Merge pull request CrowdStrike#172 from carlosmmatos/aws-confirm-inst…

…ance
carlosmmatos · Nov 21, 2023 · e5cf70f · e5cf70f
2 parents 78bfcb3 + f3db2c2
commit e5cf70f
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 20 deletions.
diff --git a/config/config.ini b/config/config.ini
@@ -73,6 +73,10 @@
 # Uncomment to provide aws region. Alternatively, use AWS_REGION env variable
 #region = eu-west-1
 
+# Uncomment to manage whether or not to confirm instance in AWS account supported region.
+# Alternatively, use AWS_CONFIRM_INSTANCE env variable.
+#confirm_instance = true
+
 [cloudtrail_lake]
 # AWS CloudTrail Lake section is applicable only when CLOUDTRAIL_LAKE backend is enabled in the [main] section.
 

diff --git a/config/defaults.ini b/config/defaults.ini
@@ -34,6 +34,7 @@ arc_autodiscovery = false
 
 [aws]
 region =
+confirm_instance = true
 
 [aws_sqs]
 region =

diff --git a/docs/aws/manual/README.md b/docs/aws/manual/README.md
@@ -143,6 +143,12 @@ You can either use the `config/config.ini` file or you can use environment varia
 
 ##### 3.2.1 Configure the FIG using the `config/config.ini` file
 
+> [!NOTE]
+> Instance existence confirmation can be disabled using the `confirm_instance` config.ini in
+> the `[aws]` section or by setting the `AWS_CONFIRM_INSTANCE` environment variable. This option is
+> available for scenarios where the account that is running the service application does not have
+> access to the AWS account where the instance with the detection resides.
+
 1. Modify the `config/config.ini` file and set the following minimum values:
 
     ```ini

diff --git a/fig/backends/aws/__init__.py b/fig/backends/aws/__init__.py
@@ -10,6 +10,7 @@ class Submitter():
     def __init__(self, event):
         self.event = event
         self.region = config.get('aws', 'region')
+        self.confirm_instance = config.getboolean('aws', 'confirm_instance')
 
     def find_instance(self, instance_id, mac_address):
         # Instance IDs are unique to the region, not the account, so we have to check them all
@@ -65,26 +66,30 @@ def submit(self):
         log.info("Processing detection: %s", self.event.detect_description)
         det_region = self.region
         send = False
-        try:
-            if self.event.instance_id:
-                det_region, instance = self.find_instance(self.event.instance_id, self.event.device_details["mac_address"])
-                if instance is None:
-                    log.warning("Instance %s with MAC address %s not found in regions searched. Alert not processed.",
-                                self.event.instance_id, self.event.device_details["mac_address"])
-                    return
-                try:
-                    for _ in instance.network_interfaces:
-                        # Only send alerts for instances we can find
-                        send = True
-
-                except ClientError:
-                    # Not our instance
-                    i_id = self.event.instance_id
-                    mac = self.event.device_details["mac_address"]
-                    log.info("Instance %s with MAC address %s not found in regions searched. Alert not processed.", i_id, mac)
-        except AttributeError:
-            # Instance ID was not provided by the detection
-            log.info("Instance ID not provided by detection. Alert not processed.")
+        if self.confirm_instance:
+            try:
+                if self.event.instance_id:
+                    det_region, instance = self.find_instance(self.event.instance_id, self.event.device_details["mac_address"])
+                    if instance is None:
+                        log.warning("Instance %s with MAC address %s not found in regions searched. Alert not processed.",
+                                    self.event.instance_id, self.event.device_details["mac_address"])
+                        return
+                    try:
+                        for _ in instance.network_interfaces:
+                            # Only send alerts for instances we can find
+                            send = True
+
+                    except ClientError:
+                        # Not our instance
+                        i_id = self.event.instance_id
+                        mac = self.event.device_details["mac_address"]
+                        log.info("Instance %s with MAC address %s not found in regions searched. Alert not processed.", i_id, mac)
+            except AttributeError:
+                # Instance ID was not provided by the detection
+                log.info("Instance ID not provided by detection. Alert not processed.")
+        else:
+            # If we're not confirming the instance, we can just send the alert
+            send = True
 
         if send:
             sh_payload = self.create_payload(det_region)

diff --git a/fig/config/__init__.py b/fig/config/__init__.py
@@ -23,6 +23,7 @@ class FigConfig(configparser.ConfigParser):
         ['azure', 'primary_key', 'PRIMARY_KEY'],
         ['azure', 'arc_autodiscovery', 'ARC_AUTODISCOVERY'],
         ['aws', 'region', 'AWS_REGION'],
+        ['aws', 'confirm_instance', 'AWS_CONFIRM_INSTANCE'],
         ['aws_sqs', 'region', 'AWS_REGION'],
         ['aws_sqs', 'sqs_queue_name', 'AWS_SQS'],
         ['workspaceone', 'token', 'WORKSPACEONE_TOKEN'],
@@ -88,6 +89,8 @@ def validate_backends(self):
         if 'AWS' in self.backends:
             if len(self.get('aws', 'region')) == 0:
                 raise Exception('Malformed Configuration: expected aws.region to be non-empty')
+            if self.get('aws', 'confirm_instance') not in ['false', 'true']:
+                raise Exception('Malformed Configuration: expected aws.confirm_instance must be either true or false')
         if 'AWS_SQS' in self.backends:
             if len(self.get('aws_sqs', 'region')) == 0:
                 raise Exception('Malformed Configuration: expected aws_sqs.region to be non-empty')