From fed23a38687bc2fa87f2bb3e5fc3f1235a9b0d2a Mon Sep 17 00:00:00 2001
From: Carlos Matos
Date: Tue, 21 Nov 2023 18:32:10 -0500
Subject: [PATCH 1/2] feat(aws): add confirm_instance to match original sechub int

Adds new config option for AWS backend to control whether or not to skip matching on instance region. Generally this is useful for non MSSPs or users that need to support multiple aws accounts to one sechub instance.

---
 config/config.ini | 3 +++
 config/defaults.ini | 1 +
 fig/backends/aws/__init__.py | 45 ++++++++++++++++++++---------------
 fig/config/__init__.py | 3 +++
 4 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/config/config.ini b/config/config.ini
index b5c3ae9..56d2807 100644
--- a/config/config.ini
+++ b/config/config.ini
@@ -73,6 +73,9 @@
 
 # Uncomment to provide aws region. Alternatively, use AWS_REGION env variable
 #region = eu-west-1
+# Uncomment to manage whether or not to confirm instance in region. Alternatively, use AWS_CONFIRM_INSTANCE env variable.
+#confirm_instance = true
+
 
 [cloudtrail_lake]
 # AWS CloudTrail Lake section is applicable only when CLOUDTRAIL_LAKE backend is enabled in the [main] section.
diff --git a/config/defaults.ini b/config/defaults.ini
index 61fccfe..26f8c42 100644
--- a/config/defaults.ini
+++ b/config/defaults.ini
@@ -34,6 +34,7 @@ arc_autodiscovery = false
 
 [aws]
 region =
+confirm_instance = true
 
 [aws_sqs]
 region =
diff --git a/fig/backends/aws/__init__.py b/fig/backends/aws/__init__.py
index 3fe6dee..2829ed9 100644
--- a/fig/backends/aws/__init__.py
+++ b/fig/backends/aws/__init__.py
@@ -10,6 +10,7 @@ class Submitter():
 def __init__(self, event):
 self.event = event
 self.region = config.get('aws', 'region')
+ self.confirm_instance = config.getboolean('aws', 'confirm_instance')
 
 def find_instance(self, instance_id, mac_address):
 # Instance IDs are unique to the region, not the account, so we have to check them all
@@ -65,26 +66,30 @@ def submit(self):
 log.info("Processing detection: %s", self.event.detect_description)
 det_region = self.region
 send = False
- try:
- if self.event.instance_id:
- det_region, instance = self.find_instance(self.event.instance_id, self.event.device_details["mac_address"])
- if instance is None:
- log.warning("Instance %s with MAC address %s not found in regions searched. Alert not processed.",
- self.event.instance_id, self.event.device_details["mac_address"])
- return
- try:
- for _ in instance.network_interfaces:
- # Only send alerts for instances we can find
- send = True
-
- except ClientError:
- # Not our instance
- i_id = self.event.instance_id
- mac = self.event.device_details["mac_address"]
- log.info("Instance %s with MAC address %s not found in regions searched. Alert not processed.", i_id, mac)
- except AttributeError:
- # Instance ID was not provided by the detection
- log.info("Instance ID not provided by detection. Alert not processed.")
+ if self.confirm_instance:
+ try:
+ if self.event.instance_id:
+ det_region, instance = self.find_instance(self.event.instance_id, self.event.device_details["mac_address"])
+ if instance is None:
+ log.warning("Instance %s with MAC address %s not found in regions searched. Alert not processed.",
+ self.event.instance_id, self.event.device_details["mac_address"])
+ return
+ try:
+ for _ in instance.network_interfaces:
+ # Only send alerts for instances we can find
+ send = True
+
+ except ClientError:
+ # Not our instance
+ i_id = self.event.instance_id
+ mac = self.event.device_details["mac_address"]
+ log.info("Instance %s with MAC address %s not found in regions searched. Alert not processed.", i_id, mac)
+ except AttributeError:
+ # Instance ID was not provided by the detection
+ log.info("Instance ID not provided by detection. Alert not processed.")
+ else:
+ # If we're not confirming the instance, we can just send the alert
+ send = True
 
 if send:
 sh_payload = self.create_payload(det_region)
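Review bot: When `confirm_instance` is false the new `else:` branch sets `send = True` unconditionally, so `create_payload(det_region)` now also runs for detections that carry no `instance_id` — the case the `AttributeError` handler previously stopped with "Instance ID not provided by detection" — and `det_region` stays the configured `self.region` rather than the region an instance was actually found in; whether `create_payload` (outside this hunk) copes with a missing `instance_id` or `device_details["mac_address"]` cannot be seen here and should be confirmed before the option ships. Because the lookup was the only check that a detection refers to a resource this account can see, skipping it deserves a trace in the log, e.g. `log.info("Instance confirmation disabled; submitting detection for instance %s under configured region %s", getattr(self.event, "instance_id", None), det_region)` in place of the bare comment in the `else:` branch. The re-indentation of the whole former body under `if self.confirm_instance:` also makes the hunk hard to review; extracting that body into a helper such as `_locate_instance()` that returns `(det_region, send)` would keep `submit` flat and the diff to a few lines. `submit` begins before and continues after this hunk.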
diff --git a/fig/config/__init__.py b/fig/config/__init__.py
index 4bc1415..9ea4d21 100644
--- a/fig/config/__init__.py
+++ b/fig/config/__init__.py
@@ -23,6 +23,7 @@ class FigConfig(configparser.ConfigParser):
 ['azure', 'primary_key', 'PRIMARY_KEY'],
 ['azure', 'arc_autodiscovery', 'ARC_AUTODISCOVERY'],
 ['aws', 'region', 'AWS_REGION'],
+ ['aws', 'confirm_instance', 'AWS_CONFIRM_INSTANCE'],
 ['aws_sqs', 'region', 'AWS_REGION'],
 ['aws_sqs', 'sqs_queue_name', 'AWS_SQS'],
 ['workspaceone', 'token', 'WORKSPACEONE_TOKEN'],
@@ -88,6 +89,8 @@ def validate_backends(self):
 if 'AWS' in self.backends:
 if len(self.get('aws', 'region')) == 0:
 raise Exception('Malformed Configuration: expected aws.region to be non-empty')
+ if self.get('aws', 'confirm_instance') not in ['false', 'true']:
+ raise Exception('Malformed Configuration: expected aws.confirm_instance must be either true or false')
 if 'AWS_SQS' in self.backends:
 if len(self.get('aws_sqs', 'region')) == 0:
 raise Exception('Malformed Configuration: expected aws_sqs.region to be non-empty')

From f3db2c26a4f1e4cd925bca4a07c76286e00dd22e Mon Sep 17 00:00:00 2001
From: Carlos Matos
Date: Tue, 21 Nov 2023 18:44:35 -0500
Subject: [PATCH 2/2] doc(aws): update supporting docs for changes

---
 config/config.ini | 3 ++-
 docs/aws/manual/README.md | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/config/config.ini b/config/config.ini
index 56d2807..56bf0ab 100644
--- a/config/config.ini
+++ b/config/config.ini
@@ -73,7 +73,8 @@
 
 # Uncomment to provide aws region. Alternatively, use AWS_REGION env variable
 #region = eu-west-1
-# Uncomment to manage whether or not to confirm instance in region. Alternatively, use AWS_CONFIRM_INSTANCE env variable.
+# Uncomment to manage whether or not to confirm instance in AWS account supported region.
+# Alternatively, use AWS_CONFIRM_INSTANCE env variable.
 #confirm_instance = true
 
 [cloudtrail_lake]
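Review bot: The new check `if self.get('aws', 'confirm_instance') not in ['false', 'true']:` is case-sensitive and admits exactly two spellings, while the consumer in `fig/backends/aws/__init__.py` reads the value through `config.getboolean`, which accepts `1/0`, `yes/no` and `on/off` in any case; an operator who exports `AWS_CONFIRM_INSTANCE=True` is therefore refused at startup with a configuration error even though the backend would have understood the value. Comparing against the parser's own table keeps validation and use in step: `if self.get('aws', 'confirm_instance').lower() not in self.BOOLEAN_STATES:`. The message `'Malformed Configuration: expected aws.confirm_instance must be either true or false'` mixes "expected" with "must be"; `'Malformed Configuration: expected aws.confirm_instance to be either true or false'` matches the neighbouring region message. `validate_backends` continues beyond this hunk.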
diff --git a/docs/aws/manual/README.md b/docs/aws/manual/README.md
index 992a515..2b7b220 100644
--- a/docs/aws/manual/README.md
+++ b/docs/aws/manual/README.md
@@ -143,6 +143,12 @@ You can either use the `config/config.ini` file or you can use environment varia
 
 ##### 3.2.1 Configure the FIG using the `config/config.ini` file
 
+> [!NOTE]
+> Instance existence confirmation can be disabled using the `confirm_instance` config.ini in
+> the `[aws]` section or by setting the `AWS_CONFIRM_INSTANCE` environment variable. This option is
+> available for scenarios where the account that is running the service application does not have
+> access to the AWS account where the instance with the detection resides.
+
 1. Modify the `config/config.ini` file and set the following minimum values:
 
 ```ini