Merge pull request #420 from h00die/get_policy_patch_systemsmanager__…
…rce_ec2

 Add error handling to get_policy in systemsmanager__rce_ec2
DaveYesland committed May 17, 2024
2 parents 06983a8 + 722aa4a commit 75370ef
Showing 1 changed file with 8 additions and 4 deletions.
12 changes: 8 additions & 4 deletions pacu/modules/systemsmanager__rce_ec2/main.py
@@ -39,7 +39,7 @@
parser.add_argument('--all-instances', required=False, default=False, action='store_true', help='Skip vulnerable operating system check and just target every instance')
parser.add_argument('--target-instances', required=False, default=None, help='A comma-separated list of instances and regions to set as the attack targets in the format of instance-id@region,instance2-id@region...')
parser.add_argument('--replace', required=False, default=False, action='store_true', help='For EC2 instances that already have an instance profile attached to them, this argument will replace those with the Systems Manager instance profile. WARNING: This can cause bad things to happen! You never know what negative side effects this may have on a server without further inspection, because you do not know what permissions you are removing/replacing that the instance already had')
parser.add_argument('--ip-name', required=False, default=None, help='The name of an existing instance profile with an "EC2 Role for Simple Systems Manager" attached to it. This will skip the automatic role/instance profile enumeration and the searching for a Systems Manager role/instance profile')
parser.add_argument('--ip-name', required=False, default=None, help='The name of an existing instance profile with an "EC2 Role for Simple Systems Manager" attached to it. This will skip the automatic role/instance profile enumeration and the searching for a Systems Manager role/instance profile. Example: "arn:aws:iam::1111111111111:user/example"')


def main(args, pacu_main):
@@ -140,9 +140,13 @@ def main(args, pacu_main):
# Begin Systems Manager role finder/creator
client = pacu_main.get_boto3_client('iam')

ssm_policy = client.get_policy(
PolicyArn='arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'
)['Policy']
try:
ssm_policy = client.get_policy(
PolicyArn='arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'
)['Policy']
except ClientError as error:
print(' Unable to retrieve policy (arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM). Try specifying the ip-name manually. Error: {}\n'.format(str(error)))
return

if ssm_policy['AttachmentCount'] > 0:
if fetch_data(['IAM', 'Roles'], module_info['prerequisite_modules'][1], '--roles') is False:
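Review bot: The example appended to the `--ip-name` help text contradicts the option it documents. The help asks for the name of an existing instance profile, but the sample `arn:aws:iam::1111111111111:user/example` is an IAM user ARN, and its account field has 13 digits where AWS account IDs have 12. How the value is consumed is not visible in this hunk, so confirm whether a bare name or an ARN is expected and make the example match, e.g. `Example: "ExampleSSMInstanceProfile"` (constructed sample) if a name is expected. In the second hunk the policy ARN literal now appears in both the `get_policy` call and the error message; a single constant would keep them in sync. `ClientError` must also be imported at the top of the file, which lies outside the hunk, as does the rest of `main`.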
