fix: Correct the aws_sts_region behavior (osquery#8184)

trailofbits · Dec 18, 2023 · e042cea · e042cea
1 parent 6f380fc
commit e042cea
Show file tree

Hide file tree

Showing 12 changed files with 366 additions and 194 deletions.
diff --git a/docs/wiki/deployment/aws-logging.md b/docs/wiki/deployment/aws-logging.md
@@ -27,7 +27,7 @@ Some configuration is shared between the two plugins:
 
 When working with AWS, osquery will look for credentials and region configuration in the following order:
 
-1. Configuration flags
+1. Configuration flags; for the region, the service specific flags first (sts, kinesis, firehose) and then `aws_region` as a fallback
 2. Profile from the [AWS config files](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) (only if `--aws_profile_name` is specified)
 3. Environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
 4. `default` profile in the AWS config files
@@ -43,12 +43,16 @@ Setting `aws_kinesis_random_partition_key` to `true` will use random partition k
 
 Custom endpoint for non-AWS Kinesis implementations can be specified with `aws_kinesis_endpoint`.
 
+If the region to be used is different from the default one present in `aws_region`, or the one in the profile file, then `aws_kinesis_region` can be used.
+
 ### Kinesis Firehose
 
 Similarly for Kinesis Firehose delivery streams, the stream name must be specified with `aws_firehose_stream`, and the period can be configured with `aws_firehose_period`.
 
 Custom endpoint for non-AWS Firehose implementations can be specified with `aws_firehose_endpoint`.
 
+If the region to be used is different from the default one present in `aws_region`, or the one in the profile file, then `aws_firehose_region` can be used.
+
 ### Sample Config File
 
 ```JSON

diff --git a/docs/wiki/installation/cli-flags.md b/docs/wiki/installation/cli-flags.md
@@ -669,3 +669,24 @@ Whether to disable support for IMDSv1 and fail if an IMDSv2 token could not be r
 Enforces that only FIPS endpoints can be used for the logger plugins (Kinesis, Firehose), the STS authentication and the EC2 tables.  
 Using a non compliant region for the logger plugins will cause osquery to fail to start; for other non compliant cases the specific service will fail to work.  
 In all non compliant cases, an error or warning message will be printed. In verbose mode an additional message will show if a certain service has FIPS enforced.
+
+`--aws_region`
+
+Configure the default region to use for the AWS services and tables. If not specified and a more specific region flag is not provided,
+a fallback mechanism will be used, which will try to read the local profile configuration and take the region from there.  
+If that fails too, the default region of `us-east-1` will be chosen.
+
+`--aws_sts_region`
+
+Configure the region to use when acquiring STS credentials. If not specified, the `--aws_region` flag value will be used if set,
+otherwise its fallback mechanism will be used.
+
+`--aws_firehose_region`
+
+Configure the region to use for the AWS Firehose logger plugin. If not specified, the `--aws_region` flag value will be used if set,
+otherwise its fallback mechanism will be used.
+
+`--aws_kinesis_region`
+
+Configure the region to use for the AWS Kinesis logger plugin. If not specified, the `--aws_region` flag value will be used if set,
+otherwise its fallback mechanism will be used.
diff --git a/osquery/tables/cloud/aws/ec2_instance_tags.cpp b/osquery/tables/cloud/aws/ec2_instance_tags.cpp
@@ -40,8 +40,16 @@ QueryData genEc2InstanceTags(QueryContext& context) {
     return results;
   }
 
+  auto aws_region_res = AWSRegion::make(region, false);
+
+  if (aws_region_res.isError()) {
+    LOG(WARNING) << "Invalid region used to get EC2 instance tag: "
+                 << aws_region_res.getError();
+    return results;
+  }
+
   std::shared_ptr<ec2::EC2Client> client;
-  Status s = makeAWSClient<ec2::EC2Client>(client, region, false);
+  Status s = makeAWSClient<ec2::EC2Client>(client, aws_region_res.get(), false);
   if (!s.ok()) {
     LOG(WARNING) << "Failed to create EC2 client: " << s.what();
     return results;