
Seeing a problem with shared VPCs when running against AWS

Open roboweaver opened this issue 4 years ago • 2 comments

Describe the bug

Please provide:

  • A clear and concise description of what the bug is. Error displays on shared VPCs in the target account. We use shared VPCs so that the connection between accounts is consistent, so the actual VPC and subnets are in a separate account.

  • Console output using the --debug argument.

  • If possible, the errors JSON file generated at the end of execution (the CLI output will provide the path to this file). The file can be sent to [email protected] to avoid including sensitive content in the GitHub issue.

2020-08-24 17:52:03 Robs-Mac-Pro.local scout[27831] ERROR provider.py L375: 'subnet-05422aa9d2310fb34'
2020-08-24 17:52:03 Robs-Mac-Pro.local scout[27831] ERROR provider.py L375: 'subnet-00505b9e38117f64d'
2020-08-24 17:52:03 Robs-Mac-Pro.local scout[27831] INFO Running rule engine
2020-08-24 17:52:03 Robs-Mac-Pro.local scout[27831] ERROR browser.py L107: Unable to get "network_acl" from target object {'AvailabilityZone': 'us-east-1a', 'AvailabilityZoneId': 'use1-az2', 'AvailableIpAddressCount': 4074, 'CidrBlock': '10.114.48.0/20', 'DefaultForAz': False, 'MapPublicIpOnLaunch': True, 'MapCustomerOwnedIpOnLaunch': False, 'State': 'available', 'VpcId': 'vpc-04aae897ab297d296', 'OwnerId': '977454857655', 'AssignIpv6AddressOnCreation': False, 'Ipv6CidrBlockAssociationSet': [], 'SubnetArn': 'arn:aws:ec2:us-east-1:xxxxx:subnet/subnet-03a3d4612f0399522', 'flow_logs': [], 'id': 'subnet-03a3d4612f0399522', 'name': 'subnet-03a3d4612f0399522', 'CidrBlockv6': None}: 'network_acl'
2020-08-24 17:52:03 Robs-Mac-Pro.local scout[27831] ERROR processingengine.py L52: Failed to process rule defined in vpc-subnet-with-bad-acls.json: replace() argument 2 must be str, not None
2020-08-24 17:52:04 Robs-Mac-Pro.local scout[27831] ERROR browser.py L107: Unable to get "network_acl" from target object {'AvailabilityZone': 'us-east-1a', 'AvailabilityZoneId': 'use1-az2', 'AvailableIpAddressCount': 4074, 'CidrBlock': '10.114.48.0/20', 'DefaultForAz': False, 'MapPublicIpOnLaunch': True, 'MapCustomerOwnedIpOnLaunch': False, 'State': 'available', 'VpcId': 'vpc-04aae897ab297d296', 'OwnerId': '977454857655', 'AssignIpv6AddressOnCreation': False, 'Ipv6CidrBlockAssociationSet': [], 'SubnetArn': 'arn:aws:ec2:us-east-1:xxxxx:subnet/subnet-03a3d4612f0399522', 'flow_logs': [], 'id': 'subnet-03a3d4612f0399522', 'name': 'subnet-03a3d4612f0399522', 'CidrBlockv6': None}: 'network_acl'
2020-08-24 17:52:04 Robs-Mac-Pro.local scout[27831] ERROR processingengine.py L52: Failed to process rule defined in vpc-subnet-with-bad-acls.json: replace() argument 2 must be str, not None

To Reproduce

Add a shared VPC from another account into the account you are running scoutsuite against.

Please provide:

  • The exact CLI parameters used to run Scout Suite.

scout aws --regions us-west-1 us-west-2 us-east-1 us-east-2 eu-west-1 eu-central-1

  • Any specific configuration within the cloud account which might have led to the issue. The shared VPC is in a different account.

Additional context

Add any other context about the problem here.

roboweaver avatar Aug 25 '20 00:08 roboweaver

Add a shared VPC from another account into the account you are running scoutsuite against.

This is likely the issue, since that VPC isn't included in the report (and hence the values aren't set).

x4v13r64 avatar Sep 21 '20 07:09 x4v13r64
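The diagnosis above (the shared VPC is absent from the report, so the subnet's network_acl is never set and the rule's string replace gets None) can be shown with a small model of the data. The following is an added example written for this issue, not ScoutSuite's own code: the subnet and VPC dicts, the account IDs and the rule logic are all constructed and simplified, and only loosely follow the shapes printed in the log above. It contrasts a naive template-based lookup that raises TypeError on a shared subnet with a rule that reports the subnet as unresolved instead of aborting the whole rule.

```python
"""Handling subnets whose VPC lives in another account (shared VPC).

Added illustration, not ScoutSuite code. All IDs and data shapes are constructed.
"""

SCANNED_ACCOUNT = "111111111111"  # constructed id of the account being scanned

# Constructed subnets: one in a local VPC, one shared in from another account's VPC
SUBNETS = [
    {"id": "subnet-local-1", "VpcId": "vpc-local", "OwnerId": SCANNED_ACCOUNT},
    {"id": "subnet-shared-1", "VpcId": "vpc-shared", "OwnerId": "222222222222"},
]

# VPCs the scanned account can describe. The shared VPC is deliberately absent:
# the VPC object and its network ACLs belong to the owning account.
VPCS = {
    "vpc-local": {
        "network_acls": {
            "acl-local-1": {
                "subnet_ids": ["subnet-local-1"],
                "allow_all_ingress": True,  # wide-open ACL, should be a finding
            }
        }
    }
}


def naive_acl_path(subnet):
    """Build a lookup path by string substitution, the way a template-driven
    rule might. With network_acl == None this raises TypeError, which is the
    'replace() argument 2 must be str, not None' failure in the log."""
    template = "vpcs.{vpc}.network_acls.{acl}"
    return template.replace("{vpc}", subnet["VpcId"]).replace("{acl}", subnet["network_acl"])


def naive_rule_crashes(subnet):
    """Return True if the naive path construction blows up for this subnet."""
    try:
        naive_acl_path(subnet)
        return False
    except TypeError:
        return True


def resolve_network_acl(subnet, vpcs):
    """Return the ACL id associated with the subnet, or None when the VPC is
    not in the report (shared VPC) or no association exists."""
    vpc = vpcs.get(subnet["VpcId"])
    if vpc is None:
        return None
    for acl_id, acl in vpc["network_acls"].items():
        if subnet["id"] in acl["subnet_ids"]:
            return acl_id
    return None


def annotate_subnets(subnets, vpcs, account_id):
    """Attach network_acl and a shared-VPC marker to every subnet (in place)."""
    for s in subnets:
        s["network_acl"] = resolve_network_acl(s, vpcs)
        s["shared_vpc"] = s["OwnerId"] != account_id
    return subnets


def evaluate_bad_acl_rule(subnet, vpcs):
    """Hardened rule: 'FAIL' for a wide-open ACL, 'PASS' otherwise, and
    'UNKNOWN' when the ACL cannot be resolved (shared VPC) instead of raising."""
    acl_id = subnet.get("network_acl")
    if acl_id is None:
        return "UNKNOWN"
    acl = vpcs[subnet["VpcId"]]["network_acls"][acl_id]
    return "FAIL" if acl["allow_all_ingress"] else "PASS"


def run(subnets=SUBNETS, vpcs=VPCS, account_id=SCANNED_ACCOUNT):
    """Annotate copies of the subnets and evaluate the rule on each one."""
    results = {}
    for s in annotate_subnets([dict(x) for x in subnets], vpcs, account_id):
        results[s["id"]] = {"shared_vpc": s["shared_vpc"], "rule": evaluate_bad_acl_rule(s, vpcs)}
    return results


if __name__ == "__main__":
    for subnet_id, result in run().items():
        print(subnet_id, result)
```

The point of the "UNKNOWN" outcome is that a subnet whose ACLs are evaluated in another account still shows up in the report, marked as shared and unassessed, rather than silently disappearing or taking the whole rule down with it; assessing the ACL itself requires scanning the owning account.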

Can we revisit this issue?

chargraves85 avatar Jul 27 '22 16:07 chargraves85