RubyGems - aws_recon - Versions diffs - 0.2.15 → 0.2.20 - Mend

aws_recon 0.2.15 → 0.2.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

checksums.yaml +4 -4
data/lib/aws_recon.rb +3 -0
data/lib/aws_recon/collectors/applicationautoscaling.rb +25 -0
data/lib/aws_recon/collectors/dynamodb.rb +13 -0
data/lib/aws_recon/collectors/ec2.rb +34 -0
data/lib/aws_recon/collectors/guardduty.rb +14 -1
data/lib/aws_recon/collectors/iam.rb +5 -5
data/lib/aws_recon/collectors/lambda.rb +4 -0
data/lib/aws_recon/collectors/organizations.rb +1 -1
data/lib/aws_recon/collectors/s3.rb +7 -1
data/lib/aws_recon/collectors/secretsmanager.rb +26 -0
data/lib/aws_recon/collectors/securityhub.rb +23 -0
data/lib/aws_recon/collectors/sns.rb +2 -0
data/lib/aws_recon/collectors/sqs.rb +1 -1
data/lib/aws_recon/collectors/ssm.rb +1 -1
data/lib/aws_recon/lib/patch.rb +10 -0
data/lib/aws_recon/services.yaml +6 -0
data/lib/aws_recon/version.rb +1 -1
data/readme.md +5 -2
metadata +6 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c474979fa320276fa9605cf6e13fea26096c4cbb115a3287ffc9faae644cbd63
-  data.tar.gz: fad3786ed1a152f2437eafd33481cf4183b8453bcedfe7e2132b8a62ac37f552
+  metadata.gz: 6b945e5c44370658e13ee470fee26d7e0b46fb6102a661485be9513af305f45d
+  data.tar.gz: 969330b10b9a8264bdb5759b1c910b74ccf05e855f8f380cdebdac8b3694fb11
 SHA512:
-  metadata.gz: 51f4c2a2c33aff53a81bb36b757602080612bd6d304284d9439d4c4fa505a385de2194526056efb07286418fecf9520e965fb780f800a402071a7746d9f093f7
-  data.tar.gz: d45f606a06b3a9044ead0e1b2a7338107fe37a7eb7aeb81562b08783c815520426b96136e2566fe1e44ca5713fa3979ae25de999f2f8b06e8ed22af2d3e56915
+  metadata.gz: a7d26039b60a21370bd7000d7ccaca93cfc5efc7c0dba88ae5d7ea12d63d3a7b8f973b06d3a1a2633fb82804a716f163ffda23f96a00ee73251eb85956f14dfd
+  data.tar.gz: 61b1aa696e9ec44fd6b93d4ced975be8a2bb514537ed232db8a11cb840045bc52132a215a21a99e573f4df0b557b1612eb4dda458c249c0e5f86939b83049680

data/lib/aws_recon.rb CHANGED

@@ -3,6 +3,9 @@
 module AwsRecon
 end
+require 'aws_recon/lib/patch.rb'
+String.include PolicyStringParser
 require 'parallel'
 require 'ostruct'
 require 'optparse'

data/lib/aws_recon/collectors/applicationautoscaling.rb ADDED

@@ -0,0 +1,25 @@
+class ApplicationAutoScaling < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+    #
+    # DynamoDB auto-scaling policies
+    #
+    @client.describe_scaling_policies({ service_namespace: 'dynamodb' }).each_with_index do |response, page|
+      log(response.context.operation_name, page)
+      response.scaling_policies.each do |policy|
+        struct = OpenStruct.new(policy.to_h)
+        struct.type = 'auto_scaling_policy'
+        struct.arn = policy.policy_arn
+        resources.push(struct.to_h)
+      end
+    end
+    resources
+  end
+end

data/lib/aws_recon/collectors/dynamodb.rb CHANGED

@@ -5,6 +5,19 @@ class DynamoDB < Mapper
   def collect
     resources = []
+    #
+    # describe_limits
+    #
+    @client.describe_limits.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+      struct = OpenStruct.new(response)
+      struct.type = 'limits'
+      struct.arn = "arn:aws:dynamodb:#{@region}:#{@account}:limits"
+      resources.push(struct.to_h)
+    end
     #
     # list_tables
     #

data/lib/aws_recon/collectors/ec2.rb CHANGED

@@ -130,6 +130,21 @@ class EC2 < Mapper
         end
       end
+      #
+      # describe_network_acls
+      #
+      @client.describe_network_acls.each_with_index do |response, page|
+        log(response.context.operation_name, page)
+        response.network_acls.each do |network_acl|
+          struct = OpenStruct.new(network_acl.to_h)
+          struct.type = 'network_acl'
+          struct.arn = network_acl.network_acl_id # no true ARN
+          resources.push(struct.to_h)
+        end
+      end
       #
       # describe_subnets
       #
@@ -175,6 +190,21 @@ class EC2 < Mapper
         end
       end
+      #
+      # describe_internet_gateways
+      #
+      @client.describe_internet_gateways.each_with_index do |response, page|
+        log(response.context.operation_name, page)
+        response.internet_gateways.each do |gateway|
+          struct = OpenStruct.new(gateway.to_h)
+          struct.type = 'internet_gateway'
+          struct.arn = gateway.internet_gateway_id # no true ARN
+          resources.push(struct.to_h)
+        end
+      end
       #
       # describe_route_tables
       #
@@ -215,6 +245,10 @@ class EC2 < Mapper
           struct = OpenStruct.new(snapshot.to_h)
           struct.type = 'snapshot'
           struct.arn = snapshot.snapshot_id # no true ARN
+          struct.create_volume_permissions = @client.describe_snapshot_attribute({
+                                                                                   attribute: 'createVolumePermission',
+                                                                                   snapshot_id: snapshot.snapshot_id
+                                                                                 }).create_volume_permissions.map(&:to_h)
           resources.push(struct.to_h)
         end

data/lib/aws_recon/collectors/guardduty.rb CHANGED

@@ -21,8 +21,21 @@ class GuardDuty < Mapper
         struct.type = 'detector'
         struct.arn = "arn:aws:guardduty:#{@region}:detector/#{detector}"
+        # get_findings_statistics (only active findings)
+        struct.findings_statistics = @client.get_findings_statistics({
+                                                                       detector_id: detector,
+                                                                       finding_statistic_types: ['COUNT_BY_SEVERITY'],
+                                                                       finding_criteria: {
+                                                                         criterion: {
+                                                                           'service.archived': {
+                                                                             eq: ['false']
+                                                                           }
+                                                                         }
+                                                                       }
+                                                                     }).finding_statistics.to_h
         # get_master_account
-        struct.master_account = @client.get_master_account({ detector_id: detector }).to_h
+        struct.master_account = @client.get_master_account({ detector_id: detector }).master.to_h
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/iam.rb CHANGED

@@ -26,7 +26,7 @@ class IAM < Mapper
                                     user.user_policy_list.map do |p|
                                       {
                                         policy_name: p.policy_name,
-                                        policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                        policy_document: p.policy_document.parse_policy
                                       }
                                     end
                                   end
@@ -42,7 +42,7 @@ class IAM < Mapper
                                      group.group_policy_list.map do |p|
                                        {
                                          policy_name: p.policy_name,
-                                         policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                         policy_document: p.policy_document.parse_policy
                                        }
                                      end
                                     end
@@ -54,12 +54,12 @@ class IAM < Mapper
       response.role_detail_list.each do |role|
         struct = OpenStruct.new(role.to_h)
         struct.type = 'role'
-        struct.assume_role_policy_document = JSON.parse(CGI.unescape(role.assume_role_policy_document))
+        struct.assume_role_policy_document = role.assume_role_policy_document.parse_policy
         struct.role_policy_list = if role.role_policy_list
                                     role.role_policy_list.map do |p|
                                       {
                                         policy_name: p.policy_name,
-                                        policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                        policy_document: p.policy_document.parse_policy
                                       }
                                     end
                                   end
@@ -75,7 +75,7 @@ class IAM < Mapper
                                        policy.policy_version_list.map do |p|
                                          {
                                            version_id: p.version_id,
-                                           document: JSON.parse(CGI.unescape(p.document)),
+                                           document: p.document.parse_policy,
                                            is_default_version: p.is_default_version,
                                            create_date: p.create_date
                                          }

data/lib/aws_recon/collectors/lambda.rb CHANGED

@@ -12,7 +12,11 @@ class Lambda < Mapper
         struct = OpenStruct.new(function)
         struct.type = 'function'
         struct.arn = function.function_arn
+        struct.policy = @client.get_policy({ function_name: function.function_name }).policy.parse_policy
+      rescue Aws::Lambda::Errors::ResourceNotFoundException => e
+        log_error(e.code)
+      ensure
         resources.push(struct.to_h)
       end
     end

data/lib/aws_recon/collectors/organizations.rb CHANGED

@@ -40,7 +40,7 @@ class Organizations < Mapper
       response.policies.each do |policy|
         struct = OpenStruct.new(policy.to_h)
         struct.type = 'service_control_policy'
-        struct.content = JSON.parse(CGI.unescape(@client.describe_policy({ policy_id: policy.id }).policy.content))
+        struct.content = @client.describe_policy({ policy_id: policy.id }).policy.content.parse_policy
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/s3.rb CHANGED

@@ -29,16 +29,20 @@ class S3 < Mapper
         # to create a bucket, you must set the location_constraint
         # bucket parameter to the same region. (https://docs.aws.amazon.com/general/latest/gr/s3.html)
         client = if location.empty?
+                   struct.location = 'us-east-1'
                    @client
                  else
+                   struct.location = location
                    Aws::S3::Client.new({ region: location })
                  end
         operations = [
           { func: 'get_bucket_acl', key: 'acl', field: nil },
           { func: 'get_bucket_encryption', key: 'encryption', field: 'server_side_encryption_configuration' },
+          { func: 'get_bucket_replication', key: 'replication', field: 'replication_configuration' },
           { func: 'get_bucket_policy', key: 'policy', field: 'policy' },
           { func: 'get_bucket_policy_status', key: 'public', field: 'policy_status' },
+          { func: 'get_public_access_block', key: 'public_access_block', field: 'public_access_block_configuration' },
           { func: 'get_bucket_tagging', key: 'tagging', field: nil },
           { func: 'get_bucket_logging', key: 'logging', field: 'logging_enabled' },
           { func: 'get_bucket_versioning', key: 'versioning', field: nil },
@@ -51,7 +55,7 @@ class S3 < Mapper
           resp = client.send(op.func, { bucket: bucket.name })
           struct[op.key] = if op.key == 'policy'
-                             resp.policy.string
+                             resp.policy.string.parse_policy
                            else
                              op.field ? resp.send(op.field).to_h : resp.to_h
                            end
@@ -77,6 +81,8 @@ class S3 < Mapper
       NoSuchBucketPolicy
       NoSuchTagSet
       NoSuchWebsiteConfiguration
+      ReplicationConfigurationNotFoundError
+      NoSuchPublicAccessBlockConfiguration
     ]
   end
 end

data/lib/aws_recon/collectors/secretsmanager.rb ADDED

@@ -0,0 +1,26 @@
+class SecretsManager < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+    #
+    # describe_auto_scaling_groups
+    #
+    @client.list_secrets.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+      response.secret_list.each_with_index do |secret, i|
+        log(response.context.operation_name, i)
+        struct = OpenStruct.new(secret.to_h)
+        struct.type = 'secret'
+        resources.push(struct.to_h)
+      end
+    end
+    resources
+  end
+end

data/lib/aws_recon/collectors/securityhub.rb ADDED

@@ -0,0 +1,23 @@
+class SecurityHub < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+    #
+    # describe_hub
+    #
+    @client.describe_hub.each do |response|
+      log(response.context.operation_name)
+      struct = OpenStruct.new(response.to_h)
+      struct.type = 'hub'
+      struct.arn = response.hub_arn
+      resources.push(struct.to_h)
+    end
+    resources
+  end
+end

data/lib/aws_recon/collectors/sns.rb CHANGED

@@ -18,6 +18,8 @@ class SNS < Mapper
         struct = OpenStruct.new(@client.get_topic_attributes({ topic_arn: topic.topic_arn }).attributes.to_h)
         struct.type = 'topic'
         struct.arn = topic.topic_arn
+        struct.policy = struct.delete_field('Policy').parse_policy
+        struct.effective_delivery_policy = struct.delete_field('EffectiveDeliveryPolicy').parse_policy
         struct.subscriptions = []
         # list_subscriptions_by_topic

data/lib/aws_recon/collectors/sqs.rb CHANGED

@@ -18,7 +18,7 @@ class SQS < Mapper
         struct = OpenStruct.new(@client.get_queue_attributes({ queue_url: queue, attribute_names: ['All'] }).attributes.to_h)
         struct.type = 'queue'
         struct.arn = struct.QueueArn
-        struct.Policy = JSON.parse(CGI.unescape(struct.Policy))
+        struct.policy = struct.delete_field('Policy').parse_policy
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/ssm.rb CHANGED

@@ -30,7 +30,7 @@ class SSM < Mapper
         struct = OpenStruct.new(parameter.to_h)
         struct.string_type = parameter.type
         struct.type = 'parameter'
-        struct.arn = "arn:aws:#{@service}:#{@region}::parameter/#{parameter.name}"
+        struct.arn = "arn:aws:#{@service}:#{@region}::parameter:#{parameter.name}"
         resources.push(struct.to_h)
       end

data/lib/aws_recon/lib/patch.rb ADDED

@@ -0,0 +1,10 @@
+#
+# Parse and unescape AWS policy document string
+#
+module PolicyStringParser
+  def parse_policy
+    JSON.parse(CGI.unescape(self))
+  rescue StandardError
+    nil
+  end
+end

data/lib/aws_recon/services.yaml CHANGED

@@ -4,6 +4,8 @@
   alias: organizations
 - name: AccessAnalyzer
   alias: aa
+- name: ApplicationAutoScaling
+  alias: aas
 - name: ConfigService
   alias: config
 - name: CodeBuild
@@ -89,6 +91,10 @@
   alias: cloudwatchlogs
 - name: Kafka
   alias: kafka
+- name: SecretsManager
+  alias: sm
+- name: SecurityHub
+  alias: sh
 - name: Support
   global: true
   alias: support

data/lib/aws_recon/version.rb CHANGED

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.2.15"
+  VERSION = "0.2.20"
 end

data/readme.md CHANGED

@@ -1,5 +1,5 @@
-![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)
-[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
+[![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)](https://github.com/darkbitio/aws-recon/actions?query=branch%3Amain)
+[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://rubygems.org/gems/aws_recon)
 # AWS Recon
@@ -224,6 +224,7 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 - [x] AccessAnalyzer
 - [x] AdvancedShield
+- [x] ApplicationAutoScaling
 - [x] Athena
 - [x] GuardDuty
 - [ ] Macie
@@ -269,6 +270,8 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 - [x] S3
 - [x] SageMaker
 - [x] SES
+- [x] SecretsManager
+- [x] SecurityHub
 - [x] ServiceQuotas
 - [x] Shield
 - [x] SNS

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.2.15
+  version: 0.2.20
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-18 00:00:00.000000000 Z
+date: 2020-11-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -184,6 +184,7 @@ files:
 - lib/aws_recon/collectors/acm.rb
 - lib/aws_recon/collectors/apigateway.rb
 - lib/aws_recon/collectors/apigatewayv2.rb
+- lib/aws_recon/collectors/applicationautoscaling.rb
 - lib/aws_recon/collectors/athena.rb
 - lib/aws_recon/collectors/autoscaling.rb
 - lib/aws_recon/collectors/cloudformation.rb
@@ -222,6 +223,8 @@ files:
 - lib/aws_recon/collectors/route53domains.rb
 - lib/aws_recon/collectors/s3.rb
 - lib/aws_recon/collectors/sagemaker.rb
+- lib/aws_recon/collectors/secretsmanager.rb
+- lib/aws_recon/collectors/securityhub.rb
 - lib/aws_recon/collectors/servicequotas.rb
 - lib/aws_recon/collectors/ses.rb
 - lib/aws_recon/collectors/shield.rb
@@ -235,6 +238,7 @@ files:
 - lib/aws_recon/collectors/xray.rb
 - lib/aws_recon/lib/formatter.rb
 - lib/aws_recon/lib/mapper.rb
+- lib/aws_recon/lib/patch.rb
 - lib/aws_recon/options.rb
 - lib/aws_recon/services.yaml
 - lib/aws_recon/version.rb