aws_recon 0.2.10 → 0.2.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9ed0fd50b4c2a0542194d2844f4e95c98e2f09ce3802878c0463f78cec8a8f92
-  data.tar.gz: 5112bb3ec8e07f61a4ba0f673044486f8423fb61710893650c11cc0e793bd9e1
+  metadata.gz: c474979fa320276fa9605cf6e13fea26096c4cbb115a3287ffc9faae644cbd63
+  data.tar.gz: fad3786ed1a152f2437eafd33481cf4183b8453bcedfe7e2132b8a62ac37f552
 SHA512:
-  metadata.gz: 2dc80a5605f4c8673efb9f026e7485a66f7d190fb57e9eb636fd67a8e31db39b857f1d2045b9e56b9ced86dd31f186290f94eac2ef87de3671e4709e604a2d20
-  data.tar.gz: a045657734baf60b898d8f78dc94eef3ae69645fcccae85288beddfb2cd46ed1d330edc773fd88e058b1ddaf5031e939df36523398c8b3cc8cdf42e17cb74e64
+  metadata.gz: 51f4c2a2c33aff53a81bb36b757602080612bd6d304284d9439d4c4fa505a385de2194526056efb07286418fecf9520e965fb780f800a402071a7746d9f093f7
+  data.tar.gz: d45f606a06b3a9044ead0e1b2a7338107fe37a7eb7aeb81562b08783c815520426b96136e2566fe1e44ca5713fa3979ae25de999f2f8b06e8ed22af2d3e56915

data/.github/workflows/docker-build.yml

@@ -0,0 +1,38 @@
+name: docker-build
+
+on:
+  push:
+    branches: build
+    paths:
+      - 'lib/aws_recon/version.rb'
+
+jobs:
+  docker-build:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set version tag
+        run: |
+          echo "VERSION_TAG=$(grep VERSION lib/aws_recon/version.rb | awk -F\" '{print $2}')" >> $GITHUB_ENV
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          build-args: |
+            VERSION=${{ env.VERSION_TAG }}
+          tags: |
+            darkbitio/aws_recon:${{ env.VERSION_TAG }}
+            darkbitio/aws_recon:latest

data/.github/workflows/smoke-test.yml

@@ -0,0 +1,23 @@
+name: smoke-test
+
+on:
+  push:
+    branches: main
+
+jobs:
+  smoke-test:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
+      - name: Set version tag
+        run: |
+          echo "VERSION_TAG=$(grep VERSION lib/aws_recon/version.rb | awk -F\" '{print $2}')" >> $GITHUB_ENV
+      - name: Smoke Test :${{ env.VERSION_TAG }}
+        run: |
+          docker run -t --rm darkbitio/aws_recon:${{ env.VERSION_TAG }} aws_recon
+      - name: Smoke Test :latest
+        run: |
+          docker run -t --rm darkbitio/aws_recon:latest aws_recon

data/Dockerfile

@@ -3,9 +3,10 @@ FROM ruby:${RUBY_VERSION}-alpine
 
 LABEL maintainer="Darkbit <info@darkbit.io>"
 
+# Supply AWS Recon version at build time
+ARG VERSION
 ARG USER=recon
 ARG GEM=aws_recon
-ARG VERSION=0.2.9
 ARG BUNDLER_VERSION=2.1.4
 
 # Install new Bundler version

data/aws_recon.gemspec

@@ -33,4 +33,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'solargraph', '~> 0.39.11'
   spec.add_development_dependency 'rubocop', '~> 0.87.1'
   spec.add_development_dependency 'pry', '~> 0.13.1'
+  spec.add_development_dependency 'byebug', '~> 11.1'
 end

data/lib/aws_recon/collectors/accessanalyzer.rb

@@ -0,0 +1,24 @@
+class AccessAnalyzer < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # list_analyzers
+    #
+    @client.list_analyzers.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      # analyzers
+      response.analyzers.each do |analyzer|
+        struct = OpenStruct.new(analyzer.to_h)
+        struct.type = 'analyzer'
+        resources.push(struct.to_h)
+      end
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/cloudtrail.rb

@@ -21,6 +21,7 @@ class CloudTrail < Mapper
         struct = OpenStruct.new(trail.to_h)
         struct.tags = client.list_tags({ resource_id_list: [trail.trail_arn] }).resource_tag_list.first.tags_list
         struct.type = 'cloud_trail'
+        struct.event_selectors = client.get_event_selectors({ trail_name: trail.name }).to_h
         struct.status = client.get_trail_status({ name: trail.name }).to_h
         struct.arn = trail.trail_arn
 

data/lib/aws_recon/collectors/ec2.rb

@@ -31,6 +31,18 @@ class EC2 < Mapper
 
     # regional calls
     if @region != 'global'
+      #
+      # get_ebs_encryption_by_default
+      #
+      @client.get_ebs_encryption_by_default.each do |response|
+        log(response.context.operation_name)
+
+        struct = OpenStruct.new(response.to_h)
+        struct.type = 'ebs_encryption_settings'
+
+        resources.push(struct.to_h)
+      end
+
       #
       # describe_instances
       #

data/lib/aws_recon/collectors/iam.rb

@@ -142,6 +142,24 @@ class IAM < Mapper
       end
     end
 
+    #
+    # generate_credential_report
+    #
+    unless @options.skip_credential_report
+      status = 'STARTED'
+      interval = 5
+
+      # wait for report to generate
+      while status != 'COMPLETE'
+        @client.generate_credential_report.each do |response|
+          log(response.context.operation_name)
+          status = response.state
+        end
+
+        sleep interval unless status == 'COMPLETE'
+      end
+    end
+
     #
     # get_credential_report
     #

data/lib/aws_recon/options.rb

@@ -17,6 +17,7 @@ class Parser
     :threads,
     :collect_user_data,
     :skip_slow,
+    :skip_credential_report,
     :stream_output,
     :verbose,
     :debug
@@ -45,6 +46,7 @@ class Parser
       false,
       false,
       false,
+      false,
       false
     )
 
@@ -115,6 +117,11 @@ class Parser
         args.skip_slow = true
       end
 
+      # skip generating IAM credential report
+      opts.on('-g', '--skip-credential-report', 'Skip generating IAM credential report (default: false)') do
+        args.skip_credential_report = true
+      end
+
       # stream output (forces JSON lines, doesn't output handled warnings or errors )
       opts.on('-j', '--stream-output', 'Stream JSON lines to stdout (default: false)') do
         args.output_file = nil

data/lib/aws_recon/services.yaml

@@ -2,6 +2,8 @@
 - name: Organizations
   global: true
   alias: organizations
+- name: AccessAnalyzer
+  alias: aa
 - name: ConfigService
   alias: config
 - name: CodeBuild

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.2.10"
+  VERSION = "0.2.15"
 end

data/readme.md

@@ -1,3 +1,4 @@
+![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)
 [![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
 
 # AWS Recon
@@ -221,6 +222,7 @@ Current "coverage" by service is listed below. The services without coverage wil
 
 AWS Recon aims to collect all resources and metadata that are relevant in determining the security posture of your AWS account(s). However, it does not actually examine the resources for security posture - that is the job of other tools that take the output of AWS Recon as input.
 
+- [x] AccessAnalyzer
 - [x] AdvancedShield
 - [x] Athena
 - [x] GuardDuty

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.2.10
+  version: 0.2.15
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-16 00:00:00.000000000 Z
+date: 2020-11-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -137,6 +137,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.13.1
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
 description: AWS Recon is a command line tool to collect resources from an Amazon
   Web Services (AWS) account. The tool outputs JSON suitable for processing with other
   tools.
@@ -149,6 +163,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".github/stale.yml"
+- ".github/workflows/docker-build.yml"
+- ".github/workflows/smoke-test.yml"
 - ".gitignore"
 - ".rubocop.yml"
 - ".travis.yml"
@@ -164,6 +180,7 @@ files:
 - lib/aws_recon.rb
 - lib/aws_recon/aws_recon.rb
 - lib/aws_recon/collectors.rb
+- lib/aws_recon/collectors/accessanalyzer.rb
 - lib/aws_recon/collectors/acm.rb
 - lib/aws_recon/collectors/apigateway.rb
 - lib/aws_recon/collectors/apigatewayv2.rb