aws_recon 0.2.17 → 0.2.22

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 159d7d490c5b41da69cb442673e9f7786d1c357fa2468f5c921b25c9d4288601
-  data.tar.gz: cf0dd0209b158f601ed1c03238d6c5f3316ff53d140653ada4977dcbad6214b1
+  metadata.gz: 4a839969b01ed4fa02e233e6ad5a0f2ad6645459f2e714870abd296e7f214ed3
+  data.tar.gz: bb036b292e1575be7d13d1c2d037903f3bf923f7c5a61ebffbfff38fdea3cf91
 SHA512:
-  metadata.gz: e512e73eadfb67572ba726c652b174a2c819341afb29417b44d35faca7cf47def127df9f1dd01456e0f47cc5567f919f68940e72633f19051cdef544dbde83f6
-  data.tar.gz: bb31739580f8b14244a96319e8e952cf8ed51ee2bd1408a6942245ac4204ed5dae9dc1caa2a44ab83a36fdee9e21605a3c405b6b7f8c72884cb475577606e7c9
+  metadata.gz: 8114eda9813062479cd464d33a9fca5efb538a32aa255443262e30aee18b8141f986a5c53d5d0fdf0cc83a90554686e1bfea37e63fe708409c344858b7d15c2b
+  data.tar.gz: 8fa314c5aff5d87fe277031adedd407b88eb75879096a006e270c981dbd5f9641282752cf62f38b8d2393b9b9254490a871c2e0a0a940109b7ce75e938ed97b9

data/lib/aws_recon.rb

@@ -3,6 +3,9 @@
 module AwsRecon
 end
 
+require 'aws_recon/lib/patch.rb'
+String.include PolicyStringParser
+
 require 'parallel'
 require 'ostruct'
 require 'optparse'

data/lib/aws_recon/collectors/applicationautoscaling.rb

@@ -0,0 +1,25 @@
+class ApplicationAutoScaling < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # DynamoDB auto-scaling policies
+    #
+    @client.describe_scaling_policies({ service_namespace: 'dynamodb' }).each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      response.scaling_policies.each do |policy|
+        struct = OpenStruct.new(policy.to_h)
+        struct.type = 'auto_scaling_policy'
+        struct.arn = policy.policy_arn
+
+        resources.push(struct.to_h)
+      end
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/backup.rb

@@ -0,0 +1,25 @@
+class Backup < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # list_backup_plans
+    #
+    @client.list_protected_resources.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      response.results.each do |resource|
+        struct = OpenStruct.new(resource.to_h)
+        struct.type = 'protected_resource'
+        struct.arn = resource.resource_arn
+
+        resources.push(struct.to_h)
+      end
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/dynamodb.rb

@@ -5,6 +5,19 @@ class DynamoDB < Mapper
   def collect
     resources = []
 
+    #
+    # describe_limits
+    #
+    @client.describe_limits.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      struct = OpenStruct.new(response)
+      struct.type = 'limits'
+      struct.arn = "arn:aws:dynamodb:#{@region}:#{@account}:limits"
+
+      resources.push(struct.to_h)
+    end
+
     #
     # list_tables
     #
@@ -16,6 +29,7 @@ class DynamoDB < Mapper
         struct = OpenStruct.new(@client.describe_table({ table_name: table_name }).table.to_h)
         struct.type = 'table'
         struct.arn = struct.table_arn
+        struct.continuous_backups_description = @client.describe_continuous_backups({ table_name: table_name }).continuous_backups_description.to_h
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/ec2.rb

@@ -130,6 +130,21 @@ class EC2 < Mapper
         end
       end
 
+      #
+      # describe_network_acls
+      #
+      @client.describe_network_acls.each_with_index do |response, page|
+        log(response.context.operation_name, page)
+
+        response.network_acls.each do |network_acl|
+          struct = OpenStruct.new(network_acl.to_h)
+          struct.type = 'network_acl'
+          struct.arn = network_acl.network_acl_id # no true ARN
+
+          resources.push(struct.to_h)
+        end
+      end
+
       #
       # describe_subnets
       #
@@ -175,6 +190,21 @@ class EC2 < Mapper
         end
       end
 
+      #
+      # describe_internet_gateways
+      #
+      @client.describe_internet_gateways.each_with_index do |response, page|
+        log(response.context.operation_name, page)
+
+        response.internet_gateways.each do |gateway|
+          struct = OpenStruct.new(gateway.to_h)
+          struct.type = 'internet_gateway'
+          struct.arn = gateway.internet_gateway_id # no true ARN
+
+          resources.push(struct.to_h)
+        end
+      end
+
       #
       # describe_route_tables
       #

data/lib/aws_recon/collectors/ecr.rb

@@ -16,7 +16,7 @@ class ECR < Mapper
         struct.type = 'repository'
         struct.arn = repo.repository_arn
         struct.policy = @client
-                        .get_repository_policy({ repository_name: repo.repository_name }).to_h
+                        .get_repository_policy({ repository_name: repo.repository_name }).policy_text.parse_policy
 
       rescue Aws::ECR::Errors::ServiceError => e
         raise e unless suppressed_errors.include?(e.code)

data/lib/aws_recon/collectors/emr.rb

@@ -0,0 +1,39 @@
+class EMR < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # get_block_public_access_configuration
+    #
+    @client.get_block_public_access_configuration.each do |response|
+      log(response.context.operation_name)
+
+      struct = OpenStruct.new(response.block_public_access_configuration.to_h)
+      struct.type = 'configuration'
+
+      resources.push(struct.to_h)
+    end
+
+    #
+    # list_clusters
+    #
+    @client.list_clusters.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      response.clusters.each do |cluster|
+        log(response.context.operation_name, cluster.id)
+
+        struct = OpenStruct.new(@client.describe_cluster({ cluster_id: cluster.id }).cluster.to_h)
+        struct.type = 'cluster'
+        struct.arn = cluster.cluster_arn
+
+        resources.push(struct.to_h)
+      end
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/guardduty.rb

@@ -21,8 +21,21 @@ class GuardDuty < Mapper
         struct.type = 'detector'
         struct.arn = "arn:aws:guardduty:#{@region}:detector/#{detector}"
 
+        # get_findings_statistics (only active findings)
+        struct.findings_statistics = @client.get_findings_statistics({
+                                                                       detector_id: detector,
+                                                                       finding_statistic_types: ['COUNT_BY_SEVERITY'],
+                                                                       finding_criteria: {
+                                                                         criterion: {
+                                                                           'service.archived': {
+                                                                             eq: ['false']
+                                                                           }
+                                                                         }
+                                                                       }
+                                                                     }).finding_statistics.to_h
+
         # get_master_account
-        struct.master_account = @client.get_master_account({ detector_id: detector }).to_h
+        struct.master_account = @client.get_master_account({ detector_id: detector }).master.to_h
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/iam.rb

@@ -26,7 +26,7 @@ class IAM < Mapper
                                     user.user_policy_list.map do |p|
                                       {
                                         policy_name: p.policy_name,
-                                        policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                        policy_document: p.policy_document.parse_policy
                                       }
                                     end
                                   end
@@ -42,7 +42,7 @@ class IAM < Mapper
                                      group.group_policy_list.map do |p|
                                        {
                                          policy_name: p.policy_name,
-                                         policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                         policy_document: p.policy_document.parse_policy
                                        }
                                      end
                                     end
@@ -54,12 +54,12 @@ class IAM < Mapper
       response.role_detail_list.each do |role|
         struct = OpenStruct.new(role.to_h)
         struct.type = 'role'
-        struct.assume_role_policy_document = JSON.parse(CGI.unescape(role.assume_role_policy_document))
+        struct.assume_role_policy_document = role.assume_role_policy_document.parse_policy
         struct.role_policy_list = if role.role_policy_list
                                     role.role_policy_list.map do |p|
                                       {
                                         policy_name: p.policy_name,
-                                        policy_document: JSON.parse(CGI.unescape(p.policy_document))
+                                        policy_document: p.policy_document.parse_policy
                                       }
                                     end
                                   end
@@ -75,7 +75,7 @@ class IAM < Mapper
                                        policy.policy_version_list.map do |p|
                                          {
                                            version_id: p.version_id,
-                                           document: JSON.parse(CGI.unescape(p.document)),
+                                           document: p.document.parse_policy,
                                            is_default_version: p.is_default_version,
                                            create_date: p.create_date
                                          }

data/lib/aws_recon/collectors/lambda.rb

@@ -12,7 +12,11 @@ class Lambda < Mapper
         struct = OpenStruct.new(function)
         struct.type = 'function'
         struct.arn = function.function_arn
+        struct.policy = @client.get_policy({ function_name: function.function_name }).policy.parse_policy
 
+      rescue Aws::Lambda::Errors::ResourceNotFoundException => e
+        log_error(e.code)
+      ensure
         resources.push(struct.to_h)
       end
     end

data/lib/aws_recon/collectors/organizations.rb

@@ -40,7 +40,7 @@ class Organizations < Mapper
       response.policies.each do |policy|
         struct = OpenStruct.new(policy.to_h)
         struct.type = 'service_control_policy'
-        struct.content = JSON.parse(CGI.unescape(@client.describe_policy({ policy_id: policy.id }).policy.content))
+        struct.content = @client.describe_policy({ policy_id: policy.id }).policy.content.parse_policy
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/s3.rb

@@ -29,16 +29,20 @@ class S3 < Mapper
         # to create a bucket, you must set the location_constraint
         # bucket parameter to the same region. (https://docs.aws.amazon.com/general/latest/gr/s3.html)
         client = if location.empty?
+                   struct.location = 'us-east-1'
                    @client
                  else
+                   struct.location = location
                    Aws::S3::Client.new({ region: location })
                  end
 
         operations = [
           { func: 'get_bucket_acl', key: 'acl', field: nil },
           { func: 'get_bucket_encryption', key: 'encryption', field: 'server_side_encryption_configuration' },
+          { func: 'get_bucket_replication', key: 'replication', field: 'replication_configuration' },
           { func: 'get_bucket_policy', key: 'policy', field: 'policy' },
           { func: 'get_bucket_policy_status', key: 'public', field: 'policy_status' },
+          { func: 'get_public_access_block', key: 'public_access_block', field: 'public_access_block_configuration' },
           { func: 'get_bucket_tagging', key: 'tagging', field: nil },
           { func: 'get_bucket_logging', key: 'logging', field: 'logging_enabled' },
           { func: 'get_bucket_versioning', key: 'versioning', field: nil },
@@ -51,7 +55,7 @@ class S3 < Mapper
           resp = client.send(op.func, { bucket: bucket.name })
 
           struct[op.key] = if op.key == 'policy'
-                             resp.policy.string
+                             resp.policy.string.parse_policy
                            else
                              op.field ? resp.send(op.field).to_h : resp.to_h
                            end
@@ -77,6 +81,8 @@ class S3 < Mapper
       NoSuchBucketPolicy
       NoSuchTagSet
       NoSuchWebsiteConfiguration
+      ReplicationConfigurationNotFoundError
+      NoSuchPublicAccessBlockConfiguration
     ]
   end
 end

data/lib/aws_recon/collectors/secretsmanager.rb

@@ -0,0 +1,26 @@
+class SecretsManager < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # describe_auto_scaling_groups
+    #
+    @client.list_secrets.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      response.secret_list.each_with_index do |secret, i|
+        log(response.context.operation_name, i)
+
+        struct = OpenStruct.new(secret.to_h)
+        struct.type = 'secret'
+
+        resources.push(struct.to_h)
+      end
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/securityhub.rb

@@ -0,0 +1,23 @@
+class SecurityHub < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # describe_hub
+    #
+    @client.describe_hub.each do |response|
+      log(response.context.operation_name)
+
+      struct = OpenStruct.new(response.to_h)
+      struct.type = 'hub'
+      struct.arn = response.hub_arn
+
+      resources.push(struct.to_h)
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/sns.rb

@@ -18,6 +18,8 @@ class SNS < Mapper
         struct = OpenStruct.new(@client.get_topic_attributes({ topic_arn: topic.topic_arn }).attributes.to_h)
         struct.type = 'topic'
         struct.arn = topic.topic_arn
+        struct.policy = struct.delete_field('Policy').parse_policy
+        struct.effective_delivery_policy = struct.delete_field('EffectiveDeliveryPolicy').parse_policy
         struct.subscriptions = []
 
         # list_subscriptions_by_topic

data/lib/aws_recon/collectors/sqs.rb

@@ -18,7 +18,7 @@ class SQS < Mapper
         struct = OpenStruct.new(@client.get_queue_attributes({ queue_url: queue, attribute_names: ['All'] }).attributes.to_h)
         struct.type = 'queue'
         struct.arn = struct.QueueArn
-        struct.Policy = JSON.parse(CGI.unescape(struct.Policy))
+        struct.policy = struct.delete_field('Policy').parse_policy
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/ssm.rb

@@ -30,7 +30,7 @@ class SSM < Mapper
         struct = OpenStruct.new(parameter.to_h)
         struct.string_type = parameter.type
         struct.type = 'parameter'
-        struct.arn = "arn:aws:#{@service}:#{@region}::parameter/#{parameter.name}"
+        struct.arn = "arn:aws:#{@service}:#{@region}::parameter:#{parameter.name}"
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/lib/patch.rb

@@ -0,0 +1,10 @@
+#
+# Parse and unescape AWS policy document string
+#
+module PolicyStringParser
+  def parse_policy
+    JSON.parse(CGI.unescape(self))
+  rescue StandardError
+    nil
+  end
+end

data/lib/aws_recon/services.yaml

@@ -4,6 +4,10 @@
   alias: organizations
 - name: AccessAnalyzer
   alias: aa
+- name: ApplicationAutoScaling
+  alias: aas
+- name: Backup
+  alias: backup
 - name: ConfigService
   alias: config
 - name: CodeBuild
@@ -35,6 +39,8 @@
     - ap-southeast-1
 - name: ElastiCache
   alias: elasticache
+- name: EMR
+  alias: emr
 - name: IAM
   global: true
   alias: iam
@@ -89,6 +95,10 @@
   alias: cloudwatchlogs
 - name: Kafka
   alias: kafka
+- name: SecretsManager
+  alias: sm
+- name: SecurityHub
+  alias: sh
 - name: Support
   global: true
   alias: support

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.2.17"
+  VERSION = "0.2.22"
 end

data/readme.md

@@ -1,5 +1,5 @@
 [![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)](https://github.com/darkbitio/aws-recon/actions?query=branch%3Amain)
-[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
+[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://rubygems.org/gems/aws_recon)
 
 # AWS Recon
 
@@ -224,7 +224,9 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 
 - [x] AccessAnalyzer
 - [x] AdvancedShield
+- [x] ApplicationAutoScaling
 - [x] Athena
+- [x] Backup
 - [x] GuardDuty
 - [ ] Macie
 - [x] Systems Manager
@@ -248,8 +250,9 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 - [x] ECR
 - [x] ECS
 - [x] EFS
-- [x] ELB
 - [x] EKS
+- [x] ELB
+- [x] EMR
 - [x] Elasticsearch
 - [x] ElastiCache
 - [x] Firehose
@@ -269,6 +272,8 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 - [x] S3
 - [x] SageMaker
 - [x] SES
+- [x] SecretsManager
+- [x] SecurityHub
 - [x] ServiceQuotas
 - [x] Shield
 - [x] SNS

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.2.17
+  version: 0.2.22
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-24 00:00:00.000000000 Z
+date: 2020-11-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -184,8 +184,10 @@ files:
 - lib/aws_recon/collectors/acm.rb
 - lib/aws_recon/collectors/apigateway.rb
 - lib/aws_recon/collectors/apigatewayv2.rb
+- lib/aws_recon/collectors/applicationautoscaling.rb
 - lib/aws_recon/collectors/athena.rb
 - lib/aws_recon/collectors/autoscaling.rb
+- lib/aws_recon/collectors/backup.rb
 - lib/aws_recon/collectors/cloudformation.rb
 - lib/aws_recon/collectors/cloudfront.rb
 - lib/aws_recon/collectors/cloudtrail.rb
@@ -207,6 +209,7 @@ files:
 - lib/aws_recon/collectors/elasticloadbalancing.rb
 - lib/aws_recon/collectors/elasticloadbalancingv2.rb
 - lib/aws_recon/collectors/elasticsearch.rb
+- lib/aws_recon/collectors/emr.rb
 - lib/aws_recon/collectors/firehose.rb
 - lib/aws_recon/collectors/guardduty.rb
 - lib/aws_recon/collectors/iam.rb
@@ -222,6 +225,8 @@ files:
 - lib/aws_recon/collectors/route53domains.rb
 - lib/aws_recon/collectors/s3.rb
 - lib/aws_recon/collectors/sagemaker.rb
+- lib/aws_recon/collectors/secretsmanager.rb
+- lib/aws_recon/collectors/securityhub.rb
 - lib/aws_recon/collectors/servicequotas.rb
 - lib/aws_recon/collectors/ses.rb
 - lib/aws_recon/collectors/shield.rb
@@ -235,6 +240,7 @@ files:
 - lib/aws_recon/collectors/xray.rb
 - lib/aws_recon/lib/formatter.rb
 - lib/aws_recon/lib/mapper.rb
+- lib/aws_recon/lib/patch.rb
 - lib/aws_recon/options.rb
 - lib/aws_recon/services.yaml
 - lib/aws_recon/version.rb