add role assumption for s3 source #1477

Merged
merged 32 commits into from
Aug 18, 2023
32 commits
58f9205
add role assumption for s3 source
Jul 11, 2023
75d5dc9
refactor role assumption to repeatable string
Jul 11, 2023
192568d
Merge branch 'main' into add-assume-role-aws
Jul 20, 2023
1151a9f
refactor s3 chunks to handle passed roleARNs
Jul 21, 2023
e77ac46
add role-session name
Jul 22, 2023
35ad811
Merge branch 'main' into add-assume-role-aws
Jul 24, 2023
4da1ac2
add docstring for rolearn strings()
Jul 24, 2023
6684732
make sure role ars are passed into source
Jul 25, 2023
bc30433
refactor role assumption functionality
Jul 26, 2023
07d14ed
add log check on assume role
Jul 26, 2023
111c955
fix role iteration
Jul 28, 2023
f6bcd4e
add comment
Jul 28, 2023
9ea7140
protobuf revert for merge
Jul 28, 2023
3055580
Merge branch 'main' into add-assume-role-aws
Jul 28, 2023
4156884
re-run make proto
Jul 28, 2023
6b6c0db
lint cleanup
Jul 28, 2023
8361dc1
cleanup TODOs
Jul 31, 2023
5f9506f
drop redundant switch case in assumerole client
Jul 31, 2023
36da074
use less verbose 'ctx' designator
Jul 31, 2023
e111a09
breakout functionality from Chunks
Aug 1, 2023
c7d4545
Merge branch 'main' into add-assume-role-aws
Aug 2, 2023
ffa9354
remake protobuf defs
Aug 2, 2023
b871baa
Merge branch 'main' into add-assume-role-aws
Aug 2, 2023
414ec9d
allow scan to continue on single bucket err
Aug 7, 2023
3756beb
Merge branch 'main' into add-assume-role-aws
Aug 7, 2023
6df9ae1
Merge branch 'main' into add-assume-role-aws
Aug 9, 2023
238428e
Merge branch 'main' into add-assume-role-aws
Aug 9, 2023
266238c
Merge branch 'main' into add-assume-role-aws
Aug 14, 2023
b35c531
Merge branch 'main' into add-assume-role-aws
Aug 16, 2023
8a0e106
add readme docs
Aug 17, 2023
80f4319
minor fixups
Aug 17, 2023
4163069
Merge branch 'main' into add-assume-role-aws
Aug 17, 2023
38 changes: 34 additions & 4 deletions README.md
Expand Up @@ -116,25 +116,31 @@ Expected output:
trufflehog s3 --bucket=<bucket name> --only-verified
```

## 5: Scan a Github Repo using SSH authentication in docker
## 5: Scan S3 buckets using IAM Roles

```bash
trufflehog s3 --role-arn=<iam role arn>
```

## 6: Scan a Github Repo using SSH authentication in docker

```bash
docker run --rm -v "$HOME/.ssh:/root/.ssh:ro" trufflesecurity/trufflehog:latest git ssh://github.com/trufflesecurity/test_keys
```

## 6: Scan individual files or directories
## 7: Scan individual files or directories

```bash
trufflehog filesystem path/to/file1.txt path/to/file2.txt path/to/dir
```

## 7: Scan GCS buckets for verified secrets.
## 8: Scan GCS buckets for verified secrets.

```bash
trufflehog gcs --project-id=<project-ID> --cloud-environment --only-verified
```

# 8: Scan a Docker image for verified secrets.
## 9: Scan a Docker image for verified secrets.

Use the `--image` flag multiple times to scan multiple images.

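Review bot: the placeholder in the new section 5 example, `trufflehog s3 --role-arn=<iam role arn>`, contains spaces, while the S3 section added further down this same file uses `<iam-role-arn>` and `<bucket-name>`; use the hyphenated form here as well so a reader copying the line is not left guessing where the argument ends. Because this quick-start example passes no `--bucket`, it also deserves a one-line note that the scan then covers every bucket the role is allowed to list, as the later section explains. The heading fix from `# 8:` to `## 9:` and the renumbering of sections 6 through 8 look correct.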
Expand Down Expand Up @@ -218,6 +224,30 @@ For example, to scan a `git` repository, start with
$ trufflehog git https://github.com/trufflesecurity/trufflehog.git
```

## S3

The S3 source supports assuming IAM roles for scanning in addition to IAM users. This makes it easier for users to scan multiple AWS accounts without needing to rely on hardcoded credentials for each account.

The IAM identity that TruffleHog uses initially will need to have `AssumeRole` privileges as a principal in the [trust policy](https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/) of each IAM role to assume.

To scan a specific bucket using locally set credentials or instance metadata if on an EC2 instance:

```bash
trufflehog s3 --bucket=<bucket-name>
```

To scan a specific bucket using an assumed role:

```bash
trufflehog s3 --bucket=<bucket-name> --role-arn=<iam-role-arn>
```

Multiple roles can be passed as separate arguments. The following command will attempt to scan every bucket each role has permissions to list in the S3 API:

```bash
trufflehog s3 --role-arn=<iam-role-arn-1> --role-arn=<iam-role-arn-2>
```

Exit Codes:
- 0: No errors and no results were found.
- 1: An error was encountered. Sources may not have completed scans.
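Review bot: the sentence on `AssumeRole` privileges conflates two separate requirements. For cross-account use, which is the stated purpose, the identity TruffleHog starts with must be listed as a principal in each target role's trust policy, and it additionally needs an `sts:AssumeRole` allow in its own identity-based policy; the text mentions only the trust policy. Suggested wording: "The IAM identity that TruffleHog starts with needs `sts:AssumeRole` permission on each target role, and each role's trust policy must list that identity as a principal." The line "will attempt to scan every bucket each role has permissions to list" should also say whether the scan continues when a single bucket fails (the commit "allow scan to continue on single bucket err" in this PR suggests it does), since the exit-code section below says only that sources "may not have completed scans".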
10 changes: 6 additions & 4 deletions main.go
Expand Up @@ -105,10 +105,11 @@ var (
filesystemScanIncludePaths = filesystemScan.Flag("include-paths", "Path to file with newline separated regexes for files to include in scan.").Short('i').String()
filesystemScanExcludePaths = filesystemScan.Flag("exclude-paths", "Path to file with newline separated regexes for files to exclude in scan.").Short('x').String()

s3Scan = cli.Command("s3", "Find credentials in S3 buckets.")
s3ScanKey = s3Scan.Flag("key", "S3 key used to authenticate. Can be provided with environment variable AWS_ACCESS_KEY_ID.").Envar("AWS_ACCESS_KEY_ID").String()
s3ScanSecret = s3Scan.Flag("secret", "S3 secret used to authenticate. Can be provided with environment variable AWS_SECRET_ACCESS_KEY.").Envar("AWS_SECRET_ACCESS_KEY").String()
s3ScanSessionToken = s3Scan.Flag("session-token", "S3 session token used to authenticate temporary credentials. Can be provided with environment variable AWS_SESSION_TOKEN.").Envar("AWS_SESSION_TOKEN").String()
s3Scan = cli.Command("s3", "Find credentials in S3 buckets.")
s3ScanKey = s3Scan.Flag("key", "S3 key used to authenticate. Can be provided with environment variable AWS_ACCESS_KEY_ID.").Envar("AWS_ACCESS_KEY_ID").String()
s3ScanRoleArns = s3Scan.Flag("role-arn", "Specify the ARN of an IAM role to assume for scanning. You can repeat this flag.").Strings()
s3ScanSecret = s3Scan.Flag("secret", "S3 secret used to authenticate. Can be provided with environment variable AWS_SECRET_ACCESS_KEY.").Envar("AWS_SECRET_ACCESS_KEY").String()
s3ScanSessionToken = s3Scan.Flag("session-token", "S3 session token used to authenticate temporary credentials. Can be provided with environment variable AWS_SESSION_TOKEN.").Envar("AWS_SESSION_TOKEN").String()
s3ScanCloudEnv = s3Scan.Flag("cloud-environment", "Use IAM credentials in cloud environment.").Bool()
s3ScanBuckets = s3Scan.Flag("bucket", "Name of S3 bucket to scan. You can repeat this flag.").Strings()
s3ScanMaxObjectSize = s3Scan.Flag("max-object-size", "Maximum size of objects to scan. Objects larger than this will be skipped. (Byte units eg. 512B, 2KB, 4MB)").Default("250MB").Bytes()
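Review bot: the help text for `--role-arn` does not say which credentials are used to assume the role. Per the README section in this PR, the role is assumed with whatever base identity is already configured (`--key`/`--secret`/`--session-token`, the `AWS_*` environment variables, or `--cloud-environment`), and that is exactly what a user choosing between static keys and roles needs to read in `--help`. Suggested text: `"ARN of an IAM role to assume for scanning, using the credentials configured by the other flags or the environment. You can repeat this flag."` Inserting `s3ScanRoleArns` between `key` and `secret` also splits the credential trio; placing it after `session-token`, next to `cloud-environment`, keeps the related flags together.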
Expand Down Expand Up @@ -468,6 +469,7 @@ func run(state overseer.State) {
Secret: *s3ScanSecret,
SessionToken: *s3ScanSessionToken,
Buckets: *s3ScanBuckets,
Roles: *s3ScanRoleArns,
CloudCred: *s3ScanCloudEnv,
MaxObjectSize: int64(*s3ScanMaxObjectSize),
}
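Review bot: the config field `Roles` is populated from `*s3ScanRoleArns`, so its name is less specific than both the flag (`--role-arn`) and the variable feeding it. `RoleArns` would make clear that the field carries ARNs rather than role names, and the same applies to `connection.Roles` in the proto message; a style point, but worth settling before the field name is fixed in the public proto definition.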
5 changes: 5 additions & 0 deletions pkg/engine/s3.go
Expand Up @@ -46,6 +46,11 @@ func (e *Engine) ScanS3(ctx context.Context, c sources.S3Config) error {
if len(c.Buckets) > 0 {
connection.Buckets = c.Buckets
}

if len(c.Roles) > 0 {
connection.Roles = c.Roles
}

var conn anypb.Any
err := anypb.MarshalFrom(&conn, connection, proto.MarshalOptions{})
if err != nil {
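Review bot: `connection.Roles = c.Roles` copies the ARNs into the proto connection without any shape check, so a mistyped ARN is only discovered when STS rejects the `AssumeRole` call mid-scan, after other roles may already have started. Consider validating each entry before marshalling and returning an error early; the SDK's `github.com/aws/aws-sdk-go/aws/arn` package offers `arn.Parse` for this, or at minimum check that the string starts with `arn:` and contains `:role/`. The `len(c.Roles) > 0` guard mirrors the `Buckets` block above, though assigning an empty slice would be harmless either way.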