diff --git a/lambda_code/scan/scan.py b/lambda_code/scan/scan.py index 291cb2d0..98c247b2 100644 --- a/lambda_code/scan/scan.py +++ b/lambda_code/scan/scan.py @@ -2,6 +2,7 @@ import json import os +from utils.utils_aws import assume_role from utils.utils_aws import eb_susceptible from utils.utils_aws import get_cloudfront_s3_origin_takeover from utils.utils_aws import list_domains @@ -290,12 +291,18 @@ def lambda_handler(event, context): # pylint:disable=unused-argument account_id = event["Id"] account_name = event["Name"] - hosted_zones = list_hosted_zones(event) + aws_session = assume_role(account_id) + try: + r53client = aws_session.client("route53") + except Exception: + print(f"ERROR: unable to assume role in {account_name} account {account_id}") + + hosted_zones = list_hosted_zones(r53client, event) for hosted_zone in hosted_zones: print(f"Searching for vulnerable domain records in hosted zone {hosted_zone['Name']}") - record_sets = list_resource_record_sets(account_id, account_name, hosted_zone["Id"]) + record_sets = list_resource_record_sets(r53client, account_name, hosted_zone["Id"]) record_sets = sanitise_wildcards(record_sets) alias_cloudfront_s3(account_name, record_sets, account_id) diff --git a/lambda_code/scan_ips/scan_ips.py b/lambda_code/scan_ips/scan_ips.py index e208e0a5..15661348 100644 --- a/lambda_code/scan_ips/scan_ips.py +++ b/lambda_code/scan_ips/scan_ips.py @@ -2,6 +2,7 @@ import json import os +from utils.utils_aws import assume_role from utils.utils_aws import list_hosted_zones from utils.utils_aws import list_resource_record_sets from utils.utils_aws import publish_to_sns @@ -166,13 +167,19 @@ def lambda_handler(event, context): # pylint:disable=unused-argument get_ips(account_id, account_name) - hosted_zones = list_hosted_zones(event) + aws_session = assume_role(account_id) + try: + r53client = aws_session.client("route53") + except Exception: + print(f"ERROR: unable to assume role in {account_name} account {account_id}") + + hosted_zones = list_hosted_zones(r53client, event) if item_count > 0: # don't test for vulnerabilities until DynamoDB table is populated across organisation for hosted_zone in hosted_zones: print(f"Searching for vulnerable A records in hosted zone {hosted_zone['Name']}") - record_sets = list_resource_record_sets(account_id, account_name, hosted_zone["Id"]) + record_sets = list_resource_record_sets(r53client, account_name, hosted_zone["Id"]) record_sets = sanitise_wildcards(record_sets) a_record(account_name, record_sets, ip_prefixes) diff --git a/utils/utils_aws.py b/utils/utils_aws.py index 61ff20df..44b62be6 100644 --- a/utils/utils_aws.py +++ b/utils/utils_aws.py @@ -86,70 +86,53 @@ def list_accounts(): return [] -def list_hosted_zones(account): +def list_hosted_zones(route53, account): - account_id = account["Id"] account_name = account["Name"] - try: - boto3_session = assume_role(account_id) - route53 = boto3_session.client("route53") - - hosted_zones_list = [] - - try: - paginator_zones = route53.get_paginator("list_hosted_zones") - pages_zones = paginator_zones.paginate() - for page_zones in pages_zones: - hosted_zones = [h for h in page_zones["HostedZones"] if not h["Config"]["PrivateZone"]] + hosted_zones_list = [] - hosted_zones_list = hosted_zones_list + hosted_zones + try: + paginator_zones = route53.get_paginator("list_hosted_zones") + pages_zones = paginator_zones.paginate() + for page_zones in pages_zones: + hosted_zones = [h for h in page_zones["HostedZones"] if not h["Config"]["PrivateZone"]] - return hosted_zones_list + hosted_zones_list = hosted_zones_list + hosted_zones - except Exception: - logging.error( - "ERROR: Lambda execution role requires route53:ListHostedZones permission in %a account", - account_name, - ) + return hosted_zones_list except Exception: - logging.error("ERROR: unable to assume role in %a account %s", account_name, account_id) + logging.error( + "ERROR: Lambda execution role requires route53:ListHostedZones permission in %a account", + account_name, + ) return [] -def list_resource_record_sets(account_id, account_name, hosted_zone_id): +def list_resource_record_sets(route53, account_name, hosted_zone_id): try: - boto3_session = assume_role(account_id) - route53 = boto3_session.client("route53") - - record_set_list = [] - - try: - paginator_records = route53.get_paginator("list_resource_record_sets") - pages_records = paginator_records.paginate( - HostedZoneId=hosted_zone_id, - StartRecordName="_", - StartRecordType="NS", - ) + paginator_records = route53.get_paginator("list_resource_record_sets") + pages_records = paginator_records.paginate( + HostedZoneId=hosted_zone_id, + StartRecordName="_", + StartRecordType="NS", + ) - for page_records in pages_records: - record_sets = page_records["ResourceRecordSets"] + for page_records in pages_records: + record_sets = page_records["ResourceRecordSets"] - record_set_list = record_set_list + record_sets + record_set_list = record_set_list + record_sets - return record_set_list - - except Exception: - logging.exception( - "ERROR: Lambda execution role requires route53:ListResourceRecordSets permission in %a account", - account_name, - ) + return record_set_list except Exception: - logging.error("ERROR: unable to assume role in %a account %s", account_name, account_id) + logging.exception( + "ERROR: Lambda execution role requires route53:ListResourceRecordSets permission in %a account", + account_name, + ) return []