RubyGems - aws_recon - Versions diffs - 0.2.16 → 0.2.21 - Mend

aws_recon 0.2.16 → 0.2.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

checksums.yaml +4 -4
data/lib/aws_recon.rb +3 -0
data/lib/aws_recon/collectors/applicationautoscaling.rb +25 -0
data/lib/aws_recon/collectors/backup.rb +25 -0
data/lib/aws_recon/collectors/dynamodb.rb +13 -0
data/lib/aws_recon/collectors/ec2.rb +34 -0
data/lib/aws_recon/collectors/ecr.rb +1 -1
data/lib/aws_recon/collectors/guardduty.rb +14 -1
data/lib/aws_recon/collectors/iam.rb +5 -5
data/lib/aws_recon/collectors/lambda.rb +4 -0
data/lib/aws_recon/collectors/organizations.rb +1 -1
data/lib/aws_recon/collectors/s3.rb +7 -1
data/lib/aws_recon/collectors/secretsmanager.rb +26 -0
data/lib/aws_recon/collectors/securityhub.rb +23 -0
data/lib/aws_recon/collectors/sns.rb +2 -0
data/lib/aws_recon/collectors/sqs.rb +1 -1
data/lib/aws_recon/collectors/ssm.rb +1 -1
data/lib/aws_recon/lib/patch.rb +10 -0
data/lib/aws_recon/services.yaml +8 -0
data/lib/aws_recon/version.rb +1 -1
data/readme.md +6 -2
metadata +7 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: af7cd78c7eed6c8f3c0679561e0c8831f5839545daa75b3579c670ad5ed342b5
-  data.tar.gz: 8eae0b3544a30f71e8fea38a00326bb4b40cd44bdfc38bf6e4f330fe2c96b7e0
+  metadata.gz: f284896f9397e44d7662775c85b1f4363bcbc284420a248bc936b80ddef6d5e8
+  data.tar.gz: 572b909d6d5bce44d908f70204e3d511cbfae1d5ed8574a99ffe0d7559f836b3
 SHA512:
-  metadata.gz: 746f85c95fa41ed06b63a95f16196d8fb04be14627d6121813f5ba0eefd4c5920f6ad3dc664ffb59e0d06fe6ce09232789aea81cf6dad73a96ea32272e66724e
-  data.tar.gz: 22a3823f86304c6dd28ec9ff02c78f1142571b53263ea055543fe353d95226856fef00e64975a5fd856b0f462bc60bf8206bd6f09ae034c32fa71608396a59e4
+  metadata.gz: dc68e292ca1d346e8313117d6f93ebe0587fdf61b735b445ec6b90bd6d4c5c4d2a0165f2a47d6bcf57cb046b7a8e1dee769120f0ff569fe613f3930afdad9dac
+  data.tar.gz: 3f67fa10f1286a1eb9f5d5a1d56bc2ccb6dc5b6a9e7a9324b991e1f468f2fd41000081d1aa9f20a723ae17471b3e3a41463bc870e8e94dcd6e21bfb02fdcb0e6

data/lib/aws_recon.rb CHANGED

@@ -3,6 +3,9 @@
 module AwsRecon
 end
+require 'aws_recon/lib/patch.rb'
+String.include PolicyStringParser
 require 'parallel'
 require 'ostruct'
 require 'optparse'

data/lib/aws_recon/collectors/applicationautoscaling.rb ADDED

@@ -0,0 +1,25 @@
+class ApplicationAutoScaling < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+    #
+    # DynamoDB auto-scaling policies
+    #
+    @client.describe_scaling_policies({ service_namespace: 'dynamodb' }).each_with_index do |response, page|
+      log(response.context.operation_name, page)
+      response.scaling_policies.each do |policy|
+        struct = OpenStruct.new(policy.to_h)
+        struct.type = 'auto_scaling_policy'
+        struct.arn = policy.policy_arn
+        resources.push(struct.to_h)
+      end
+    end
+    resources
+  end
+end

data/lib/aws_recon/collectors/backup.rb ADDED

@@ -0,0 +1,25 @@
+class Backup < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+    #
+    # list_backup_plans
+    #
+    @client.list_protected_resources.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+      response.results.each do |resource|
+        struct = OpenStruct.new(resource.to_h)
+        struct.type = 'protected_resource'
+        struct.arn = resource.resource_arn
+        resources.push(struct.to_h)
+      end
+    end
+    resources
+  end
+end

data/lib/aws_recon/collectors/dynamodb.rb CHANGED

@@ -5,6 +5,19 @@ class DynamoDB < Mapper
   def collect
     resources = []
+    #
+    # describe_limits
+    #
+    @client.describe_limits.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+      struct = OpenStruct.new(response)
+      struct.type = 'limits'
+      struct.arn = "arn:aws:dynamodb:#{@region}:#{@account}:limits"
+      resources.push(struct.to_h)
+    end
     #
     # list_tables
     #

data/lib/aws_recon/collectors/ec2.rb CHANGED

@@ -130,6 +130,21 @@ class EC2 < Mapper
         end
       end
+      #
+      # describe_network_acls
+      #
+      @client.describe_network_acls.each_with_index do |response, page|
+        log(response.context.operation_name, page)
+        response.network_acls.each do |network_acl|
+          struct = OpenStruct.new(network_acl.to_h)
+          struct.type = 'network_acl'
+          struct.arn = network_acl.network_acl_id # no true ARN
+          resources.push(struct.to_h)
+        end
+      end
       #
       # describe_subnets
       #
@@ -175,6 +190,21 @@ class EC2 < Mapper
         end
       end
+      #
+      # describe_internet_gateways
+      #
+      @client.describe_internet_gateways.each_with_index do |response, page|
+        log(response.context.operation_name, page)
+        response.internet_gateways.each do |gateway|
+          struct = OpenStruct.new(gateway.to_h)
+          struct.type = 'internet_gateway'
+          struct.arn = gateway.internet_gateway_id # no true ARN
+          resources.push(struct.to_h)
+        end
+      end
       #
       # describe_route_tables
       #
@@ -215,6 +245,10 @@ class EC2 < Mapper
           struct = OpenStruct.new(snapshot.to_h)
           struct.type = 'snapshot'
           struct.arn = snapshot.snapshot_id # no true ARN
+          struct.create_volume_permissions = @client.describe_snapshot_attribute({
+                                                                                   attribute: 'createVolumePermission',
+                                                                                   snapshot_id: snapshot.snapshot_id
+                                                                                 }).create_volume_permissions.map(&:to_h)
           resources.push(struct.to_h)
         end

data/lib/aws_recon/collectors/ecr.rb CHANGED

@@ -16,7 +16,7 @@ class ECR < Mapper
         struct.type = 'repository'
         struct.arn = repo.repository_arn
         struct.policy = @client
-                        .get_repository_policy({ repository_name: repo.repository_name }).to_h
+                        .get_repository_policy({ repository_name: repo.repository_name }).policy_text.parse_policy
       rescue Aws::ECR::Errors::ServiceError => e
         raise e unless suppressed_errors.include?(e.code)

data/lib/aws_recon/collectors/guardduty.rb CHANGED

@@ -21,8 +21,21 @@ class GuardDuty < Mapper
         struct.type = 'detector'
         struct.arn = "arn:aws:guardduty:#{@region}:detector/#{detector}"
+        # get_findings_statistics (only active findings)
+        struct.findings_statistics = @client.get_findings_statistics({
+                                                                       detector_id: detector,
+                                                                       finding_statistic_types: ['COUNT_BY_SEVERITY'],
+                                                                       finding_criteria: {
+                                                                         criterion: {
+                                                                           'service.archived': {
+                                                                             eq: ['false']
+                                                                           }
+                                                                         }
+                                                                       }
+                                                                     }).finding_statistics.to_h
         # get_master_account
-        struct.master_account = @client.get_master_account({ detector_id: detector }).to_h
+        struct.master_account = @client.get_master_account({ detector_id: detector }).master.to_h
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/iam.rb CHANGED

@@ -26,7 +26,7 @@ class IAM < Mapper
                                     user.user_policy_list.map do |p|
                                       {
                                         policy_name: p.policy_name,
-                                        policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                        policy_document: p.policy_document.parse_policy
                                       }
                                     end
                                   end
@@ -42,7 +42,7 @@ class IAM < Mapper
                                      group.group_policy_list.map do |p|
                                        {
                                          policy_name: p.policy_name,
-                                         policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                         policy_document: p.policy_document.parse_policy
                                        }
                                      end
                                     end
@@ -54,12 +54,12 @@ class IAM < Mapper
       response.role_detail_list.each do |role|
         struct = OpenStruct.new(role.to_h)
         struct.type = 'role'
-        struct.assume_role_policy_document = JSON.parse(CGI.unescape(role.assume_role_policy_document))
+        struct.assume_role_policy_document = role.assume_role_policy_document.parse_policy
         struct.role_policy_list = if role.role_policy_list
                                     role.role_policy_list.map do |p|
                                       {
                                         policy_name: p.policy_name,
-                                        policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                        policy_document: p.policy_document.parse_policy
                                       }
                                     end
                                   end
@@ -75,7 +75,7 @@ class IAM < Mapper
                                        policy.policy_version_list.map do |p|
                                          {
                                            version_id: p.version_id,
-                                           document: JSON.parse(CGI.unescape(p.document)),
+                                           document: p.document.parse_policy,
                                            is_default_version: p.is_default_version,
                                            create_date: p.create_date
                                          }

data/lib/aws_recon/collectors/lambda.rb CHANGED

@@ -12,7 +12,11 @@ class Lambda < Mapper
         struct = OpenStruct.new(function)
         struct.type = 'function'
         struct.arn = function.function_arn
+        struct.policy = @client.get_policy({ function_name: function.function_name }).policy.parse_policy
+      rescue Aws::Lambda::Errors::ResourceNotFoundException => e
+        log_error(e.code)
+      ensure
         resources.push(struct.to_h)
       end
     end

data/lib/aws_recon/collectors/organizations.rb CHANGED

@@ -40,7 +40,7 @@ class Organizations < Mapper
       response.policies.each do |policy|
         struct = OpenStruct.new(policy.to_h)
         struct.type = 'service_control_policy'
-        struct.content = JSON.parse(CGI.unescape(@client.describe_policy({ policy_id: policy.id }).policy.content))
+        struct.content = @client.describe_policy({ policy_id: policy.id }).policy.content.parse_policy
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/s3.rb CHANGED

@@ -29,16 +29,20 @@ class S3 < Mapper
         # to create a bucket, you must set the location_constraint
         # bucket parameter to the same region. (https://docs.aws.amazon.com/general/latest/gr/s3.html)
         client = if location.empty?
+                   struct.location = 'us-east-1'
                    @client
                  else
+                   struct.location = location
                    Aws::S3::Client.new({ region: location })
                  end
         operations = [
           { func: 'get_bucket_acl', key: 'acl', field: nil },
           { func: 'get_bucket_encryption', key: 'encryption', field: 'server_side_encryption_configuration' },
+          { func: 'get_bucket_replication', key: 'replication', field: 'replication_configuration' },
           { func: 'get_bucket_policy', key: 'policy', field: 'policy' },
           { func: 'get_bucket_policy_status', key: 'public', field: 'policy_status' },
+          { func: 'get_public_access_block', key: 'public_access_block', field: 'public_access_block_configuration' },
           { func: 'get_bucket_tagging', key: 'tagging', field: nil },
           { func: 'get_bucket_logging', key: 'logging', field: 'logging_enabled' },
           { func: 'get_bucket_versioning', key: 'versioning', field: nil },
@@ -51,7 +55,7 @@ class S3 < Mapper
           resp = client.send(op.func, { bucket: bucket.name })
           struct[op.key] = if op.key == 'policy'
-                             resp.policy.string
+                             resp.policy.string.parse_policy
                            else
                              op.field ? resp.send(op.field).to_h : resp.to_h
                            end
@@ -77,6 +81,8 @@ class S3 < Mapper
       NoSuchBucketPolicy
       NoSuchTagSet
       NoSuchWebsiteConfiguration
+      ReplicationConfigurationNotFoundError
+      NoSuchPublicAccessBlockConfiguration
     ]
   end
 end

data/lib/aws_recon/collectors/secretsmanager.rb ADDED

@@ -0,0 +1,26 @@
+class SecretsManager < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+    #
+    # describe_auto_scaling_groups
+    #
+    @client.list_secrets.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+      response.secret_list.each_with_index do |secret, i|
+        log(response.context.operation_name, i)
+        struct = OpenStruct.new(secret.to_h)
+        struct.type = 'secret'
+        resources.push(struct.to_h)
+      end
+    end
+    resources
+  end
+end

data/lib/aws_recon/collectors/securityhub.rb ADDED

@@ -0,0 +1,23 @@
+class SecurityHub < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+    #
+    # describe_hub
+    #
+    @client.describe_hub.each do |response|
+      log(response.context.operation_name)
+      struct = OpenStruct.new(response.to_h)
+      struct.type = 'hub'
+      struct.arn = response.hub_arn
+      resources.push(struct.to_h)
+    end
+    resources
+  end
+end

data/lib/aws_recon/collectors/sns.rb CHANGED

@@ -18,6 +18,8 @@ class SNS < Mapper
         struct = OpenStruct.new(@client.get_topic_attributes({ topic_arn: topic.topic_arn }).attributes.to_h)
         struct.type = 'topic'
         struct.arn = topic.topic_arn
+        struct.policy = struct.delete_field('Policy').parse_policy
+        struct.effective_delivery_policy = struct.delete_field('EffectiveDeliveryPolicy').parse_policy
         struct.subscriptions = []
         # list_subscriptions_by_topic

data/lib/aws_recon/collectors/sqs.rb CHANGED

@@ -18,7 +18,7 @@ class SQS < Mapper
         struct = OpenStruct.new(@client.get_queue_attributes({ queue_url: queue, attribute_names: ['All'] }).attributes.to_h)
         struct.type = 'queue'
         struct.arn = struct.QueueArn
-        struct.Policy = JSON.parse(CGI.unescape(struct.Policy))
+        struct.policy = struct.delete_field('Policy').parse_policy
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/ssm.rb CHANGED

@@ -30,7 +30,7 @@ class SSM < Mapper
         struct = OpenStruct.new(parameter.to_h)
         struct.string_type = parameter.type
         struct.type = 'parameter'
-        struct.arn = "arn:aws:#{@service}:#{@region}::parameter/#{parameter.name}"
+        struct.arn = "arn:aws:#{@service}:#{@region}::parameter:#{parameter.name}"
         resources.push(struct.to_h)
       end

data/lib/aws_recon/lib/patch.rb ADDED

@@ -0,0 +1,10 @@
+#
+# Parse and unescape AWS policy document string
+#
+module PolicyStringParser
+  def parse_policy
+    JSON.parse(CGI.unescape(self))
+  rescue StandardError
+    nil
+  end
+end

data/lib/aws_recon/services.yaml CHANGED

@@ -4,6 +4,10 @@
   alias: organizations
 - name: AccessAnalyzer
   alias: aa
+- name: ApplicationAutoScaling
+  alias: aas
+- name: Backup
+  alias: backup
 - name: ConfigService
   alias: config
 - name: CodeBuild
@@ -89,6 +93,10 @@
   alias: cloudwatchlogs
 - name: Kafka
   alias: kafka
+- name: SecretsManager
+  alias: sm
+- name: SecurityHub
+  alias: sh
 - name: Support
   global: true
   alias: support

data/lib/aws_recon/version.rb CHANGED

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.2.16"
+  VERSION = "0.2.21"
 end

data/readme.md CHANGED

@@ -1,5 +1,5 @@
-![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)
-[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
+[![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)](https://github.com/darkbitio/aws-recon/actions?query=branch%3Amain)
+[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://rubygems.org/gems/aws_recon)
 # AWS Recon
@@ -224,7 +224,9 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 - [x] AccessAnalyzer
 - [x] AdvancedShield
+- [x] ApplicationAutoScaling
 - [x] Athena
+- [x] Backup
 - [x] GuardDuty
 - [ ] Macie
 - [x] Systems Manager
@@ -269,6 +271,8 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 - [x] S3
 - [x] SageMaker
 - [x] SES
+- [x] SecretsManager
+- [x] SecurityHub
 - [x] ServiceQuotas
 - [x] Shield
 - [x] SNS

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.2.16
+  version: 0.2.21
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-18 00:00:00.000000000 Z
+date: 2020-11-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -184,8 +184,10 @@ files:
 - lib/aws_recon/collectors/acm.rb
 - lib/aws_recon/collectors/apigateway.rb
 - lib/aws_recon/collectors/apigatewayv2.rb
+- lib/aws_recon/collectors/applicationautoscaling.rb
 - lib/aws_recon/collectors/athena.rb
 - lib/aws_recon/collectors/autoscaling.rb
+- lib/aws_recon/collectors/backup.rb
 - lib/aws_recon/collectors/cloudformation.rb
 - lib/aws_recon/collectors/cloudfront.rb
 - lib/aws_recon/collectors/cloudtrail.rb
@@ -222,6 +224,8 @@ files:
 - lib/aws_recon/collectors/route53domains.rb
 - lib/aws_recon/collectors/s3.rb
 - lib/aws_recon/collectors/sagemaker.rb
+- lib/aws_recon/collectors/secretsmanager.rb
+- lib/aws_recon/collectors/securityhub.rb
 - lib/aws_recon/collectors/servicequotas.rb
 - lib/aws_recon/collectors/ses.rb
 - lib/aws_recon/collectors/shield.rb
@@ -235,6 +239,7 @@ files:
 - lib/aws_recon/collectors/xray.rb
 - lib/aws_recon/lib/formatter.rb
 - lib/aws_recon/lib/mapper.rb
+- lib/aws_recon/lib/patch.rb
 - lib/aws_recon/options.rb
 - lib/aws_recon/services.yaml
 - lib/aws_recon/version.rb