Merge pull request RhinoSecurityLabs#156 from manasmbellani/hotfix/aw…

…s_enum_account_error_handling Hotfix/aws enum account error handling
aaronrea · May 1, 2020 · adf43e3 · adf43e3
2 parents c9b9a73 + af6d6ec
commit adf43e3
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 27 deletions.
diff --git a/modules/aws__enum_account/main.py b/modules/aws__enum_account/main.py
@@ -51,11 +51,14 @@ def main(args, pacu_main):
     account_id = response['Account']
 
     iam_client = pacu_main.get_boto3_client('iam')
-    response = iam_client.list_account_aliases()
     try:
+        response = iam_client.list_account_aliases()
         account_iam_alias = response['AccountAliases'][0]
     except (KeyError, IndexError):
         account_iam_alias = "<No IAM Alias defined>"
+    except ClientError as e:
+        print("ClientError has occurred when getting AccountAliases: {}".format(e))
+        account_iam_alias = "<NotFound>"
 
     print('Enumerating Account: {}'.format(account_iam_alias))
     # All the billing seems to be in us-east-1. YMMV

diff --git a/modules/codebuild__enum/main.py b/modules/codebuild__enum/main.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 import argparse
 from copy import deepcopy
+from botocore.exceptions import ClientError
 
 
 module_info = {
@@ -52,40 +53,68 @@ def main(args, pacu_main):
         # Projects
         if enum_all is True or args.projects is True:
             project_names = []
-            response = client.list_projects()
-            project_names.extend(response['projects'])
-            while 'nextToken' in response:
-                response = client.list_projects(
-                    nextToken=response['nextToken']
-                )
+            response = {}
+            try:
+                response = client.list_projects()
                 project_names.extend(response['projects'])
+                while 'nextToken' in response:
+                    response = client.list_projects(
+                        nextToken=response['nextToken']
+                    )
+                    project_names.extend(response['projects'])
+
+                if len(project_names) > 0:
+                    region_projects = client.batch_get_projects(
+                        names=project_names
+                    )['projects']
+                    print('Found {} projects'.format(len(region_projects)))
+                    summary_data[region]['Projects'] = len(region_projects)
+                    all_projects.extend(region_projects)
+            except ClientError as error:
+                if error.response['Error']['Code'] == 'AccessDeniedException':
+                    print('No projects got for region: {} - AccessDeniedException'.format(region))
+                    print('ClientError getting projects: {}'.format(error))
 
-            if len(project_names) > 0:
-                region_projects = client.batch_get_projects(
-                    names=project_names
-                )['projects']
-                print('  Found {} projects'.format(len(region_projects)))
-                summary_data[region]['Projects'] = len(region_projects)
-                all_projects.extend(region_projects)
 
         # Builds
         if enum_all is True or args.builds is True:
             build_ids = []
-            response = client.list_builds()
-            build_ids.extend(response['ids'])
-            while 'nextToken' in response:
-                response = client.list_builds(
-                    nextToken=response['nextToken']
-                )
+            response = {}
+            try:
+                response = client.list_builds()
                 build_ids.extend(response['ids'])
+            except ClientError as error:
+               if error.response['Error']['Code'] == 'AccessDeniedException':
+                   print('No code-builds builds got for region: {} - AccessDeniedException'.format(region))
+                   print('ClientError getting builds: {}'.format(error))
+
+
+            while 'nextToken' in response:
+                response = {}
+                try:
+                    response = client.list_builds(
+                        nextToken=response['nextToken']
+                    )
+                    build_ids.extend(response['ids'])
+                except ClientError as error:
+                    if error.response['Error']['Code'] == 'AccessDeniedException':
+                        print('No further code-builds builds for region: {} - AccessDeniedException'.format(region))
+                        print('ClientError getting further builds: {}'.format(error))
 
             if len(build_ids) > 0:
-                region_builds = client.batch_get_builds(
-                    ids=build_ids
-                )['builds']
-                print('  Found {} builds'.format(len(region_builds)))
-                summary_data[region]['Builds'] = len(region_builds)
-                all_builds.extend(region_builds)
+                region_builds = {}
+                try:
+                    region_builds = client.batch_get_builds(
+                        ids=build_ids
+                    )['builds']
+                    print('  Found {} builds'.format(len(region_builds)))
+                    summary_data[region]['Builds'] = len(region_builds)
+                    all_builds.extend(region_builds)
+                except ClientError as error:
+                    if error.response['Error']['Code'] == 'AccessDeniedException':
+                        print('No info retrieved about code-builds for region: {} - AccessDeniedException'.format(region))
+                        print('ClientError getting info about builds: {}'.format(error))
+
         if not summary_data[region]:
             del summary_data[region]
 
@@ -118,7 +147,6 @@ def main(args, pacu_main):
 
     return summary_data
 
-
 def summary(data, pacu_main):
     out = ''
     for region in sorted(data):