diff --git a/aws/resource-trusts.go b/aws/resource-trusts.go index 0fe7e941..4efcb1f6 100644 --- a/aws/resource-trusts.go +++ b/aws/resource-trusts.go @@ -19,7 +19,8 @@ import ( ) type ResourceTrustsModule struct { - KMSClient sdk.KMSClientInterface + KMSClient *sdk.KMSClientInterface + APIGatewayClient *sdk.APIGatewayClientInterface // General configuration data Caller sts.GetCallerIdentityOutput @@ -76,10 +77,10 @@ func (m *ResourceTrustsModule) PrintResources(outputDirectory string, verbosity fmt.Printf("[%s][%s] Enumerating Resources with resource policies for account %s.\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub), aws.ToString(m.Caller.Account)) // if kms feature flag is enabled include kms in the supported services if includeKms { - fmt.Printf("[%s][%s] Supported Services: CodeBuild, ECR, EFS, Glue, KMS, Lambda, SecretsManager, S3, SNS, SQS\n", + fmt.Printf("[%s][%s] Supported Services: APIGateway, CodeBuild, ECR, EFS, Glue, KMS, Lambda, SecretsManager, S3, SNS, SQS\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub)) } else { - fmt.Printf("[%s][%s] Supported Services: CodeBuild, ECR, EFS, Glue, Lambda, SecretsManager, S3, SNS, "+ + fmt.Printf("[%s][%s] Supported Services: APIGateway, CodeBuild, ECR, EFS, Glue, Lambda, SecretsManager, S3, SNS, "+ "SQS (KMS requires --include-kms feature flag)\n", cyan(m.output.CallingModule), cyan(m.AWSProfileStub)) } @@ -244,6 +245,7 @@ func (m *ResourceTrustsModule) executeChecks(r string, wg *sync.WaitGroup, semap wg.Add(1) m.getCodeBuildResourcePoliciesPerRegion(r, wg, semaphore, dataReceiver) } + res, err = servicemap.IsServiceInRegion("lambda", r) if err != nil { m.modLog.Error(err) @@ -253,6 +255,7 @@ func (m *ResourceTrustsModule) executeChecks(r string, wg *sync.WaitGroup, semap wg.Add(1) m.getLambdaPolicyPerRegion(r, wg, semaphore, dataReceiver) } + res, err = servicemap.IsServiceInRegion("efs", r) if err != nil { m.modLog.Error(err) 
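Review bot: `KMSClient *sdk.KMSClientInterface` and `APIGatewayClient *sdk.APIGatewayClientInterface` are pointers to interface types, which Go code normally avoids because an interface value can already be nil. With the pointer form, the `m.KMSClient != nil` and `m.APIGatewayClient != nil` guards added in executeChecks only prove that the pointer is set. A non-nil pointer to a nil interface passes the guard, and the later `*m.KMSClient` / `*m.APIGatewayClient` then hands a nil client to the sdk helpers. Keeping the fields as `KMSClient sdk.KMSClientInterface` and `APIGatewayClient sdk.APIGatewayClientInterface` gives the same optional-client behaviour with a direct nil comparison and no dereferences at the call sites. The struct body continues outside the hunk.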
@@ -262,6 +265,7 @@ func (m *ResourceTrustsModule) executeChecks(r string, wg *sync.WaitGroup, semap wg.Add(1) m.getEFSfilesystemPoliciesPerRegion(r, wg, semaphore, dataReceiver) } + res, err = servicemap.IsServiceInRegion("secretsmanager", r) if err != nil { m.modLog.Error(err) @@ -271,6 +275,7 @@ func (m *ResourceTrustsModule) executeChecks(r string, wg *sync.WaitGroup, semap wg.Add(1) m.getSecretsManagerSecretsPoliciesPerRegion(r, wg, semaphore, dataReceiver) } + res, err = servicemap.IsServiceInRegion("glue", r) if err != nil { m.modLog.Error(err) @@ -281,7 +286,7 @@ func (m *ResourceTrustsModule) executeChecks(r string, wg *sync.WaitGroup, semap m.getGlueResourcePoliciesPerRegion(r, wg, semaphore, dataReceiver) } - if includeKms { + if includeKms && m.KMSClient != nil { res, err = servicemap.IsServiceInRegion("kms", r) if err != nil { m.modLog.Error(err) @@ -293,6 +298,17 @@ func (m *ResourceTrustsModule) executeChecks(r string, wg *sync.WaitGroup, semap } } + if m.APIGatewayClient != nil { + res, err = servicemap.IsServiceInRegion("apigateway", r) + if err != nil { + m.modLog.Error(err) + } + if res { + m.CommandCounter.Total++ + wg.Add(1) + m.getAPIGatewayPoliciesPerRegion(r, wg, semaphore, dataReceiver) + } + } } func (m *ResourceTrustsModule) Receiver(receiver chan Resource2, receiverDone chan bool) { @@ -881,7 +897,7 @@ func (m *ResourceTrustsModule) getKMSPoliciesPerRegion(r string, wg *sync.WaitGr semaphore <- struct{}{} defer func() { <-semaphore }() - listKeys, err := sdk.CachedKMSListKeys(m.KMSClient, aws.ToString(m.Caller.Account), r) + listKeys, err := sdk.CachedKMSListKeys(*m.KMSClient, aws.ToString(m.Caller.Account), r) if err != nil { sharedLogger.Error(err.Error()) return 
@@ -892,7 +908,7 @@ func (m *ResourceTrustsModule) getKMSPoliciesPerRegion(r string, wg *sync.WaitGr var statementSummaryInEnglish string var isInteresting = "No" - keyPolicy, err := sdk.CachedKMSGetKeyPolicy(m.KMSClient, aws.ToString(m.Caller.Account), r, aws.ToString(key.KeyId)) + keyPolicy, err := sdk.CachedKMSGetKeyPolicy(*m.KMSClient, aws.ToString(m.Caller.Account), r, aws.ToString(key.KeyId)) if err != nil { sharedLogger.Error(err.Error()) m.CommandCounter.Error++ 
@@ -936,6 +952,84 @@ func (m *ResourceTrustsModule) getKMSPoliciesPerRegion(r string, wg *sync.WaitGr } } +func (m *ResourceTrustsModule) getAPIGatewayPoliciesPerRegion(r string, wg *sync.WaitGroup, semaphore chan struct{}, dataReceiver chan Resource2) { + defer func() { + m.CommandCounter.Executing-- + m.CommandCounter.Complete++ + wg.Done() + }() + semaphore <- struct{}{} + defer func() { <-semaphore }() + + restAPIs, err := sdk.CachedApiGatewayGetRestAPIs(*m.APIGatewayClient, aws.ToString(m.Caller.Account), r) + if err != nil { + sharedLogger.Error(err.Error()) + return + } + + for _, restAPI := range restAPIs { + + if sdk.IsPublicApiGateway(&restAPI) { + continue + } + + var isPublic = "No" + var statementSummaryInEnglish string + var isInteresting = "No" + + if restAPI.Policy != nil && *restAPI.Policy != "" { + + // remove backslashes from the policy JSON + policyJson := strings.ReplaceAll(aws.ToString(restAPI.Policy), `\"`, `"`) + + restAPIPolicy, err := policy.ParseJSONPolicy([]byte(policyJson)) + if err != nil { + sharedLogger.Error(fmt.Errorf("parsing policy (%s) as JSON: %s", aws.ToString(restAPI.Name), err)) + m.CommandCounter.Error++ + continue + } + + if !restAPIPolicy.IsEmpty() { + for i, statement := range restAPIPolicy.Statement { + prefix := "" + if len(restAPIPolicy.Statement) > 1 { + prefix = fmt.Sprintf("Statement %d says: ", i) + statementSummaryInEnglish = prefix + statement.GetStatementSummaryInEnglish(*m.Caller.Account) + "\n" + } else { + statementSummaryInEnglish = statement.GetStatementSummaryInEnglish(*m.Caller.Account) + } + + statementSummaryInEnglish = strings.TrimSuffix(statementSummaryInEnglish, "\n") + if isResourcePolicyInteresting(statementSummaryInEnglish) { + //magenta(statementSummaryInEnglish) + isInteresting = magenta("Yes") + } + + dataReceiver <- Resource2{ + AccountID: aws.ToString(m.Caller.Account), + ARN: fmt.Sprintf("arn:aws:execute-api:%s:%s:%s/*", r, *m.Caller.Account, *restAPI.Id), + ResourcePolicySummary: 
statementSummaryInEnglish, + Public: isPublic, + Name: aws.ToString(restAPI.Name), + Region: r, + Interesting: isInteresting, + } + } + } + } else { + dataReceiver <- Resource2{ + AccountID: aws.ToString(m.Caller.Account), + ARN: fmt.Sprintf("arn:aws:execute-api:%s:%s:%s/*", r, *m.Caller.Account, *restAPI.Id), + ResourcePolicySummary: statementSummaryInEnglish, + Public: isPublic, + Name: aws.ToString(restAPI.Name), + Region: r, + Interesting: isInteresting, + } + } + } +} + func (m *ResourceTrustsModule) getGlueResourcePoliciesPerRegion(r string, wg *sync.WaitGroup, semaphore chan struct{}, dataReceiver chan Resource2) { defer func() { m.CommandCounter.Executing-- diff --git a/aws/resource-trusts_test.go b/aws/resource-trusts_test.go index 02d7cbcf..cfb00c32 100644 --- a/aws/resource-trusts_test.go +++ b/aws/resource-trusts_test.go @@ -46,6 +46,10 @@ func TestIsResourcePolicyInteresting(t *testing.T) { } func TestKMSResourceTrusts(t *testing.T) { + + mockedKMSClient := &sdk.MockedKMSClient{} + var kmsClient sdk.KMSClientInterface = mockedKMSClient + testCases := []struct { outputDirectory string verbosity int @@ -56,8 +60,9 @@ func TestKMSResourceTrusts(t *testing.T) { outputDirectory: ".", verbosity: 2, testModule: ResourceTrustsModule{ - KMSClient: &sdk.MockedKMSClient{}, - AWSRegions: []string{"us-west-2"}, + KMSClient: &kmsClient, + APIGatewayClient: nil, + AWSRegions: []string{"us-west-2"}, Caller: sts.GetCallerIdentityOutput{ Account: aws.String("123456789012"), Arn: aws.String("arn:aws:iam::123456789012:user/cloudfox_unit_tests"), 
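Review bot: In getAPIGatewayPoliciesPerRegion, `isInteresting` is declared once per REST API, outside the `for i, statement := range restAPIPolicy.Statement` loop, so once one statement is flagged every later statement of that policy is also sent with Interesting set to Yes; reset it at the top of the statement loop with `isInteresting = "No"`. APIs for which `sdk.IsPublicApiGateway` returns true are skipped before their policy is read and `isPublic` is never changed from "No", so REGIONAL and EDGE APIs, whose resource policies can also grant cross-account access, never appear in the report; consider analysing them too and setting `Public` from the endpoint check. The `strings.ReplaceAll` unescape rewrites every backslash-quote pair, including ones that legitimately sit inside JSON string values, which can make ParseJSONPolicy fail and drop the API with only a log line. `*restAPI.Id` and `*m.Caller.Account` are dereferenced directly while neighbouring fields use `aws.ToString`; `aws.ToString(restAPI.Id)` avoids a nil-pointer panic in the worker.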
@@ -80,7 +85,61 @@ func TestKMSResourceTrusts(t *testing.T) { t.Fatal("Resource name does not match expected value") } if expectedResource2.ARN != tc.testModule.Resources2[index].ARN { - t.Fatal("Resource ID does not match expected value") + t.Fatal("Resource ARN does not match expected value") + } + } + } +} + +func TestAPIGatewayResourceTrusts(t *testing.T) { + + mockedAPIGatewayClient := &sdk.MockedAWSAPIGatewayClient{} + var apiGatewayClient sdk.APIGatewayClientInterface = mockedAPIGatewayClient + + testCases := []struct { + outputDirectory string + verbosity int + testModule ResourceTrustsModule + expectedResult []Resource2 + }{ + { + outputDirectory: ".", + verbosity: 2, + testModule: ResourceTrustsModule{ + KMSClient: nil, + APIGatewayClient: &apiGatewayClient, + AWSRegions: []string{"us-west-2"}, + Caller: sts.GetCallerIdentityOutput{ + Account: aws.String("123456789012"), + Arn: aws.String("arn:aws:iam::123456789012:user/cloudfox_unit_tests"), + }, + Goroutines: 30, + }, + expectedResult: []Resource2{ + { + Name: "api1", + ARN: "arn:aws:execute-api:us-west-2:123456789012:abcdefg/*", + Public: "No", + Interesting: "Yes", + }, + }, + }, + } + + for _, tc := range testCases { + tc.testModule.PrintResources(tc.outputDirectory, tc.verbosity, false) + for index, expectedResource2 := range tc.expectedResult { + if expectedResource2.Name != tc.testModule.Resources2[index].Name { + t.Fatal("Resource name does not match expected value") + } + if expectedResource2.ARN != tc.testModule.Resources2[index].ARN { + t.Fatal("Resource ARN does not match expected value") + } + if expectedResource2.Public != tc.testModule.Resources2[index].Public { + t.Fatal("Resource Public does not match expected value") + } + if expectedResource2.Interesting != tc.testModule.Resources2[index].Interesting { + t.Fatal("Resource Interesting does not match expected value") } } } diff --git a/aws/sdk/apigateway.go b/aws/sdk/apigateway.go index 7ce368a3..f5e8c80d 100644 
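Review bot: TestAPIGatewayResourceTrusts indexes `tc.testModule.Resources2[index]` without first checking how many rows were produced, so a regression that emits no rows panics with an index-out-of-range instead of failing with a readable message; the existing TestKMSResourceTrusts loop has the same shape. Add `if len(tc.testModule.Resources2) < len(tc.expectedResult) { t.Fatalf("got %d resources, want at least %d", len(tc.testModule.Resources2), len(tc.expectedResult)) }` before the comparison loop. Asserting the exact count, if the mock allows it, would additionally catch rows that should have been skipped. The expected `Interesting: "Yes"` is compared with a value the module builds through `magenta("Yes")`, so the assertion presumably holds only while colour output is disabled in the test run; worth confirming.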
--- a/aws/sdk/apigateway.go +++ b/aws/sdk/apigateway.go @@ -53,7 +53,17 @@ func init() { gob.Register([]apiGatewayTypes.UsagePlanKey{}) } -// create a CachedApiGatewayGetRestAPIs function that accepts a client, account id, region. Make sure it handles caching, the region option and pagination +func IsPublicApiGateway(ra *apiGatewayTypes.RestApi) bool { + for _, endpointType := range ra.EndpointConfiguration.Types { + if endpointType == apiGatewayTypes.EndpointTypeRegional || endpointType == apiGatewayTypes.EndpointTypeEdge { + return true + } + } + + return false +} + +// CachedApiGatewayGetRestAPIs function that accepts a client, account id, region. Make sure it handles caching, the region option and pagination func CachedApiGatewayGetRestAPIs(client APIGatewayClientInterface, accountID string, region string) ([]apiGatewayTypes.RestApi, error) { var PaginationControl *string var restAPIs []apiGatewayTypes.RestApi diff --git a/aws/sdk/apigateway_mocks.go b/aws/sdk/apigateway_mocks.go index d4397c60..6981a522 100644 --- a/aws/sdk/apigateway_mocks.go +++ b/aws/sdk/apigateway_mocks.go @@ -22,6 +22,7 @@ func (m *MockedAWSAPIGatewayClient) GetRestApis(ctx context.Context, input *apig apiGatewayTypes.EndpointTypePrivate, }, }, + Policy: aws.String("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"execute-api:Invoke\",\"Resource\":\"arn:aws:execute-api:us-west-2:123456789012:abcdefg/*/*/*\"}]}"), }, { Id: aws.String("qwerty"), diff --git a/cli/aws.go b/cli/aws.go index 88522c37..e5f65cf3 100644 --- a/cli/aws.go +++ b/cli/aws.go @@ -2,6 +2,7 @@ package cli import ( "encoding/gob" + "errors" "fmt" "github.com/aws/aws-sdk-go-v2/service/kms" "log" 
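Review bot: IsPublicApiGateway reads `ra.EndpointConfiguration.Types` without checking `ra.EndpointConfiguration`, which is a pointer field in the SDK's RestApi type, so a REST API returned without an endpoint configuration would panic the caller. Guard it first with `if ra == nil || ra.EndpointConfiguration == nil { return false }`. The function is exported and has no doc comment; `// IsPublicApiGateway reports whether the REST API has a REGIONAL or EDGE endpoint type.` would also make clear that "public" here is decided by endpoint type alone, not by the resource policy.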
@@ -635,7 +636,7 @@ func FindOrgMgmtAccountAndReorderAccounts(AWSProfiles []string, version string) cacheDirectory := filepath.Join(AWSOutputDirectory, "cached-data", "aws", ptr.ToString(caller.Account)) err = internal.LoadCacheFromGobFiles(cacheDirectory) if err != nil { - if err == internal.ErrDirectoryDoesNotExist { + if errors.Is(err, internal.ErrDirectoryDoesNotExist) { fmt.Printf("[%s][%s] No cache directory for %s. Skipping loading cached data.\n", cyan(emoji.Sprintf(":fox:cloudfox v%s :fox:", version)), cyan(profile), ptr.ToString(caller.Account)) } else { fmt.Printf("[%s][%s] No cache data for %s. Error: %v\n", cyan(emoji.Sprintf(":fox:cloudfox v%s :fox:", version)), cyan(profile), ptr.ToString(caller.Account), err) 
@@ -1614,27 +1615,35 @@ func runRAMCommand(cmd *cobra.Command, args []string) { func runResourceTrustsCommand(cmd *cobra.Command, args []string) { for _, profile := range AWSProfiles { - var AWSConfig = internal.AWSConfigFileLoader(profile, cmd.Root().Version, AWSMFAToken) - caller, err := internal.AWSWhoami(profile, cmd.Root().Version, AWSMFAToken) - if err != nil { - continue - } - m := aws.ResourceTrustsModule{ - KMSClient: kms.NewFromConfig(AWSConfig), - Caller: *caller, - AWSProfileProvided: profile, - Goroutines: Goroutines, - AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), - WrapTable: AWSWrapTable, - CloudFoxVersion: cmd.Root().Version, - AWSOutputType: AWSOutputType, - AWSTableCols: AWSTableCols, - AWSConfig: AWSConfig, - } - m.PrintResources(AWSOutputDirectory, Verbosity, ResourceTrustsIncludeKms) + runResourceTrustsCommandWithProfile(cmd, args, profile) } } +func runResourceTrustsCommandWithProfile(cmd *cobra.Command, args []string, profile string) { + var AWSConfig = internal.AWSConfigFileLoader(profile, cmd.Root().Version, AWSMFAToken) + caller, err := internal.AWSWhoami(profile, cmd.Root().Version, AWSMFAToken) + var KMSClient sdk.KMSClientInterface = kms.NewFromConfig(AWSConfig) + var APIGatewayClient sdk.APIGatewayClientInterface = apigateway.NewFromConfig(AWSConfig) + + if err != nil { + return + } + m := aws.ResourceTrustsModule{ + KMSClient: &KMSClient, + APIGatewayClient: &APIGatewayClient, + Caller: *caller, + AWSProfileProvided: profile, + Goroutines: Goroutines, + AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), + WrapTable: AWSWrapTable, + CloudFoxVersion: cmd.Root().Version, + AWSOutputType: AWSOutputType, + AWSTableCols: AWSTableCols, + AWSConfig: AWSConfig, + } + m.PrintResources(AWSOutputDirectory, Verbosity, ResourceTrustsIncludeKms) +} + func runRoleTrustCommand(cmd *cobra.Command, args []string) { for _, profile := range AWSProfiles { var AWSConfig = 
internal.AWSConfigFileLoader(profile, cmd.Root().Version, AWSMFAToken) @@ -1899,7 +1908,6 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { sqsClient := sqs.NewFromConfig(AWSConfig) ssmClient := ssm.NewFromConfig(AWSConfig) stepFunctionClient := sfn.NewFromConfig(AWSConfig) - kmsClient := kms.NewFromConfig(AWSConfig) fmt.Printf("[%s] %s\n", cyan(emoji.Sprintf(":fox:cloudfox :fox:")), green("Getting a lay of the land, aka \"What regions is this account using?\"")) inventory2 := aws.Inventory2Module{ @@ -1942,14 +1950,13 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { SQSClient: sqsClient, SSMClient: ssmClient, StepFunctionClient: stepFunctionClient, - - Caller: *caller, - AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), - AWSProfile: profile, - Goroutines: Goroutines, - WrapTable: AWSWrapTable, - AWSOutputType: AWSOutputType, - AWSTableCols: AWSTableCols, + Caller: *caller, + AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), + AWSProfile: profile, + Goroutines: Goroutines, + WrapTable: AWSWrapTable, + AWSOutputType: AWSOutputType, + AWSTableCols: AWSTableCols, } inventory2.PrintInventoryPerRegion(AWSOutputDirectory, Verbosity) @@ -1994,11 +2001,10 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { instances.Instances(InstancesFilter, AWSOutputDirectory, Verbosity) route53 := aws.Route53Module{ Route53Client: route53Client, - - Caller: *caller, - AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), - AWSProfile: profile, - Goroutines: Goroutines, + Caller: *caller, + AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), + AWSProfile: profile, + Goroutines: Goroutines, } lambdasMod := aws.LambdasModule{ 
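Review bot: The ResourceTrustsModule literal in runResourceTrustsCommandWithProfile has no `AWSMFAToken` field, while the block it replaces in runAllChecksCommand (the `@@ -2274,20 +2270,7 @@` hunk) set `AWSMFAToken: AWSMFAToken`. If the module uses that field when it builds per-service clients, all-checks runs on MFA-protected profiles may lose resource-trust coverage; add `AWSMFAToken: AWSMFAToken,` to the literal. The `err` from AWSWhoami is checked only after both SDK clients are constructed, and the failure path returns without a message, so a profile that cannot authenticate is skipped silently. Move the `if err != nil` check directly under the AWSWhoami call and report the skipped profile.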
@@ -2032,7 +2038,6 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { filesystems.PrintFilesystems(AWSOutputDirectory, Verbosity) endpoints := aws.EndpointsModule{ - EKSClient: eksClient, S3Client: s3Client, LambdaClient: lambdaClient, @@ -2048,14 +2053,13 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { CloudfrontClient: cloudfrontClient, AppRunnerClient: appRunnerClient, LightsailClient: lightsailClient, - - Caller: *caller, - AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), - AWSProfile: profile, - Goroutines: Goroutines, - WrapTable: AWSWrapTable, - AWSOutputType: AWSOutputType, - AWSTableCols: AWSTableCols, + Caller: *caller, + AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), + AWSProfile: profile, + Goroutines: Goroutines, + WrapTable: AWSWrapTable, + AWSOutputType: AWSOutputType, + AWSTableCols: AWSTableCols, } endpoints.PrintEndpoints(AWSOutputDirectory, Verbosity) @@ -2063,12 +2067,11 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { gateways := aws.ApiGwModule{ APIGatewayv2Client: apiGatewayv2Client, APIGatewayClient: apiGatewayClient, - - Caller: *caller, - AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), - AWSProfile: profile, - Goroutines: Goroutines, - WrapTable: AWSWrapTable, + Caller: *caller, + AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), + AWSProfile: profile, + Goroutines: Goroutines, + WrapTable: AWSWrapTable, } gateways.PrintApiGws(AWSOutputDirectory, Verbosity) 
@@ -2089,10 +2092,9 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { databases.PrintDatabases(AWSOutputDirectory, Verbosity) ecstasks := aws.ECSTasksModule{ - EC2Client: ec2Client, - ECSClient: ecsClient, - IAMClient: iamClient, - + EC2Client: ec2Client, + ECSClient: ecsClient, + IAMClient: iamClient, Caller: *caller, AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), AWSProfile: profile, @@ -2106,9 +2108,8 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { ecstasks.ECSTasks(AWSOutputDirectory, Verbosity) eksCommand := aws.EKSModule{ - EKSClient: eksClient, - IAMClient: iamClient, - + EKSClient: eksClient, + IAMClient: iamClient, Caller: *caller, AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), AWSProfile: profile, @@ -2136,11 +2137,10 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { fmt.Printf("[%s] %s\n", cyan(emoji.Sprintf(":fox:cloudfox :fox:")), green("Looking for secrets hidden between the seat cushions.")) ec2UserData := aws.InstancesModule{ - EC2Client: ec2Client, - IAMClient: iamClient, - Caller: *caller, - AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), - + EC2Client: ec2Client, + IAMClient: iamClient, + Caller: *caller, + AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), UserDataAttributesOnly: true, AWSProfile: profile, Goroutines: Goroutines, @@ -2150,7 +2150,6 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { } ec2UserData.Instances(InstancesFilter, AWSOutputDirectory, Verbosity) envsMod := aws.EnvsModule{ - Caller: *caller, AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), AWSProfile: profile, 
@@ -2216,14 +2215,13 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { secrets := aws.SecretsModule{ SecretsManagerClient: secretsManagerClient, SSMClient: ssmClient, - - Caller: *caller, - AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), - AWSProfile: profile, - Goroutines: Goroutines, - WrapTable: AWSWrapTable, - AWSOutputType: AWSOutputType, - AWSTableCols: AWSTableCols, + Caller: *caller, + AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), + AWSProfile: profile, + Goroutines: Goroutines, + WrapTable: AWSWrapTable, + AWSOutputType: AWSOutputType, + AWSTableCols: AWSTableCols, } secrets.PrintSecrets(AWSOutputDirectory, Verbosity) @@ -2257,10 +2255,8 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { networkPorts.PrintNetworkPorts(AWSOutputDirectory) sqsMod := aws.SQSModule{ - SQSClient: sqsClient, - + SQSClient: sqsClient, StorePolicies: StoreSQSAccessPolicies, - Caller: *caller, AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), AWSProfile: profile, 
@@ -2274,20 +2270,7 @@ func runAllChecksCommand(cmd *cobra.Command, args []string) { cloudFoxSNSClient := aws.InitCloudFoxSNSClient(*caller, profile, cmd.Root().Version, Goroutines, AWSWrapTable, AWSMFAToken) cloudFoxSNSClient.PrintSNS(AWSOutputDirectory, Verbosity) - resourceTrustsCommand := aws.ResourceTrustsModule{ - KMSClient: kmsClient, - Caller: *caller, - AWSProfileProvided: profile, - Goroutines: Goroutines, - AWSRegions: internal.GetEnabledRegions(profile, cmd.Root().Version, AWSMFAToken), - WrapTable: AWSWrapTable, - CloudFoxVersion: cmd.Root().Version, - AWSOutputType: AWSOutputType, - AWSTableCols: AWSTableCols, - AWSMFAToken: AWSMFAToken, - AWSConfig: AWSConfig, - } - resourceTrustsCommand.PrintResources(AWSOutputDirectory, Verbosity, ResourceTrustsIncludeKms) + runResourceTrustsCommandWithProfile(cmd, args, profile) codeBuildCommand := aws.CodeBuildModule{ CodeBuildClient: codeBuildClient,