Creating and Using an Exceptions File
In addition to supporting custom rules and custom rulesets, Scout Suite lets users flag specific resources as exceptions to a rule. For example, you may want to mark the S3 bucket that receives S3 access logs as an exception to the rule that flags S3 buckets without access logging enabled (the logging target bucket typically should not log to itself). This wiki page shows how to generate a list of exceptions from the report and use it when running the Scout Suite analysis.
The Scout Suite HTML report is the UI that may be used to create a list of exceptions. The following screenshot is from the IAM dashboard in an AWS account:
In this example, we will mark the first finding as an exception.
The first step is to click on this dashboard element to display the list of resources flagged by the rule. In this case, two roles are not compliant:
We will exclude the second one (test-role). After clicking on the trust policy details, we see that the flagged statement is highlighted:
Clicking on the element highlighted in red will cause a JavaScript box to be displayed, asking whether this resource should be added to the list of exceptions for this particular rule:
Clicking on the "OK" button updates the list of exceptions held in the browser; however, the Scout Suite results themselves have not been updated at this point. To take the list of exceptions into account, you must first click on the "Help" drop-down menu and select the "Export Exceptions" option.
This will make the browser download the exceptions file.
Once the exceptions file has been generated and downloaded, you can provide it to Scout Suite. To update the report, you need to re-run Scout Suite. Because all the configuration has already been fetched, there is no need to re-run a full scan; a local run may be performed with the following command:
$ python scout.py aws --profile <profile-name> --local --exceptions /path/to/exceptions.json --no-browser
The --no-browser option is optional; it means that Scout Suite will not open the report in a new browser window. If you use it, you then need to refresh the Scout Suite report in your browser yourself. When navigating to the resources affected by the IAM issue, you will be able to confirm that the list of exceptions has been taken into account:
Note that, from here, if you choose to export a new list of exceptions, the file you generate will include the exceptions used during the last run as well as the exceptions just set in the UI. In other words, each export is cumulative, so it is worth diffing the new file against the one you committed previously before replacing it.
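Because each export is cumulative, a practitioner will usually want to check what changed between the exceptions file used for the last run and the newly exported one before committing it. The script below is an added example for that review step; it is not code from the Scout Suite project or from this wiki page. It assumes only that the export is a JSON document whose leaves are lists of resource paths; the nesting shown in the constructed sample data (service, then rule key, then a list of resource paths) and the rule keys and resource names used there are assumptions, not values taken from Scout Suite.

```python
"""Diff two Scout Suite exceptions exports before committing the new one.

Added example, not project code. The sample documents below are constructed;
their nesting (service -> rule key -> list of resource paths) and the rule
keys and resource names are assumptions about the export format. The differ
itself only relies on the file being JSON whose leaves are lists, so it still
works if the real nesting depth differs.
"""
import json

# Constructed sample: the exceptions file used during the previous run.
OLD_EXPORT = json.dumps({
    "iam": {
        "rule-a": ["iam.roles.role-one"],
    }
})

# Constructed sample: the file exported after adding "test-role" in the UI
# and one S3 exception. It still contains the previous entry (cumulative).
NEW_EXPORT = json.dumps({
    "iam": {
        "rule-a": ["iam.roles.role-one", "iam.roles.test-role"],
    },
    "s3": {
        "rule-b": ["s3.buckets.logs-bucket"],
    },
})

# Constructed sample: an export from which a previous exception was dropped,
# e.g. a hand-edited file. check_superset() should reject this one.
TRIMMED_EXPORT = json.dumps({
    "iam": {
        "rule-a": ["iam.roles.test-role"],
    }
})


def flatten(node, prefix=()):
    """Yield (key_path, leaf) pairs for every list element in a nested dict.

    key_path is the tuple of dict keys leading to the list; leaf is one
    entry of that list as a string. Scalars where a list was expected are
    treated as a single entry so nothing is silently skipped.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, prefix + (key,))
    elif isinstance(node, list):
        for leaf in node:
            yield prefix, str(leaf)
    else:
        yield prefix, str(node)


def exception_set(text):
    """Parse an exceptions export and return its entries as a set."""
    return set(flatten(json.loads(text)))


def diff_exceptions(old_text, new_text):
    """Return the entries added and removed between two exports.

    Each entry is (key_path, resource_path); results are sorted so the
    output is stable enough to paste into a change request.
    """
    old, new = exception_set(old_text), exception_set(new_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def check_superset(old_text, new_text):
    """True when the new export still carries every previously used exception.

    A cumulative export should never remove entries; a removal means the
    file was edited by hand or exported from a report that was run without
    the previous exceptions file.
    """
    return not diff_exceptions(old_text, new_text)["removed"]


if __name__ == "__main__":
    for label, candidate in (("new", NEW_EXPORT), ("trimmed", TRIMMED_EXPORT)):
        delta = diff_exceptions(OLD_EXPORT, candidate)
        print(f"[{label}] superset of previous run: {check_superset(OLD_EXPORT, candidate)}")
        for path, resource in delta["added"]:
            print(f"  + {'/'.join(path)}: {resource}")
        for path, resource in delta["removed"]:
            print(f"  - {'/'.join(path)}: {resource}")
```

Run it against the file passed with --exceptions on the last run and the file the browser just downloaded; anything under "removed" means the new file is not a pure superset and deserves a second look before it replaces the committed one.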