMChallengeAuthenticationPolicy' from 'azure.mgmt.core.policies' (/home/assaf/.local/lib/python3.8/site-packages/azure/mgmt/core/policies/init.py)

the environment is ubuntu LTS 20.04.3 python3.9 --version Python 3.9.16

Is your feature request related to a problem? Please describe.

When running scoutsuite for aws, the report shows a containers tab. However no information ever populates it, even in accounts using ECS, EKS and ECR.

Describe the solution you'd like

To have security rules ran against those services.

Describe alternatives you've considered

N/A

Additional context

N/A

Describe the bug

In the wiki page here: https://github.com/nccgroup/ScoutSuite/wiki/AWS-Minimal-Privileges-Policy

The missing actions are:

"cloudfront:ListDistributions",
"codebuild:ListProjects",
"secretsmanager:GetResourcePolicy",

To Reproduce

Please provide:

Set up the policy in AWS per the wiki and run the tool. It should error out with warnings about missing policy actions.

Description

This change allows to use a new CLI argument wich wake up an existing pre-coded feature to allow a user to specify multiple custom rules folders.

Type of change

Select the relevant option(s):

• [ ] Bug fix (non-breaking change which fixes an issue)
• [x] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
• [X] This change requires a documentation update

Checklist:

• [x] My code follows the style guidelines of this project
• [x] I have performed a self-review of my own code
• [x] I have commented my code, particularly in hard-to-understand areas
• [x] My changes generate no new warnings
• [ ] I have added tests that prove my fix is effective or that my feature works (optional)
• [ ] New and existing unit tests pass locally with my changes

The report is noticing a HTTP vulnerability for ALB's, even though the Load Balancer makes HTTP redirection to HTTPS. There isn't more information in the report more than the Load Balancer's information, listeners, attributes and sgs.

Is this a bug?

i have run the command several ways on several machines and always the same result

main summary says 14 vms but when you go to the instance count its only showing 3 from 1 resource group

i have even tried to put the specific subscription in says its only running against the specific named id and it still only shows from different and main