aws_recon 0.2.10 → 0.2.15
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/docker-build.yml +38 -0
- data/.github/workflows/smoke-test.yml +23 -0
- data/Dockerfile +2 -1
- data/aws_recon.gemspec +1 -0
- data/lib/aws_recon/collectors/accessanalyzer.rb +24 -0
- data/lib/aws_recon/collectors/cloudtrail.rb +1 -0
- data/lib/aws_recon/collectors/ec2.rb +12 -0
- data/lib/aws_recon/collectors/iam.rb +18 -0
- data/lib/aws_recon/options.rb +7 -0
- data/lib/aws_recon/services.yaml +2 -0
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +2 -0
- metadata +19 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c474979fa320276fa9605cf6e13fea26096c4cbb115a3287ffc9faae644cbd63
|
4
|
+
data.tar.gz: fad3786ed1a152f2437eafd33481cf4183b8453bcedfe7e2132b8a62ac37f552
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 51f4c2a2c33aff53a81bb36b757602080612bd6d304284d9439d4c4fa505a385de2194526056efb07286418fecf9520e965fb780f800a402071a7746d9f093f7
|
7
|
+
data.tar.gz: d45f606a06b3a9044ead0e1b2a7338107fe37a7eb7aeb81562b08783c815520426b96136e2566fe1e44ca5713fa3979ae25de999f2f8b06e8ed22af2d3e56915
|
@@ -0,0 +1,38 @@
|
|
1
|
+
name: docker-build
|
2
|
+
|
3
|
+
on:
|
4
|
+
push:
|
5
|
+
branches: build
|
6
|
+
paths:
|
7
|
+
- 'lib/aws_recon/version.rb'
|
8
|
+
|
9
|
+
jobs:
|
10
|
+
docker-build:
|
11
|
+
runs-on: ubuntu-20.04
|
12
|
+
steps:
|
13
|
+
- name: Checkout
|
14
|
+
uses: actions/checkout@v2
|
15
|
+
with:
|
16
|
+
fetch-depth: 1
|
17
|
+
- name: Set up QEMU
|
18
|
+
uses: docker/setup-qemu-action@v1
|
19
|
+
- name: Set up Docker Buildx
|
20
|
+
uses: docker/setup-buildx-action@v1
|
21
|
+
- name: Login to DockerHub
|
22
|
+
uses: docker/login-action@v1
|
23
|
+
with:
|
24
|
+
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
25
|
+
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
26
|
+
- name: Set version tag
|
27
|
+
run: |
|
28
|
+
echo "VERSION_TAG=$(grep VERSION lib/aws_recon/version.rb | awk -F\" '{print $2}')" >> $GITHUB_ENV
|
29
|
+
- name: Build and push
|
30
|
+
id: docker_build
|
31
|
+
uses: docker/build-push-action@v2
|
32
|
+
with:
|
33
|
+
push: true
|
34
|
+
build-args: |
|
35
|
+
VERSION=${{ env.VERSION_TAG }}
|
36
|
+
tags: |
|
37
|
+
darkbitio/aws_recon:${{ env.VERSION_TAG }}
|
38
|
+
darkbitio/aws_recon:latest
|
@@ -0,0 +1,23 @@
|
|
1
|
+
name: smoke-test
|
2
|
+
|
3
|
+
on:
|
4
|
+
push:
|
5
|
+
branches: main
|
6
|
+
|
7
|
+
jobs:
|
8
|
+
smoke-test:
|
9
|
+
runs-on: ubuntu-20.04
|
10
|
+
steps:
|
11
|
+
- name: Checkout
|
12
|
+
uses: actions/checkout@v2
|
13
|
+
with:
|
14
|
+
fetch-depth: 1
|
15
|
+
- name: Set version tag
|
16
|
+
run: |
|
17
|
+
echo "VERSION_TAG=$(grep VERSION lib/aws_recon/version.rb | awk -F\" '{print $2}')" >> $GITHUB_ENV
|
18
|
+
- name: Smoke Test :${{ env.VERSION_TAG }}
|
19
|
+
run: |
|
20
|
+
docker run -t --rm darkbitio/aws_recon:${{ env.VERSION_TAG }} aws_recon
|
21
|
+
- name: Smoke Test :latest
|
22
|
+
run: |
|
23
|
+
docker run -t --rm darkbitio/aws_recon:latest aws_recon
|
data/Dockerfile
CHANGED
@@ -3,9 +3,10 @@ FROM ruby:${RUBY_VERSION}-alpine
|
|
3
3
|
|
4
4
|
LABEL maintainer="Darkbit <info@darkbit.io>"
|
5
5
|
|
6
|
+
# Supply AWS Recon version at build time
|
7
|
+
ARG VERSION
|
6
8
|
ARG USER=recon
|
7
9
|
ARG GEM=aws_recon
|
8
|
-
ARG VERSION=0.2.9
|
9
10
|
ARG BUNDLER_VERSION=2.1.4
|
10
11
|
|
11
12
|
# Install new Bundler version
|
data/aws_recon.gemspec
CHANGED
@@ -33,4 +33,5 @@ Gem::Specification.new do |spec|
|
|
33
33
|
spec.add_development_dependency 'solargraph', '~> 0.39.11'
|
34
34
|
spec.add_development_dependency 'rubocop', '~> 0.87.1'
|
35
35
|
spec.add_development_dependency 'pry', '~> 0.13.1'
|
36
|
+
spec.add_development_dependency 'byebug', '~> 11.1'
|
36
37
|
end
|
@@ -0,0 +1,24 @@
|
|
1
|
+
class AccessAnalyzer < Mapper
|
2
|
+
#
|
3
|
+
# Returns an array of resources.
|
4
|
+
#
|
5
|
+
def collect
|
6
|
+
resources = []
|
7
|
+
|
8
|
+
#
|
9
|
+
# list_analyzers
|
10
|
+
#
|
11
|
+
@client.list_analyzers.each_with_index do |response, page|
|
12
|
+
log(response.context.operation_name, page)
|
13
|
+
|
14
|
+
# analyzers
|
15
|
+
response.analyzers.each do |analyzer|
|
16
|
+
struct = OpenStruct.new(analyzer.to_h)
|
17
|
+
struct.type = 'analyzer'
|
18
|
+
resources.push(struct.to_h)
|
19
|
+
end
|
20
|
+
end
|
21
|
+
|
22
|
+
resources
|
23
|
+
end
|
24
|
+
end
|
@@ -21,6 +21,7 @@ class CloudTrail < Mapper
|
|
21
21
|
struct = OpenStruct.new(trail.to_h)
|
22
22
|
struct.tags = client.list_tags({ resource_id_list: [trail.trail_arn] }).resource_tag_list.first.tags_list
|
23
23
|
struct.type = 'cloud_trail'
|
24
|
+
struct.event_selectors = client.get_event_selectors({ trail_name: trail.name }).to_h
|
24
25
|
struct.status = client.get_trail_status({ name: trail.name }).to_h
|
25
26
|
struct.arn = trail.trail_arn
|
26
27
|
|
@@ -31,6 +31,18 @@ class EC2 < Mapper
|
|
31
31
|
|
32
32
|
# regional calls
|
33
33
|
if @region != 'global'
|
34
|
+
#
|
35
|
+
# get_ebs_encryption_by_default
|
36
|
+
#
|
37
|
+
@client.get_ebs_encryption_by_default.each do |response|
|
38
|
+
log(response.context.operation_name)
|
39
|
+
|
40
|
+
struct = OpenStruct.new(response.to_h)
|
41
|
+
struct.type = 'ebs_encryption_settings'
|
42
|
+
|
43
|
+
resources.push(struct.to_h)
|
44
|
+
end
|
45
|
+
|
34
46
|
#
|
35
47
|
# describe_instances
|
36
48
|
#
|
@@ -142,6 +142,24 @@ class IAM < Mapper
|
|
142
142
|
end
|
143
143
|
end
|
144
144
|
|
145
|
+
#
|
146
|
+
# generate_credential_report
|
147
|
+
#
|
148
|
+
unless @options.skip_credential_report
|
149
|
+
status = 'STARTED'
|
150
|
+
interval = 5
|
151
|
+
|
152
|
+
# wait for report to generate
|
153
|
+
while status != 'COMPLETE'
|
154
|
+
@client.generate_credential_report.each do |response|
|
155
|
+
log(response.context.operation_name)
|
156
|
+
status = response.state
|
157
|
+
end
|
158
|
+
|
159
|
+
sleep interval unless status == 'COMPLETE'
|
160
|
+
end
|
161
|
+
end
|
162
|
+
|
145
163
|
#
|
146
164
|
# get_credential_report
|
147
165
|
#
|
data/lib/aws_recon/options.rb
CHANGED
@@ -17,6 +17,7 @@ class Parser
|
|
17
17
|
:threads,
|
18
18
|
:collect_user_data,
|
19
19
|
:skip_slow,
|
20
|
+
:skip_credential_report,
|
20
21
|
:stream_output,
|
21
22
|
:verbose,
|
22
23
|
:debug
|
@@ -45,6 +46,7 @@ class Parser
|
|
45
46
|
false,
|
46
47
|
false,
|
47
48
|
false,
|
49
|
+
false,
|
48
50
|
false
|
49
51
|
)
|
50
52
|
|
@@ -115,6 +117,11 @@ class Parser
|
|
115
117
|
args.skip_slow = true
|
116
118
|
end
|
117
119
|
|
120
|
+
# skip generating IAM credential report
|
121
|
+
opts.on('-g', '--skip-credential-report', 'Skip generating IAM credential report (default: false)') do
|
122
|
+
args.skip_credential_report = true
|
123
|
+
end
|
124
|
+
|
118
125
|
# stream output (forces JSON lines, doesn't output handled warnings or errors )
|
119
126
|
opts.on('-j', '--stream-output', 'Stream JSON lines to stdout (default: false)') do
|
120
127
|
args.output_file = nil
|
data/lib/aws_recon/services.yaml
CHANGED
data/lib/aws_recon/version.rb
CHANGED
data/readme.md
CHANGED
@@ -1,3 +1,4 @@
|
|
1
|
+
![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)
|
1
2
|
[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
|
2
3
|
|
3
4
|
# AWS Recon
|
@@ -221,6 +222,7 @@ Current "coverage" by service is listed below. The services without coverage wil
|
|
221
222
|
|
222
223
|
AWS Recon aims to collect all resources and metadata that are relevant in determining the security posture of your AWS account(s). However, it does not actually examine the resources for security posture - that is the job of other tools that take the output of AWS Recon as input.
|
223
224
|
|
225
|
+
- [x] AccessAnalyzer
|
224
226
|
- [x] AdvancedShield
|
225
227
|
- [x] Athena
|
226
228
|
- [x] GuardDuty
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws_recon
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.15
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Josh Larsen
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2020-11-
|
12
|
+
date: 2020-11-18 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: aws-sdk
|
@@ -137,6 +137,20 @@ dependencies:
|
|
137
137
|
- - "~>"
|
138
138
|
- !ruby/object:Gem::Version
|
139
139
|
version: 0.13.1
|
140
|
+
- !ruby/object:Gem::Dependency
|
141
|
+
name: byebug
|
142
|
+
requirement: !ruby/object:Gem::Requirement
|
143
|
+
requirements:
|
144
|
+
- - "~>"
|
145
|
+
- !ruby/object:Gem::Version
|
146
|
+
version: '11.1'
|
147
|
+
type: :development
|
148
|
+
prerelease: false
|
149
|
+
version_requirements: !ruby/object:Gem::Requirement
|
150
|
+
requirements:
|
151
|
+
- - "~>"
|
152
|
+
- !ruby/object:Gem::Version
|
153
|
+
version: '11.1'
|
140
154
|
description: AWS Recon is a command line tool to collect resources from an Amazon
|
141
155
|
Web Services (AWS) account. The tool outputs JSON suitable for processing with other
|
142
156
|
tools.
|
@@ -149,6 +163,8 @@ extensions: []
|
|
149
163
|
extra_rdoc_files: []
|
150
164
|
files:
|
151
165
|
- ".github/stale.yml"
|
166
|
+
- ".github/workflows/docker-build.yml"
|
167
|
+
- ".github/workflows/smoke-test.yml"
|
152
168
|
- ".gitignore"
|
153
169
|
- ".rubocop.yml"
|
154
170
|
- ".travis.yml"
|
@@ -164,6 +180,7 @@ files:
|
|
164
180
|
- lib/aws_recon.rb
|
165
181
|
- lib/aws_recon/aws_recon.rb
|
166
182
|
- lib/aws_recon/collectors.rb
|
183
|
+
- lib/aws_recon/collectors/accessanalyzer.rb
|
167
184
|
- lib/aws_recon/collectors/acm.rb
|
168
185
|
- lib/aws_recon/collectors/apigateway.rb
|
169
186
|
- lib/aws_recon/collectors/apigatewayv2.rb
|