aws_recon 0.2.14 → 0.2.19

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9a778dc405cb41606bd79f7f49fb40f71ac1ad403084a3708bd7910ae60904c1
4
- data.tar.gz: d719d81f1b14c208f3b182054408ffc4cd1b6a808806fae15e33ee2dfb569b9e
3
+ metadata.gz: aceb7412370bc6945f910f6579dcc9f7a188070fd35f7ec3325300d544f01d12
4
+ data.tar.gz: f35b334bead563849a2a1bce8623076c7d23237c21eb85409b7371d93ebc9f9d
5
5
  SHA512:
6
- metadata.gz: 52809bcee06bcf81182ce52ac4e8acfcef5a77cb21ec2fd1c82b2fbfd16b704b63f1381c1fb43fb116e94711a541e39286a635e736faf2d1a34ff71c3ae65984
7
- data.tar.gz: 14781d182dae5b639863a1b2ec388358a04e86d8bc4680faa30494057d6941f3b8fe821021dfdc2f88100db49bd5ad634885bed670920e1498e8d7d0f9567b5c
6
+ metadata.gz: 9f31da81396ac07fee4d331a05cbe5706fde48bc9c0617a5bc5640c61e68b56f499b4be8b659d6cdf61335665c898f638f20380968df68ad536c5114966d25bd
7
+ data.tar.gz: 958d528054caefa1c8d3e9b7d2a005f52ddaeaa0b89d566e5a3fddcfb81300e497a40e3fab039656fa2dc091d89d15535d76b863f4ded6c133118aea2fc59df9
@@ -3,6 +3,9 @@
3
3
  module AwsRecon
4
4
  end
5
5
 
6
+ require 'aws_recon/lib/patch.rb'
7
+ String.include PolicyStringParser
8
+
6
9
  require 'parallel'
7
10
  require 'ostruct'
8
11
  require 'optparse'
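Review bot: `String.include PolicyStringParser` adds `parse_policy` to every String in the host process, which is more than the collectors need and can collide with another library's method of the same name whenever aws_recon is loaded as a library rather than run as a CLI. A refinement (`refine String do ... end` plus `using` in the collector files) or a plain module function such as `AwsRecon.parse_policy(str)` gives the same convenience without the global patch. The helper also depends on `JSON` and `CGI` being loaded; the `require` lines for those are not in this hunk, so they presumably appear further down the list — worth confirming, because `require 'aws_recon/lib/patch.rb'` is now evaluated before the rest of the requires.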
@@ -0,0 +1,25 @@
1
+ class ApplicationAutoScaling < Mapper
2
+ #
3
+ # Returns an array of resources.
4
+ #
5
+ def collect
6
+ resources = []
7
+
8
+ #
9
+ # DynamoDB auto-scaling policies
10
+ #
11
+ @client.describe_scaling_policies({ service_namespace: 'dynamodb' }).each_with_index do |response, page|
12
+ log(response.context.operation_name, page)
13
+
14
+ response.scaling_policies.each do |policy|
15
+ struct = OpenStruct.new(policy.to_h)
16
+ struct.type = 'auto_scaling_policy'
17
+ struct.arn = policy.policy_arn
18
+
19
+ resources.push(struct.to_h)
20
+ end
21
+ end
22
+
23
+ resources
24
+ end
25
+ end
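Review bot: `describe_scaling_policies` is called for the `dynamodb` namespace only, so scaling policies for ECS services, Aurora, Lambda provisioned concurrency, SageMaker endpoints and the other Application Auto Scaling targets are never collected, although the generic `auto_scaling_policy` type and the service name suggest full coverage. The API takes exactly one namespace per call, so the fix is a loop over the known namespaces; the rewrite below leaves the struct building unchanged. Scalable targets (`describe_scalable_targets`), which carry min/max capacity and the IAM role the service assumes, are not collected either and would be a natural follow-up.

```ruby
class ApplicationAutoScaling < Mapper
  # Every namespace the Application Auto Scaling API accepts; it takes
  # exactly one per describe call, so each must be queried in turn.
  SERVICE_NAMESPACES = %w[
    ecs elasticmapreduce ec2 appstream dynamodb rds
    sagemaker custom-resource comprehend lambda cassandra kafka
  ].freeze

  #
  # Returns an array of resources.
  #
  def collect
    resources = []

    SERVICE_NAMESPACES.each do |namespace|
      @client.describe_scaling_policies({ service_namespace: namespace }).each_with_index do |response, page|
        log(response.context.operation_name, page)
        # … unchanged: build struct per policy, type 'auto_scaling_policy', push to resources …
      end
    end

    resources
  end
end
```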
@@ -21,6 +21,7 @@ class CloudTrail < Mapper
21
21
  struct = OpenStruct.new(trail.to_h)
22
22
  struct.tags = client.list_tags({ resource_id_list: [trail.trail_arn] }).resource_tag_list.first.tags_list
23
23
  struct.type = 'cloud_trail'
24
+ struct.event_selectors = client.get_event_selectors({ trail_name: trail.name }).to_h
24
25
  struct.status = client.get_trail_status({ name: trail.name }).to_h
25
26
  struct.arn = trail.trail_arn
26
27
 
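Review bot: `get_event_selectors({ trail_name: trail.name })` passes the bare trail name, which the API rejects for a trail homed in another region; `describe_trails` returns such shadow trails by default unless `include_shadow_trails: false` is passed above this hunk, and the existing `get_trail_status({ name: trail.name })` on the next line has the same exposure, so if the caller has not filtered them this call will raise for multi-region trails. The ARN is accepted in both cases: `struct.event_selectors = client.get_event_selectors({ trail_name: trail.trail_arn }).to_h`. A short comment would also help consumers, since this field is what says whether S3/Lambda data events and read-only versus write events are logged: `# event selectors decide which management/data events the trail records`. The enclosing `each` block starts and ends outside the hunk.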
@@ -5,6 +5,19 @@ class DynamoDB < Mapper
5
5
  def collect
6
6
  resources = []
7
7
 
8
+ #
9
+ # describe_limits
10
+ #
11
+ @client.describe_limits.each_with_index do |response, page|
12
+ log(response.context.operation_name, page)
13
+
14
+ struct = OpenStruct.new(response)
15
+ struct.type = 'limits'
16
+ struct.arn = "arn:aws:dynamodb:#{@region}:#{@account}:limits"
17
+
18
+ resources.push(struct.to_h)
19
+ end
20
+
8
21
  #
9
22
  # list_tables
10
23
  #
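Review bot: `OpenStruct.new(response)` hands the SDK response object itself to OpenStruct instead of `response.to_h`, which every other collector in this change uses; it only works because the response delegates `each_pair` to the underlying data struct, an implementation detail rather than a documented contract. Use `struct = OpenStruct.new(response.to_h)` for consistency and to be safe across SDK versions. `describe_limits` is a single, non-paginated response, so `each_with_index` yields exactly one page; a comment saying so would stop a reader looking for pagination. `@account` is used to build the ARN here but is not set anywhere visible in this hunk, so presumably Mapper provides it — verify.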
@@ -130,6 +130,21 @@ class EC2 < Mapper
130
130
  end
131
131
  end
132
132
 
133
+ #
134
+ # describe_network_acls
135
+ #
136
+ @client.describe_network_acls.each_with_index do |response, page|
137
+ log(response.context.operation_name, page)
138
+
139
+ response.network_acls.each do |network_acl|
140
+ struct = OpenStruct.new(network_acl.to_h)
141
+ struct.type = 'network_acl'
142
+ struct.arn = network_acl.network_acl_id # no true ARN
143
+
144
+ resources.push(struct.to_h)
145
+ end
146
+ end
147
+
133
148
  #
134
149
  # describe_subnets
135
150
  #
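Review bot: `struct.arn = network_acl.network_acl_id # no true ARN` records a bare id, but EC2 does define an ARN for this resource (`arn:aws:ec2:<region>:<account>:network-acl/<acl-id>`), and the DynamoDB hunk in this same change already composes ARNs from `@region` and `@account`, so `struct.arn = "arn:aws:ec2:#{@region}:#{@account}:network-acl/#{network_acl.network_acl_id}"` would give consumers a key they can correlate with IAM policy resources and CloudTrail. The bare-id form is the file's existing convention for EC2 resources (the snapshot line further down uses it too), so if it is kept on purpose, a comment saying ARNs for EC2 networking resources are intentionally left as ids would prevent the next reader from "fixing" it. The surrounding `collect` method starts and ends outside the hunk.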
@@ -175,6 +190,21 @@ class EC2 < Mapper
175
190
  end
176
191
  end
177
192
 
193
+ #
194
+ # describe_internet_gateways
195
+ #
196
+ @client.describe_internet_gateways.each_with_index do |response, page|
197
+ log(response.context.operation_name, page)
198
+
199
+ response.internet_gateways.each do |gateway|
200
+ struct = OpenStruct.new(gateway.to_h)
201
+ struct.type = 'internet_gateway'
202
+ struct.arn = gateway.internet_gateway_id # no true ARN
203
+
204
+ resources.push(struct.to_h)
205
+ end
206
+ end
207
+
178
208
  #
179
209
  # describe_route_tables
180
210
  #
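Review bot: The same bare-id pattern appears on `struct.arn = gateway.internet_gateway_id # no true ARN`; an ARN of the form `arn:aws:ec2:<region>:<account>:internet-gateway/<igw-id>` exists and can be built from `@region`/`@account` the way the DynamoDB collector in this change does. Whichever way it is decided, the network ACL and internet gateway entries should be handled the same way, and the comment should say why. The enclosing `collect` method is outside the hunk.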
@@ -215,6 +245,10 @@ class EC2 < Mapper
215
245
  struct = OpenStruct.new(snapshot.to_h)
216
246
  struct.type = 'snapshot'
217
247
  struct.arn = snapshot.snapshot_id # no true ARN
248
+ struct.create_volume_permissions = @client.describe_snapshot_attribute({
249
+ attribute: 'createVolumePermission',
250
+ snapshot_id: snapshot.snapshot_id
251
+ }).create_volume_permissions.map(&:to_h)
218
252
 
219
253
  resources.push(struct.to_h)
220
254
  end
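Review bot: `describe_snapshot_attribute` is now issued for every snapshot produced by the `describe_snapshots` loop that starts above this hunk; if that call is not restricted with `owner_ids: ['self']`, it also returns every public snapshot the account can use, and the attribute call fails with an authorization error on snapshots the account does not own, aborting the loop before the account's own data is recorded — worth confirming the filter. The new field deserves a comment, since it is the whole reason to fetch it: `# a create_volume_permissions entry with group: "all" means the snapshot is shared publicly`. This also adds one extra API call per snapshot with no rate limiting visible here, which can be thousands of calls in a large account.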
@@ -26,7 +26,7 @@ class IAM < Mapper
26
26
  user.user_policy_list.map do |p|
27
27
  {
28
28
  policy_name: p.policy_name,
29
- policy_document: JSON.parse(CGI.unescape(p.policy_document))
29
+ policy_document: p.policy_document.parse_policy
30
30
  }
31
31
  end
32
32
  end
@@ -42,7 +42,7 @@ class IAM < Mapper
42
42
  group.group_policy_list.map do |p|
43
43
  {
44
44
  policy_name: p.policy_name,
45
- policy_document: JSON.parse(CGI.unescape(p.policy_document))
45
+ policy_document: p.policy_document.parse_policy
46
46
  }
47
47
  end
48
48
  end
@@ -54,12 +54,12 @@ class IAM < Mapper
54
54
  response.role_detail_list.each do |role|
55
55
  struct = OpenStruct.new(role.to_h)
56
56
  struct.type = 'role'
57
- struct.assume_role_policy_document = JSON.parse(CGI.unescape(role.assume_role_policy_document))
57
+ struct.assume_role_policy_document = role.assume_role_policy_document.parse_policy
58
58
  struct.role_policy_list = if role.role_policy_list
59
59
  role.role_policy_list.map do |p|
60
60
  {
61
61
  policy_name: p.policy_name,
62
- policy_document: JSON.parse(CGI.unescape(p.policy_document))
62
+ policy_document: p.policy_document.parse_policy
63
63
  }
64
64
  end
65
65
  end
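Review bot: `role.assume_role_policy_document.parse_policy` silently yields nil when the document cannot be parsed (the helper rescues StandardError), whereas the replaced `JSON.parse(CGI.unescape(...))` raised; a nil trust policy on a role is the worst failure direction for a posture tool, because a downstream checker is likely to read it as "no trust relationship" rather than "unparsed". Keep the raw document when parsing fails so nothing is lost: `struct.assume_role_policy_document = role.assume_role_policy_document.parse_policy || role.assume_role_policy_document`. The same applies to the inline `policy_document` entries in this and the other IAM hunks. The enclosing block continues outside the hunk.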
@@ -75,7 +75,7 @@ class IAM < Mapper
75
75
  policy.policy_version_list.map do |p|
76
76
  {
77
77
  version_id: p.version_id,
78
- document: JSON.parse(CGI.unescape(p.document)),
78
+ document: p.document.parse_policy,
79
79
  is_default_version: p.is_default_version,
80
80
  create_date: p.create_date
81
81
  }
@@ -12,7 +12,11 @@ class Lambda < Mapper
12
12
  struct = OpenStruct.new(function)
13
13
  struct.type = 'function'
14
14
  struct.arn = function.function_arn
15
+ struct.policy = @client.get_policy({ function_name: function.function_name }).policy.parse_policy
15
16
 
17
+ rescue Aws::Lambda::Errors::ResourceNotFoundException => e
18
+ log_error(e.code)
19
+ ensure
16
20
  resources.push(struct.to_h)
17
21
  end
18
22
  end
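Review bot: The `ensure` clause pushes `struct` even when an exception other than `ResourceNotFoundException` (a throttle or AccessDenied from `get_policy`) propagates out of the block, so a record with no `policy` key is emitted before the error unwinds; if the caller rescues and continues, that record is indistinguishable from a function with no resource policy. Push explicitly in the normal path and in the rescue branch instead, and let other exceptions carry nothing out. `ResourceNotFoundException` here is the normal "no resource policy" case, so `log_error(e.code)` will be noisy and does not say which function; `log_error("#{e.code}: #{function.function_name}")` is more useful. The `each` block this runs in starts outside the hunk.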
@@ -40,7 +40,7 @@ class Organizations < Mapper
40
40
  response.policies.each do |policy|
41
41
  struct = OpenStruct.new(policy.to_h)
42
42
  struct.type = 'service_control_policy'
43
- struct.content = JSON.parse(CGI.unescape(@client.describe_policy({ policy_id: policy.id }).policy.content))
43
+ struct.content = @client.describe_policy({ policy_id: policy.id }).policy.content.parse_policy
44
44
 
45
45
  resources.push(struct.to_h)
46
46
  end
@@ -29,16 +29,20 @@ class S3 < Mapper
29
29
  # to create a bucket, you must set the location_constraint
30
30
  # bucket parameter to the same region. (https://docs.aws.amazon.com/general/latest/gr/s3.html)
31
31
  client = if location.empty?
32
+ struct.location = 'us-east-1'
32
33
  @client
33
34
  else
35
+ struct.location = location
34
36
  Aws::S3::Client.new({ region: location })
35
37
  end
36
38
 
37
39
  operations = [
38
40
  { func: 'get_bucket_acl', key: 'acl', field: nil },
39
41
  { func: 'get_bucket_encryption', key: 'encryption', field: 'server_side_encryption_configuration' },
42
+ { func: 'get_bucket_replication', key: 'replication', field: 'replication_configuration' },
40
43
  { func: 'get_bucket_policy', key: 'policy', field: 'policy' },
41
44
  { func: 'get_bucket_policy_status', key: 'public', field: 'policy_status' },
45
+ { func: 'get_public_access_block', key: 'public_access_block', field: 'public_access_block_configuration' },
42
46
  { func: 'get_bucket_tagging', key: 'tagging', field: nil },
43
47
  { func: 'get_bucket_logging', key: 'logging', field: 'logging_enabled' },
44
48
  { func: 'get_bucket_versioning', key: 'versioning', field: nil },
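Review bot: `get_bucket_location` can return the legacy constraint `EU` for older eu-west-1 buckets, and `Aws::S3::Client.new({ region: location })` on the `else` branch will not resolve an endpoint for it, so every per-bucket call that follows fails for that bucket and the recorded `struct.location` is not a real region. Normalize before the branch: `location = 'eu-west-1' if location == 'EU'`. The enclosing method starts and ends outside the hunk.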
@@ -51,7 +55,7 @@ class S3 < Mapper
51
55
  resp = client.send(op.func, { bucket: bucket.name })
52
56
 
53
57
  struct[op.key] = if op.key == 'policy'
54
- resp.policy.string
58
+ resp.policy.string.parse_policy
55
59
  else
56
60
  op.field ? resp.send(op.field).to_h : resp.to_h
57
61
  end
@@ -77,6 +81,8 @@ class S3 < Mapper
77
81
  NoSuchBucketPolicy
78
82
  NoSuchTagSet
79
83
  NoSuchWebsiteConfiguration
84
+ ReplicationConfigurationNotFoundError
85
+ NoSuchPublicAccessBlockConfiguration
80
86
  ]
81
87
  end
82
88
  end
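Review bot: Swallowing `NoSuchPublicAccessBlockConfiguration` means a bucket with no bucket-level block simply has no `public_access_block` key, and nothing in the output distinguishes that from "public access allowed": the account-level block (an S3 Control `get_public_access_block` on the account, which this collector does not call) overrides the bucket setting either way. A comment next to the new `get_public_access_block` entry would keep consumers honest, e.g. `# absent key = no bucket-level block; the account-level block (s3control) is not collected here and may still apply`. The enclosing method starts outside the hunk.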
@@ -18,6 +18,8 @@ class SNS < Mapper
18
18
  struct = OpenStruct.new(@client.get_topic_attributes({ topic_arn: topic.topic_arn }).attributes.to_h)
19
19
  struct.type = 'topic'
20
20
  struct.arn = topic.topic_arn
21
+ struct.policy = struct.delete_field('Policy').parse_policy
22
+ struct.effective_delivery_policy = struct.delete_field('EffectiveDeliveryPolicy').parse_policy
21
23
  struct.subscriptions = []
22
24
 
23
25
  # list_subscriptions_by_topic
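Review bot: `struct.delete_field('Policy')` raises `NameError` if the attribute is missing, and no rescue for that case is visible in this hunk; `GetTopicAttributes` appears to return `Policy` and `EffectiveDeliveryPolicy` for every topic, so this is probably safe, but a guard such as `struct.policy = struct.delete_field('Policy').parse_policy if struct.respond_to?(:Policy)` costs nothing and matches what the SQS collector needs. Moving these two values to snake_case keys while the other attributes keep their CamelCase names (`Owner`, `SubscriptionsConfirmed`, ...) also changes the output schema for anyone keying on `Policy`; worth a line in the release notes. The enclosing block continues outside the hunk.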
@@ -18,7 +18,7 @@ class SQS < Mapper
18
18
  struct = OpenStruct.new(@client.get_queue_attributes({ queue_url: queue, attribute_names: ['All'] }).attributes.to_h)
19
19
  struct.type = 'queue'
20
20
  struct.arn = struct.QueueArn
21
- struct.Policy = JSON.parse(CGI.unescape(struct.Policy))
21
+ struct.policy = struct.delete_field('Policy').parse_policy
22
22
 
23
23
  resources.push(struct.to_h)
24
24
  end
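Review bot: `struct.delete_field('Policy')` raises `NameError` for any queue that has no policy, because `get_queue_attributes` omits the `Policy` attribute when none is set even with `attribute_names: ['All']`; the replaced line failed in the same situation (`CGI.unescape(nil)`), so the defect is carried over rather than fixed. Guard the field: `struct.policy = struct.delete_field('Policy').parse_policy if struct.respond_to?(:Policy)`. The key also moves from `Policy` to `policy`, which changes the output schema for consumers of the previous version. The enclosing block starts outside the hunk.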
@@ -30,7 +30,7 @@ class SSM < Mapper
30
30
  struct = OpenStruct.new(parameter.to_h)
31
31
  struct.string_type = parameter.type
32
32
  struct.type = 'parameter'
33
- struct.arn = "arn:aws:#{@service}:#{@region}::parameter/#{parameter.name}"
33
+ struct.arn = "arn:aws:#{@service}:#{@region}::parameter:#{parameter.name}"
34
34
 
35
35
  resources.push(struct.to_h)
36
36
  end
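Review bot: The new ARN `arn:aws:#{@service}:#{@region}::parameter:#{parameter.name}` does not match the documented SSM format, which uses a slash and includes the account (`arn:aws:ssm:<region>:<account>:parameter/<name-without-leading-slash>`); the colon form will not correlate with IAM policy resources or CloudTrail, and the empty account segment was already wrong before this change. Presumably the slash was dropped because hierarchical names such as `/Prod/DB` produced `parameter//Prod/DB`; stripping the leading slash keeps the documented format: `struct.arn = "arn:aws:#{@service}:#{@region}:#{@account}:parameter/#{parameter.name.delete_prefix('/')}"`. `@account` is used by the DynamoDB collector in this same change, so it should be available here — verify. The enclosing block starts outside the hunk.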
@@ -0,0 +1,10 @@
1
+ #
2
+ # Parse and unescape AWS policy document string
3
+ #
4
+ module PolicyStringParser
5
+ def parse_policy
6
+ JSON.parse(CGI.unescape(self))
7
+ rescue StandardError
8
+ nil
9
+ end
10
+ end
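Review bot: `CGI.unescape` is applied to every policy string, but only the IAM documents from `get_account_authorization_details` are URL-encoded; S3 bucket policies, SNS/SQS attributes, Lambda `get_policy` and Organizations SCP content are plain JSON, and on those `CGI.unescape` turns `+` into a space and decodes any `%xx` sequence, so a resource or condition value such as `arn:aws:s3:::bucket/a+b/*` is recorded with the wrong value. Parse the raw string first and fall back to decoding only when that fails. The `rescue StandardError` then `nil` also hides every parse failure, and in a posture tool a nil policy where one exists reads as "no policy" downstream, which is the unsafe direction; at minimum rescue `JSON::ParserError` only so unrelated errors still surface. The rewrite below keeps the nil fallback callers currently rely on, and puts `require 'cgi'`/`require 'json'` in this file rather than assuming them from elsewhere.

```ruby
require 'cgi'
require 'json'

#
# Parse an AWS policy document string. IAM returns documents URL-encoded;
# most other services return plain JSON, so decode only when the raw
# string is not valid JSON.
#
module PolicyStringParser
  def parse_policy
    JSON.parse(self)
  rescue JSON::ParserError
    begin
      JSON.parse(CGI.unescape(self))
    rescue JSON::ParserError
      nil # caller should keep the raw string alongside this
    end
  end
end
```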
@@ -4,6 +4,8 @@
4
4
  alias: organizations
5
5
  - name: AccessAnalyzer
6
6
  alias: aa
7
+ - name: ApplicationAutoScaling
8
+ alias: aas
7
9
  - name: ConfigService
8
10
  alias: config
9
11
  - name: CodeBuild
@@ -1,3 +1,3 @@
1
1
  module AwsRecon
2
- VERSION = "0.2.14"
2
+ VERSION = "0.2.19"
3
3
  end
data/readme.md CHANGED
@@ -1,5 +1,5 @@
1
- ![smoke-test](https://github.com/darkbitio/aws-recon/workflows/smoke-test/badge.svg)
2
- [![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
1
+ [![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)](https://github.com/darkbitio/aws-recon/actions?query=branch%3Amain)
2
+ [![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://rubygems.org/gems/aws_recon)
3
3
 
4
4
  # AWS Recon
5
5
 
@@ -222,7 +222,9 @@ Current "coverage" by service is listed below. The services without coverage wil
222
222
 
223
223
  AWS Recon aims to collect all resources and metadata that are relevant in determining the security posture of your AWS account(s). However, it does not actually examine the resources for security posture - that is the job of other tools that take the output of AWS Recon as input.
224
224
 
225
+ - [x] AccessAnalyzer
225
226
  - [x] AdvancedShield
227
+ - [x] ApplicationAutoScaling
226
228
  - [x] Athena
227
229
  - [x] GuardDuty
228
230
  - [ ] Macie
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws_recon
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.14
4
+ version: 0.2.19
5
5
  platform: ruby
6
6
  authors:
7
7
  - Josh Larsen
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2020-11-18 00:00:00.000000000 Z
12
+ date: 2020-11-25 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: aws-sdk
@@ -184,6 +184,7 @@ files:
184
184
  - lib/aws_recon/collectors/acm.rb
185
185
  - lib/aws_recon/collectors/apigateway.rb
186
186
  - lib/aws_recon/collectors/apigatewayv2.rb
187
+ - lib/aws_recon/collectors/applicationautoscaling.rb
187
188
  - lib/aws_recon/collectors/athena.rb
188
189
  - lib/aws_recon/collectors/autoscaling.rb
189
190
  - lib/aws_recon/collectors/cloudformation.rb
@@ -235,6 +236,7 @@ files:
235
236
  - lib/aws_recon/collectors/xray.rb
236
237
  - lib/aws_recon/lib/formatter.rb
237
238
  - lib/aws_recon/lib/mapper.rb
239
+ - lib/aws_recon/lib/patch.rb
238
240
  - lib/aws_recon/options.rb
239
241
  - lib/aws_recon/services.yaml
240
242
  - lib/aws_recon/version.rb