cloudfoxable
Fixed bug in Bastion that was preventing ctf-starting-user from ssm
Not sure when or how this started, but an anonymous Discord user reported a bug where ctf-starting-user couldn't SSM into the bastion EC2 instance with the applied bastion-ssm policy. This updated fix seems to fix the issue.
@sethsec Maybe my ignorance at play here, but bastion gets deployed and run from a single account, right? I think it would be much easier to use the aws_caller_identity data source than defining the account_id as a variable.
```hcl
data "aws_caller_identity" "current" {}
```
then later you could do:
```hcl
Resource = [
  aws_instance.bastion.arn,
  "arn:aws:ssm:us-west-2:${data.aws_caller_identity.current.account_id}:document/SSM-SessionManagerRunShell",
  "arn:aws:ssm:us-west-2:${data.aws_caller_identity.current.account_id}:session/ctf-starting-user-*",
]
```
very similar to what I did at https://github.com/BishopFox/cloudfoxable/blob/c8ec6bf2b575cc7e76c03713895269944b4dd525/aws/main.tf#L49 in my last PR.
just .02 :)
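To show the suggestion above as a complete, least-privilege policy, here is an added example (not cloudfoxable's own main.tf and not the reviewer's code): the account id comes from `aws_caller_identity`, `ssm:StartSession` is limited to the bastion instance plus the Session Manager shell document, and session resume/terminate is scoped to the caller's own sessions via `${aws:username}` rather than the hard-coded `ctf-starting-user-*` prefix, which generalises the snippet above. It assumes the instance resource is named `aws_instance.bastion` and the region is us-west-2, as in that snippet.

```hcl
# Added example, not the project's own code. Assumes aws_instance.bastion
# exists in this configuration and the region is us-west-2.
data "aws_caller_identity" "current" {}

locals {
  region     = "us-west-2"
  account_id = data.aws_caller_identity.current.account_id
}

data "aws_iam_policy_document" "bastion_ssm" {
  # StartSession must be allowed on both the target instance and the
  # session document. Listing the bastion ARN explicitly (rather than "*")
  # keeps the user from opening shells on any other instance in the account.
  statement {
    sid     = "StartSessionOnBastionOnly"
    effect  = "Allow"
    actions = ["ssm:StartSession"]
    resources = [
      aws_instance.bastion.arn,
      "arn:aws:ssm:${local.region}:${local.account_id}:document/SSM-SessionManagerRunShell",
    ]
  }

  # Session ids are prefixed with the IAM user name, so this scopes
  # resume/terminate to sessions the caller started. "$$" is the HCL escape
  # that emits a literal "${aws:username}" policy variable into the JSON.
  statement {
    sid     = "ManageOwnSessionsOnly"
    effect  = "Allow"
    actions = ["ssm:TerminateSession", "ssm:ResumeSession"]
    resources = [
      "arn:aws:ssm:${local.region}:${local.account_id}:session/$${aws:username}-*",
    ]
  }
}

resource "aws_iam_policy" "bastion_ssm" {
  name   = "bastion-ssm"
  policy = data.aws_iam_policy_document.bastion_ssm.json
}
```

After `terraform plan`, inspect the rendered JSON in the plan output to confirm the account id was resolved and that no resource entry collapsed to a bare `*`.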
That's so interesting. Yeah, it always just worked for me in the past. Not sure what this bug is/was, but thanks for digging into it @bf-singularity!