feat(aws): add confirm_instance to match original sechub int

Adds new config option for AWS backend to control whether or not to skip matching on instance region. Generally this is useful for non MSSPs or users that need to support multiple aws accounts to one sechub instance.
carlosmmatos · Nov 21, 2023 · fed23a3 · fed23a3
1 parent 78bfcb3
commit fed23a3
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 20 deletions.
diff --git a/config/config.ini b/config/config.ini
@@ -73,6 +73,9 @@
 # Uncomment to provide aws region. Alternatively, use AWS_REGION env variable
 #region = eu-west-1
 
+# Uncomment to manage whether or not to confirm instance in region. Alternatively, use AWS_CONFIRM_INSTANCE env variable.
+#confirm_instance = true
+
 [cloudtrail_lake]
 # AWS CloudTrail Lake section is applicable only when CLOUDTRAIL_LAKE backend is enabled in the [main] section.
 

diff --git a/config/defaults.ini b/config/defaults.ini
@@ -34,6 +34,7 @@ arc_autodiscovery = false
 
 [aws]
 region =
+confirm_instance = true
 
 [aws_sqs]
 region =

diff --git a/fig/backends/aws/__init__.py b/fig/backends/aws/__init__.py
@@ -10,6 +10,7 @@ class Submitter():
     def __init__(self, event):
         self.event = event
         self.region = config.get('aws', 'region')
+        self.confirm_instance = config.getboolean('aws', 'confirm_instance')
 
     def find_instance(self, instance_id, mac_address):
         # Instance IDs are unique to the region, not the account, so we have to check them all
@@ -65,26 +66,30 @@ def submit(self):
         log.info("Processing detection: %s", self.event.detect_description)
         det_region = self.region
         send = False
-        try:
-            if self.event.instance_id:
-                det_region, instance = self.find_instance(self.event.instance_id, self.event.device_details["mac_address"])
-                if instance is None:
-                    log.warning("Instance %s with MAC address %s not found in regions searched. Alert not processed.",
-                                self.event.instance_id, self.event.device_details["mac_address"])
-                    return
-                try:
-                    for _ in instance.network_interfaces:
-                        # Only send alerts for instances we can find
-                        send = True
-
-                except ClientError:
-                    # Not our instance
-                    i_id = self.event.instance_id
-                    mac = self.event.device_details["mac_address"]
-                    log.info("Instance %s with MAC address %s not found in regions searched. Alert not processed.", i_id, mac)
-        except AttributeError:
-            # Instance ID was not provided by the detection
-            log.info("Instance ID not provided by detection. Alert not processed.")
+        if self.confirm_instance:
+            try:
+                if self.event.instance_id:
+                    det_region, instance = self.find_instance(self.event.instance_id, self.event.device_details["mac_address"])
+                    if instance is None:
+                        log.warning("Instance %s with MAC address %s not found in regions searched. Alert not processed.",
+                                    self.event.instance_id, self.event.device_details["mac_address"])
+                        return
+                    try:
+                        for _ in instance.network_interfaces:
+                            # Only send alerts for instances we can find
+                            send = True
+
+                    except ClientError:
+                        # Not our instance
+                        i_id = self.event.instance_id
+                        mac = self.event.device_details["mac_address"]
+                        log.info("Instance %s with MAC address %s not found in regions searched. Alert not processed.", i_id, mac)
+            except AttributeError:
+                # Instance ID was not provided by the detection
+                log.info("Instance ID not provided by detection. Alert not processed.")
+        else:
+            # If we're not confirming the instance, we can just send the alert
+            send = True
 
         if send:
             sh_payload = self.create_payload(det_region)

diff --git a/fig/config/__init__.py b/fig/config/__init__.py
@@ -23,6 +23,7 @@ class FigConfig(configparser.ConfigParser):
         ['azure', 'primary_key', 'PRIMARY_KEY'],
         ['azure', 'arc_autodiscovery', 'ARC_AUTODISCOVERY'],
         ['aws', 'region', 'AWS_REGION'],
+        ['aws', 'confirm_instance', 'AWS_CONFIRM_INSTANCE'],
         ['aws_sqs', 'region', 'AWS_REGION'],
         ['aws_sqs', 'sqs_queue_name', 'AWS_SQS'],
         ['workspaceone', 'token', 'WORKSPACEONE_TOKEN'],
@@ -88,6 +89,8 @@ def validate_backends(self):
         if 'AWS' in self.backends:
             if len(self.get('aws', 'region')) == 0:
                 raise Exception('Malformed Configuration: expected aws.region to be non-empty')
+            if self.get('aws', 'confirm_instance') not in ['false', 'true']:
+                raise Exception('Malformed Configuration: expected aws.confirm_instance must be either true or false')
         if 'AWS_SQS' in self.backends:
             if len(self.get('aws_sqs', 'region')) == 0:
                 raise Exception('Malformed Configuration: expected aws_sqs.region to be non-empty')