aws_recon 0.2.15 → 0.2.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c474979fa320276fa9605cf6e13fea26096c4cbb115a3287ffc9faae644cbd63
-  data.tar.gz: fad3786ed1a152f2437eafd33481cf4183b8453bcedfe7e2132b8a62ac37f552
+  metadata.gz: 6b945e5c44370658e13ee470fee26d7e0b46fb6102a661485be9513af305f45d
+  data.tar.gz: 969330b10b9a8264bdb5759b1c910b74ccf05e855f8f380cdebdac8b3694fb11
 SHA512:
-  metadata.gz: 51f4c2a2c33aff53a81bb36b757602080612bd6d304284d9439d4c4fa505a385de2194526056efb07286418fecf9520e965fb780f800a402071a7746d9f093f7
-  data.tar.gz: d45f606a06b3a9044ead0e1b2a7338107fe37a7eb7aeb81562b08783c815520426b96136e2566fe1e44ca5713fa3979ae25de999f2f8b06e8ed22af2d3e56915
+  metadata.gz: a7d26039b60a21370bd7000d7ccaca93cfc5efc7c0dba88ae5d7ea12d63d3a7b8f973b06d3a1a2633fb82804a716f163ffda23f96a00ee73251eb85956f14dfd
+  data.tar.gz: 61b1aa696e9ec44fd6b93d4ced975be8a2bb514537ed232db8a11cb840045bc52132a215a21a99e573f4df0b557b1612eb4dda458c249c0e5f86939b83049680

data/lib/aws_recon.rb

@@ -3,6 +3,9 @@
 module AwsRecon
 end
 
+require 'aws_recon/lib/patch.rb'
+String.include PolicyStringParser
+
 require 'parallel'
 require 'ostruct'
 require 'optparse'

data/lib/aws_recon/collectors/applicationautoscaling.rb

@@ -0,0 +1,25 @@
+class ApplicationAutoScaling < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # DynamoDB auto-scaling policies
+    #
+    @client.describe_scaling_policies({ service_namespace: 'dynamodb' }).each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      response.scaling_policies.each do |policy|
+        struct = OpenStruct.new(policy.to_h)
+        struct.type = 'auto_scaling_policy'
+        struct.arn = policy.policy_arn
+
+        resources.push(struct.to_h)
+      end
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/dynamodb.rb

@@ -5,6 +5,19 @@ class DynamoDB < Mapper
   def collect
     resources = []
 
+    #
+    # describe_limits
+    #
+    @client.describe_limits.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      struct = OpenStruct.new(response)
+      struct.type = 'limits'
+      struct.arn = "arn:aws:dynamodb:#{@region}:#{@account}:limits"
+
+      resources.push(struct.to_h)
+    end
+
     #
     # list_tables
     #

data/lib/aws_recon/collectors/ec2.rb

@@ -130,6 +130,21 @@ class EC2 < Mapper
         end
       end
 
+      #
+      # describe_network_acls
+      #
+      @client.describe_network_acls.each_with_index do |response, page|
+        log(response.context.operation_name, page)
+
+        response.network_acls.each do |network_acl|
+          struct = OpenStruct.new(network_acl.to_h)
+          struct.type = 'network_acl'
+          struct.arn = network_acl.network_acl_id # no true ARN
+
+          resources.push(struct.to_h)
+        end
+      end
+
       #
       # describe_subnets
       #
@@ -175,6 +190,21 @@ class EC2 < Mapper
         end
       end
 
+      #
+      # describe_internet_gateways
+      #
+      @client.describe_internet_gateways.each_with_index do |response, page|
+        log(response.context.operation_name, page)
+
+        response.internet_gateways.each do |gateway|
+          struct = OpenStruct.new(gateway.to_h)
+          struct.type = 'internet_gateway'
+          struct.arn = gateway.internet_gateway_id # no true ARN
+
+          resources.push(struct.to_h)
+        end
+      end
+
       #
       # describe_route_tables
       #
@@ -215,6 +245,10 @@ class EC2 < Mapper
           struct = OpenStruct.new(snapshot.to_h)
           struct.type = 'snapshot'
           struct.arn = snapshot.snapshot_id # no true ARN
+          struct.create_volume_permissions = @client.describe_snapshot_attribute({
+                                                                                   attribute: 'createVolumePermission',
+                                                                                   snapshot_id: snapshot.snapshot_id
+                                                                                 }).create_volume_permissions.map(&:to_h)
 
           resources.push(struct.to_h)
         end

data/lib/aws_recon/collectors/guardduty.rb

@@ -21,8 +21,21 @@ class GuardDuty < Mapper
         struct.type = 'detector'
         struct.arn = "arn:aws:guardduty:#{@region}:detector/#{detector}"
 
+        # get_findings_statistics (only active findings)
+        struct.findings_statistics = @client.get_findings_statistics({
+                                                                       detector_id: detector,
+                                                                       finding_statistic_types: ['COUNT_BY_SEVERITY'],
+                                                                       finding_criteria: {
+                                                                         criterion: {
+                                                                           'service.archived': {
+                                                                             eq: ['false']
+                                                                           }
+                                                                         }
+                                                                       }
+                                                                     }).finding_statistics.to_h
+
         # get_master_account
-        struct.master_account = @client.get_master_account({ detector_id: detector }).to_h
+        struct.master_account = @client.get_master_account({ detector_id: detector }).master.to_h
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/iam.rb

@@ -26,7 +26,7 @@ class IAM < Mapper
                                     user.user_policy_list.map do |p|
                                       {
                                         policy_name: p.policy_name,
-                                        policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                        policy_document: p.policy_document.parse_policy
                                       }
                                     end
                                   end
@@ -42,7 +42,7 @@ class IAM < Mapper
                                      group.group_policy_list.map do |p|
                                        {
                                          policy_name: p.policy_name,
-                                         policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                         policy_document: p.policy_document.parse_policy
                                        }
                                      end
                                     end
@@ -54,12 +54,12 @@ class IAM < Mapper
       response.role_detail_list.each do |role|
         struct = OpenStruct.new(role.to_h)
         struct.type = 'role'
-        struct.assume_role_policy_document = JSON.parse(CGI.unescape(role.assume_role_policy_document))
+        struct.assume_role_policy_document = role.assume_role_policy_document.parse_policy
         struct.role_policy_list = if role.role_policy_list
                                     role.role_policy_list.map do |p|
                                       {
                                         policy_name: p.policy_name,
-                                        policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                        policy_document: p.policy_document.parse_policy
                                       }
                                     end
                                   end
@@ -75,7 +75,7 @@ class IAM < Mapper
                                        policy.policy_version_list.map do |p|
                                          {
                                            version_id: p.version_id,
-                                           document: JSON.parse(CGI.unescape(p.document)),
+                                           document: p.document.parse_policy,
                                            is_default_version: p.is_default_version,
                                            create_date: p.create_date
                                          }

data/lib/aws_recon/collectors/lambda.rb

@@ -12,7 +12,11 @@ class Lambda < Mapper
         struct = OpenStruct.new(function)
         struct.type = 'function'
         struct.arn = function.function_arn
+        struct.policy = @client.get_policy({ function_name: function.function_name }).policy.parse_policy
 
+      rescue Aws::Lambda::Errors::ResourceNotFoundException => e
+        log_error(e.code)
+      ensure
         resources.push(struct.to_h)
       end
     end

data/lib/aws_recon/collectors/organizations.rb

@@ -40,7 +40,7 @@ class Organizations < Mapper
       response.policies.each do |policy|
         struct = OpenStruct.new(policy.to_h)
         struct.type = 'service_control_policy'
-        struct.content = JSON.parse(CGI.unescape(@client.describe_policy({ policy_id: policy.id }).policy.content))
+        struct.content = @client.describe_policy({ policy_id: policy.id }).policy.content.parse_policy
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/s3.rb

@@ -29,16 +29,20 @@ class S3 < Mapper
         # to create a bucket, you must set the location_constraint
         # bucket parameter to the same region. (https://docs.aws.amazon.com/general/latest/gr/s3.html)
         client = if location.empty?
+                   struct.location = 'us-east-1'
                    @client
                  else
+                   struct.location = location
                    Aws::S3::Client.new({ region: location })
                  end
 
         operations = [
           { func: 'get_bucket_acl', key: 'acl', field: nil },
           { func: 'get_bucket_encryption', key: 'encryption', field: 'server_side_encryption_configuration' },
+          { func: 'get_bucket_replication', key: 'replication', field: 'replication_configuration' },
           { func: 'get_bucket_policy', key: 'policy', field: 'policy' },
           { func: 'get_bucket_policy_status', key: 'public', field: 'policy_status' },
+          { func: 'get_public_access_block', key: 'public_access_block', field: 'public_access_block_configuration' },
           { func: 'get_bucket_tagging', key: 'tagging', field: nil },
           { func: 'get_bucket_logging', key: 'logging', field: 'logging_enabled' },
           { func: 'get_bucket_versioning', key: 'versioning', field: nil },
@@ -51,7 +55,7 @@ class S3 < Mapper
           resp = client.send(op.func, { bucket: bucket.name })
 
           struct[op.key] = if op.key == 'policy'
-                             resp.policy.string
+                             resp.policy.string.parse_policy
                            else
                              op.field ? resp.send(op.field).to_h : resp.to_h
                            end
@@ -77,6 +81,8 @@ class S3 < Mapper
       NoSuchBucketPolicy
       NoSuchTagSet
       NoSuchWebsiteConfiguration
+      ReplicationConfigurationNotFoundError
+      NoSuchPublicAccessBlockConfiguration
     ]
   end
 end

data/lib/aws_recon/collectors/secretsmanager.rb

@@ -0,0 +1,26 @@
+class SecretsManager < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # describe_auto_scaling_groups
+    #
+    @client.list_secrets.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      response.secret_list.each_with_index do |secret, i|
+        log(response.context.operation_name, i)
+
+        struct = OpenStruct.new(secret.to_h)
+        struct.type = 'secret'
+
+        resources.push(struct.to_h)
+      end
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/securityhub.rb

@@ -0,0 +1,23 @@
+class SecurityHub < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # describe_hub
+    #
+    @client.describe_hub.each do |response|
+      log(response.context.operation_name)
+
+      struct = OpenStruct.new(response.to_h)
+      struct.type = 'hub'
+      struct.arn = response.hub_arn
+
+      resources.push(struct.to_h)
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/sns.rb

@@ -18,6 +18,8 @@ class SNS < Mapper
         struct = OpenStruct.new(@client.get_topic_attributes({ topic_arn: topic.topic_arn }).attributes.to_h)
         struct.type = 'topic'
         struct.arn = topic.topic_arn
+        struct.policy = struct.delete_field('Policy').parse_policy
+        struct.effective_delivery_policy = struct.delete_field('EffectiveDeliveryPolicy').parse_policy
         struct.subscriptions = []
 
         # list_subscriptions_by_topic

data/lib/aws_recon/collectors/sqs.rb

@@ -18,7 +18,7 @@ class SQS < Mapper
         struct = OpenStruct.new(@client.get_queue_attributes({ queue_url: queue, attribute_names: ['All'] }).attributes.to_h)
         struct.type = 'queue'
         struct.arn = struct.QueueArn
-        struct.Policy = JSON.parse(CGI.unescape(struct.Policy))
+        struct.policy = struct.delete_field('Policy').parse_policy
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/ssm.rb

@@ -30,7 +30,7 @@ class SSM < Mapper
         struct = OpenStruct.new(parameter.to_h)
         struct.string_type = parameter.type
         struct.type = 'parameter'
-        struct.arn = "arn:aws:#{@service}:#{@region}::parameter/#{parameter.name}"
+        struct.arn = "arn:aws:#{@service}:#{@region}::parameter:#{parameter.name}"
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/lib/patch.rb

@@ -0,0 +1,10 @@
+#
+# Parse and unescape AWS policy document string
+#
+module PolicyStringParser
+  def parse_policy
+    JSON.parse(CGI.unescape(self))
+  rescue StandardError
+    nil
+  end
+end

data/lib/aws_recon/services.yaml

@@ -4,6 +4,8 @@
   alias: organizations
 - name: AccessAnalyzer
   alias: aa
+- name: ApplicationAutoScaling
+  alias: aas
 - name: ConfigService
   alias: config
 - name: CodeBuild
@@ -89,6 +91,10 @@
   alias: cloudwatchlogs
 - name: Kafka
   alias: kafka
+- name: SecretsManager
+  alias: sm
+- name: SecurityHub
+  alias: sh
 - name: Support
   global: true
   alias: support

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.2.15"
+  VERSION = "0.2.20"
 end

data/readme.md

@@ -1,5 +1,5 @@
-![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)
-[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
+[![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)](https://github.com/darkbitio/aws-recon/actions?query=branch%3Amain)
+[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://rubygems.org/gems/aws_recon)
 
 # AWS Recon
 
@@ -224,6 +224,7 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 
 - [x] AccessAnalyzer
 - [x] AdvancedShield
+- [x] ApplicationAutoScaling
 - [x] Athena
 - [x] GuardDuty
 - [ ] Macie
@@ -269,6 +270,8 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 - [x] S3
 - [x] SageMaker
 - [x] SES
+- [x] SecretsManager
+- [x] SecurityHub
 - [x] ServiceQuotas
 - [x] Shield
 - [x] SNS

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.2.15
+  version: 0.2.20
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-18 00:00:00.000000000 Z
+date: 2020-11-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -184,6 +184,7 @@ files:
 - lib/aws_recon/collectors/acm.rb
 - lib/aws_recon/collectors/apigateway.rb
 - lib/aws_recon/collectors/apigatewayv2.rb
+- lib/aws_recon/collectors/applicationautoscaling.rb
 - lib/aws_recon/collectors/athena.rb
 - lib/aws_recon/collectors/autoscaling.rb
 - lib/aws_recon/collectors/cloudformation.rb
@@ -222,6 +223,8 @@ files:
 - lib/aws_recon/collectors/route53domains.rb
 - lib/aws_recon/collectors/s3.rb
 - lib/aws_recon/collectors/sagemaker.rb
+- lib/aws_recon/collectors/secretsmanager.rb
+- lib/aws_recon/collectors/securityhub.rb
 - lib/aws_recon/collectors/servicequotas.rb
 - lib/aws_recon/collectors/ses.rb
 - lib/aws_recon/collectors/shield.rb
@@ -235,6 +238,7 @@ files:
 - lib/aws_recon/collectors/xray.rb
 - lib/aws_recon/lib/formatter.rb
 - lib/aws_recon/lib/mapper.rb
+- lib/aws_recon/lib/patch.rb
 - lib/aws_recon/options.rb
 - lib/aws_recon/services.yaml
 - lib/aws_recon/version.rb