diff --git a/collectors/alibaba/collector.js b/collectors/alibaba/collector.js
index 6b7832e090..ae08d0cbe1 100644
--- a/collectors/alibaba/collector.js
+++ b/collectors/alibaba/collector.js
@@ -77,7 +77,7 @@ var calls = {
 },
 GetPasswordPolicy: {
 property: 'PasswordPolicy',
- apiVersion: '2015-05-01',
+ apiVersion: '2015-05-01'
 }
 },
 GBDB: {
diff --git a/collectors/alibaba/oss/listBuckets.js b/collectors/alibaba/oss/listBuckets.js
index 83c5b88446..abf928f856 100644
--- a/collectors/alibaba/oss/listBuckets.js
+++ b/collectors/alibaba/oss/listBuckets.js
@@ -18,11 +18,11 @@ module.exports = function(AlibabaConfig, collection, region, callback) {
 var callCB = function(err, data) {
 if (err) {
 collection.oss.listBuckets[region].err = err;
- callback();
+ return callback();
 }
 collection.oss.listBuckets[region].data = collection.oss.listBuckets[region].data.concat(data.buckets);
 if (data.nextMarker) execute(data.nextMarker);
- else callback();
+ else return callback();
 };
 execute();
diff --git a/docs/gcp.md b/docs/gcp.md
index 7fae8fa04a..e4d83fa102 100644
--- a/docs/gcp.md
+++ b/docs/gcp.md
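Review bot: On the success path `data.buckets` is concatenated without a guard, so if the OSS client ever returns a response without a `buckets` field (an empty listing, say), `concat(undefined)` appends a literal `undefined` element to `collection.oss.listBuckets[region].data`, and every plugin iterating that array will then treat it as a bucket. A one-line guard keeps the collected data clean: `collection.oss.listBuckets[region].data = collection.oss.listBuckets[region].data.concat(data.buckets || []);`. Whether the client can omit `buckets` is not visible from this hunk, so confirm against the OSS client before relying on it. The enclosing `module.exports` function and the `execute` helper it calls both extend outside the hunk.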
@@ -1,19 +1,70 @@
 # CloudSploit For Google Cloud Platform (GCP)
-## Cloud Provider Configuration
+## Create Security Audit Role
+
+1. Log into your Google Cloud console and "Activate" your Cloud Shell.
+1. Create a new file called aqua-security-audit-role.yaml. You can use: ``nano aqua-security-audit-role.yaml``.
+1. Copy and paste the following yaml code in the file on your Cloud Shell, press Ctrl + X and type "Y" to save the file.
+```
+name: roles/AquaCSPMSecurityAudit
+title: Aqua CSPM Security Audit
+ - includedPermissions:
+ - cloudkms.cryptoKeys.list
+ - cloudkms.keyRings.list
+ - cloudsql.instances.list
+ - cloudsql.users.list
+ - compute.autoscalers.list
+ - compute.backendServices.list
+ - compute.disks.list
+ - compute.firewalls.list
+ - compute.healthChecks.list
+ - compute.instanceGroups.list
+ - compute.instances.getIamPolicy
+ - compute.instances.list
+ - compute.networks.list
+ - compute.projects.get
+ - compute.securityPolicies.list
+ - compute.subnetworks.list
+ - compute.targetHttpProxies.list
+ - container.clusters.list
+ - dns.managedZones.list
+ - iam.serviceAccountKeys.list
+ - iam.serviceAccounts.list
+ - logging.logMetrics.list
+ - logging.sinks.list
+ - monitoring.alertPolicies.list
+ - resourcemanager.folders.get
+ - resourcemanager.folders.getIamPolicy
+ - resourcemanager.folders.list
+ - resourcemanager.hierarchyNodes.listTagBindings
+ - resourcemanager.organizations.get
+ - resourcemanager.organizations.getIamPolicy
+ - resourcemanager.projects.get
+ - resourcemanager.projects.getIamPolicy
+ - resourcemanager.projects.list
+ - resourcemanager.resourceTagBindings.list
+ - resourcemanager.tagKeys.get
+ - resourcemanager.tagKeys.getIamPolicy
+ - resourcemanager.tagKeys.list
+ - resourcemanager.tagValues.get
+ - resourcemanager.tagValues.getIamPolicy
+ - resourcemanager.tagValues.list
+ - storage.buckets.getIamPolicy
+ - storage.buckets.list
+stage: GA
+```
+4. Run the following command to create the role, use your Organization Id to create the Role at the Org Level: ``gcloud iam roles create AquaCSPMSecurityAudit --organization=YOUR_ORGANIZATION_ID --file=aqua-security-audit-role.yaml``
+
+## Create Service Account
 1. Log into your Google Cloud console and navigate to IAM Admin > Service Accounts.
 1. Click on "Create Service Account".
 1. Enter "CloudSploit" in the "Service account name", then enter "CloudSploit API Access" in the description.
 1. Click on Continue.
-1. Select the role: Project > Viewer.
+1. Select the role: Custom > Aqua CSPM Security Audit.
 1. Click on Continue.
 1. Click on "Create Key".
 1. Leave the default JSON selected.
 1. Click on "Create".
 1. The key will be downloaded to your machine.
 1. Open the JSON key file, in a text editor and copy the Project Id, Client Email and Private Key values into the `index.js` file or move the JSON key file to a safe location; you can reference it in your `config.js` file later.
-1. Enter the APIs & Services category.
-1. Select Enable APIS & SERVICES at the top of the page
-1. Search for DNS, then Select the option that appears and Enable it.
-1. Enable all the APIs used to run scans, they are as follows: Stackdriver Monitoring, Stackdriver Logging, Compute, Cloud Key Management, Cloud SQL Admin, Kubernetes, Service Management, and Service Networking.
diff --git a/index.js b/index.js
index f80c8f4f17..4d2e6ba969 100644
--- a/index.js
+++ b/index.js
@@ -71,8 +71,8 @@ parser.add_argument('--remediate', {
 action: 'append'
 });
 parser.add_argument('--cloud', {
- help: 'The name of cloud to run plugins for. If not provided, logic will assume cloud from config.js file based on provided credetials',
- choices: ['aws', 'azure', 'github', 'google', 'oracle'],
+ help: 'The name of cloud to run plugins for. If not provided, logic will assume cloud from config.js file based on provided credentials',
+ choices: ['aws', 'azure', 'github', 'google', 'oracle','alibaba'],
 action: 'append'
 });
diff --git a/plugins/aws/es/esExposedDomain.js b/plugins/aws/es/esExposedDomain.js
index 8085e078fe..260221c1c1 100644
--- a/plugins/aws/es/esExposedDomain.js
+++ b/plugins/aws/es/esExposedDomain.js
@@ -93,4 +93,4 @@ module.exports = {
 callback(null, results, source);
 });
 }
-};
+};
\ No newline at end of file
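Review bot: The new `'alibaba'` element in the `choices` array is written without the space after the comma that every other element uses, and it is appended after `'oracle'` where the rest of the list is alphabetical; `choices: ['alibaba', 'aws', 'azure', 'github', 'google', 'oracle'],` keeps both consistent with the surrounding code. Reordering should only change how the accepted values render in `--help` output, not which values `--cloud` accepts, but confirm that against the argparse version in use. The `parser.add_argument('--cloud', ...)` call is entirely within the hunk.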