Add better error handling when the default AWS region is not set

DataDog · Jan 24, 2022 · 299b031 · 299b031
1 parent fece828
commit 299b031
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 12 deletions.
diff --git a/docs/.DS_Store b/docs/.DS_Store
diff --git a/docs/attack-techniques/supported-platforms.md b/docs/attack-techniques/supported-platforms.md
@@ -2,10 +2,7 @@
 
 ## AWS
 
-In order to use Stratus Red Team attack techniques against AWS, you need to be authenticated prior to running it. 
-
-Before running an AWS attack technique, Stratus Red Team will attempt to call `sts:GetCallerIdentity` and raise an error if this fails.
-
+In order to use Stratus Red Team attack techniques against AWS, you need to be authenticated prior to running it. See: [Connecting to your cloud account](https://stratus-red-team.cloud/user-guide/getting-started/#connecting-to-your-cloud-account).
 ## Future Support for Additional Platforms
 
 We plan to add support for [Kubernetes](https://github.com/DataDog/stratus-red-team/issues/51), and one of [Azure](https://github.com/DataDog/stratus-red-team/issues/52) or [GCP](https://github.com/DataDog/stratus-red-team/issues/53) in the future.

diff --git a/docs/user-guide/getting-started.md b/docs/user-guide/getting-started.md
@@ -101,7 +101,4 @@ Stratus Red Team currently supports only AWS. In order to use Stratus attack tec
 
 - Using static credentials in `~/.aws/config`, and setting your desired AWS profile using `export AWS_PROFILE=my-profile`
 
-Before running an AWS attack technique, Stratus will attempt to call `sts:GetCallerIdentity` and raise an error if this fails.
-
-
 *[TTP]: Tactics, techniques and procedures
diff --git a/internal/providers/aws.go b/internal/providers/aws.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
-	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	"log"
 )
 
@@ -32,7 +32,11 @@ func (m *AWSProvider) GetConnection() aws.Config {
 
 func (m *AWSProvider) IsAuthenticatedAgainstAWS() bool {
 	m.GetConnection()
-	stsClient := sts.NewFromConfig(m.GetConnection())
-	_, err := stsClient.GetCallerIdentity(context.Background(), &sts.GetCallerIdentityInput{})
+
+	// We make a sample API call to AWS to ensure the user is authenticated
+	// Note: We use ec2:DescribeAccountAttributes as an arbitrary API call
+	// instead of sts:GetCallerIdentity, to ensure an AWS region was properly set
+	ec2Client := ec2.NewFromConfig(m.GetConnection())
+	_, err := ec2Client.DescribeAccountAttributes(context.Background(), &ec2.DescribeAccountAttributesInput{})
 	return err == nil
 }
diff --git a/pkg/stratus/runner/runner.go b/pkg/stratus/runner/runner.go
@@ -8,6 +8,7 @@ import (
 	"github.com/datadog/stratus-red-team/pkg/stratus"
 	"log"
 	"path/filepath"
+	"strings"
 )
 
 const StratusRunnerForce = true
@@ -77,7 +78,7 @@ func (m *Runner) WarmUp() (map[string]string, error) {
 	log.Println("Warming up " + m.Technique.ID)
 	outputs, err := m.TerraformManager.TerraformInitAndApply(m.TerraformDir)
 	if err != nil {
-		return nil, errors.New("Unable to run terraform apply on pre-requisite: " + err.Error())
+		return nil, buildErrorFromTerraformError(err)
 	}
 
 	// Persist outputs to disk
@@ -172,7 +173,9 @@ func (m *Runner) ValidatePlatformRequirements() {
 	case stratus.AWS:
 		log.Println("Checking your authentication against the AWS API")
 		if !providers.AWS().IsAuthenticatedAgainstAWS() {
-			log.Fatal("You are not authenticated against AWS, or you have not set your region.")
+			log.Fatal("You are not authenticated against AWS, or you have not set your region. " +
+				"Make sure you are authenticated against AWS, and you have a default region set in your AWS config or environment" +
+				" (export AWS_DEFAULT_REGION=us-east-1)")
 		}
 	}
 }
@@ -188,3 +191,15 @@ func (m *Runner) setState(state stratus.AttackTechniqueState) {
 	}
 	m.TechniqueState = state
 }
+
+// Utility function to display better error messages than the Terraform ones
+func buildErrorFromTerraformError(err error) error {
+	const MissingRegionErrorMessage = "The argument \"region\" is required, but no definition was found"
+
+	if strings.Contains(err.Error(), MissingRegionErrorMessage) {
+		return errors.New("unable to create attack technique pre-requisites. Ensure you are authenticated against AWS and have the right permissions to run Stratus Red Team.\n" +
+			"Stratus Red Team will display below the error that Terraform returned:\n" + err.Error())
+	}
+
+	return errors.New("Unable to run terraform apply on pre-requisite: " + err.Error())
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -101,7 +101,4 @@ Stratus Red Team currently supports only AWS. In order to use Stratus attack tec

		- Using static credentials in `~/.aws/config`, and setting your desired AWS profile using `export AWS_PROFILE=my-profile`

		Before running an AWS attack technique, Stratus will attempt to call `sts:GetCallerIdentity` and raise an error if this fails.


		*[TTP]: Tactics, techniques and procedures