From 4dd7a1972fc7729b73cc92cc588b444e7ee53f8f Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 12 May 2022 11:44:55 -0400 Subject: [PATCH] added specific logging, updated readme, bumped version Signed-off-by: Aaron Lippold --- .github/workflows/draft-release.yml | 1 - README.md | 30 ++++++++++++++++++++--------- inspec.yml | 17 ++++++++-------- libraries/concurrent_s3.rb | 7 +++++-- 4 files changed, 35 insertions(+), 20 deletions(-) diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index be8d4ef..a75b9a8 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -2,7 +2,6 @@ name: Draft Release on: push: - # branches to consider in the event; optional, defaults to all branches: - master diff --git a/README.md b/README.md index 18aaa8e..1e42d9e 100644 --- a/README.md +++ b/README.md 
@@ -2,26 +2,28 @@ A micro-baseline to check for insecure or public S3 buckets and bucket objects in your AWS Environment. This [InSpec](https://github.com/chef/inspec) compliance profile verifies that you do not have any insure or open to public S3 Bucket or Bucket Objects in your AWS Environment in an automated way. -### Required Gems: +### Required Gems This profile requires the following gems: - - `inspec` - - `inspec-bin` - - `aws-sdk-s3` - - `concurrent-ruby` +- `inspec` +- `inspec-bin` +- `aws-sdk-s3` +- `concurrent-ruby` (v1.1.0 or higher) -#### Warning: Large amounts of Bucket Objects +Please **install these gems** in the ruby environment that InSpec is using prior to executing the profile. -The `s3-objects-no-public-access` control iterates through and verifies every objects in each bucket in your AWS Environment, thus its runtime will depend on the number of objects in your S3 Buckets. +### Large Buckets and Profile Runtime -On average the profile can process around 500 - 1000 objects/sec. +The `s3-objects-no-public-access` control iterates through every object in each bucket in your AWS environment. The runtime will depend on the number of objects in your S3 Buckets. + +On average the profile can process around ~1000 objects/sec. If you have buckets with large numbers of objects, we suggest you script a loop and use the `single_bucket` input to parallelize the workload. To see the processing in more details use the `-l debug` flag to get verbose output. -Then you can load all your HDF JSON results into [Heimdall Lite](https://heimdall-lite.mitre.org) to easily review all your scan results. +Then you can load all your HDF JSON results into [Heimdall Lite](https://heimdall-lite.mitre.org) to easily review all your scan results from the multiple runs by loading them in Heimdall. ## Getting Started 
@@ -84,6 +86,16 @@ $ export AWS_SECRET_ACCESS_KEY=access-key $ export AWS_SESSION_TOKEN=session-token # if MFA is enabled ``` +## Installing the needed Gems + +### Plain Old Ruby Environment + +- `gem install concurrent-ruby` + +### Using a Chef or CINC Omnibus Installation + +- `chef gem install concurrent-ruby` + ## Running This Baseline Directly from Github ### Testing all your buckets except those defined in your `excluded buckets` diff --git a/inspec.yml b/inspec.yml index 2178529..649160c 100644 --- a/inspec.yml +++ b/inspec.yml @@ -4,10 +4,10 @@ maintainer: MITRE InSpec Team copyright: MITRE, 2022 copyright_email: inspec@mitre.org license: Apache-2.0 -summary: "InSpec validation example baseline profile for AWS S3 - to test if you have public buckets" -version: 1.5.1 +summary: "InSpec profile to test if you have public buckets or objects" +version: 1.5.2 -inspec_version: ">= 4" +inspec_version: ">= 4.0" supports: - platform: aws @@ -17,12 +17,13 @@ depends: url: https://github.com/inspec/inspec-aws/archive/main.tar.gz inputs: - - name: exception_bucket_list - description: "list of buckets exempted from inspection" - type: array - value: - - "" - name: single_bucket description: "The name of the single bucket you wish to scan" type: string value: "" + + - name: exception_bucket_list + description: "List of buckets that should be exempted from review" + type: array + value: + - "" diff --git a/libraries/concurrent_s3.rb b/libraries/concurrent_s3.rb index b382d87..59b0aa5 100644 --- a/libraries/concurrent_s3.rb +++ b/libraries/concurrent_s3.rb 
@@ -32,13 +32,16 @@ def objects(options = {}) end def get_public_objects(myBucket) - Inspec::Log.debug "Processing Bucket: #{myBucket}" myPublicKeys = [] s3 = Aws::S3::Resource.new pool = Concurrent::FixedThreadPool.new(56) mutex = Mutex.new + + if Inspec::Log.level == :debug + Inspec::Log.debug "### Processing Bucket ### : #{myBucket} with #{s3.bucket(myBucket).objects.count} objects" + end s3.bucket(myBucket).objects.each do |object| - Inspec::Log.debug "Examining Key: #{object.key}" + Inspec::Log.debug " Examining Key: #{object.key}" if Inspec::Log.level == :debug pool.post do grants = object.acl.grants if grants.map { |x| x.grantee.type }.any? { |x| x =~ /Group/ } && grants.map do |x|
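Review bot: in the README hunk at `@@ -2,26 +2,28 @@`, the new sentence `On average the profile can process around ~1000 objects/sec.` says "approximately" twice (the tilde already means that); drop one. The same hunk leaves the typo `insure` in the unchanged intro sentence ("you do not have any insure or open to public S3 Bucket"), and this README rewrite is the place to correct it to "insecure". The rewritten Heimdall sentence repeats itself ("load all your HDF JSON results into Heimdall Lite ... from the multiple runs by loading them in Heimdall"); the original wording already said what was needed. Lastly, the newly added `(v1.1.0 or higher)` requirement on `concurrent-ruby` is not enforced anywhere in the patch (inspec.yml only pins `inspec_version`), so either add a runtime check or say why that version is the floor.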
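Review bot: in the README hunk at `@@ -84,6 +86,16 @@`, the new "Installing the needed Gems" section gives install commands only for `concurrent-ruby`, while the "Required Gems" list earlier in the same file names four gems (`inspec`, `inspec-bin`, `aws-sdk-s3`, `concurrent-ruby`). Either add the corresponding `gem install` / `chef gem install` lines for `aws-sdk-s3`, or state explicitly that it is already provided (for example by the `inspec-aws` dependency) and that `concurrent-ruby` is the only gem the user must install by hand; as written, a reader who follows the install section alone will skip a gem the profile says it needs.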
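Review bot: the inspec.yml hunk at `@@ -17,12 +17,13 @@` only moves `exception_bucket_list` below `single_bucket` and rewords its description, which the diff renders as a delete plus an add; if the reorder is intentional, a line in the commit message saying so would save the next reader from looking for a semantic change. While the block is being touched, the default `value:` is a one-element array holding an empty string (`- ""`) rather than an empty array, so anything consuming this input must treat `""` as "no exemptions"; a short comment beside the value documenting that this is deliberate would help.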
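Review bot: the new debug line in `get_public_objects` calls `s3.bucket(myBucket).objects.count`, which enumerates the whole bucket (paginated list calls) just to print a number, and the unchanged `s3.bucket(myBucket).objects.each` directly below enumerates it a second time; for the large buckets the README hunk warns about, this roughly doubles the listing cost precisely when `-l debug` is on, which is when users are trying to diagnose a slow run. Count inside the existing `each` loop and log the total after it, or drop the count from the message. Second, please confirm that `Inspec::Log.level` returns a Symbol: Ruby's `Logger#level` returns an Integer (`Logger::DEBUG` is `0`) even when the level was set with a symbol, so if InSpec delegates to `Logger` the `== :debug` comparison is never true and neither of the two newly guarded lines is ever emitted. Finally, the `if Inspec::Log.level == :debug` modifier on the `  Examining Key: #{object.key}` line is redundant with `Inspec::Log.debug`, which already suppresses itself below debug level; the guard is only worth keeping on the bucket line, where it avoids the expensive count.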