aws_recon 0.2.18 → 0.2.23
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/aws_recon/collectors/applicationautoscaling.rb +25 -0
- data/lib/aws_recon/collectors/backup.rb +25 -0
- data/lib/aws_recon/collectors/dynamodb.rb +14 -0
- data/lib/aws_recon/collectors/ec2.rb +15 -0
- data/lib/aws_recon/collectors/ecr.rb +1 -1
- data/lib/aws_recon/collectors/emr.rb +39 -0
- data/lib/aws_recon/collectors/guardduty.rb +14 -1
- data/lib/aws_recon/collectors/iam.rb +5 -5
- data/lib/aws_recon/collectors/organizations.rb +1 -1
- data/lib/aws_recon/collectors/redshift.rb +1 -0
- data/lib/aws_recon/collectors/s3.rb +1 -1
- data/lib/aws_recon/collectors/secretsmanager.rb +26 -0
- data/lib/aws_recon/collectors/securityhub.rb +23 -0
- data/lib/aws_recon/collectors/sns.rb +2 -2
- data/lib/aws_recon/collectors/sqs.rb +1 -1
- data/lib/aws_recon/services.yaml +10 -0
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +6 -1
- metadata +7 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 54fad8cccce80029ddf2ae72d7dc8bccb12677d1605f113c16416f2b9e897536
|
|
4
|
+
data.tar.gz: '02280cf3c096fa03d3b893a19ef444c14f891ab6f1694997ca76905a11290b29'
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cf30189b0f288c076d026104a1ce43775b9ae4704f842aa2d77d7166773a232716e85822392321fe958a74896a2ced3b0f0e36ffbfb82e2b4f5a98f33f17f660
|
|
7
|
+
data.tar.gz: e0990bc486ffaf659d84de6a23e8d214bb9327c81d8518810682107e1c9144b7d40f35d5a3addf61ce1b5b5b57f3a398898c83b81b6187aa9911b7650e5be5d2
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
class ApplicationAutoScaling < Mapper
|
|
2
|
+
#
|
|
3
|
+
# Returns an array of resources.
|
|
4
|
+
#
|
|
5
|
+
def collect
|
|
6
|
+
resources = []
|
|
7
|
+
|
|
8
|
+
#
|
|
9
|
+
# DynamoDB auto-scaling policies
|
|
10
|
+
#
|
|
11
|
+
@client.describe_scaling_policies({ service_namespace: 'dynamodb' }).each_with_index do |response, page|
|
|
12
|
+
log(response.context.operation_name, page)
|
|
13
|
+
|
|
14
|
+
response.scaling_policies.each do |policy|
|
|
15
|
+
struct = OpenStruct.new(policy.to_h)
|
|
16
|
+
struct.type = 'auto_scaling_policy'
|
|
17
|
+
struct.arn = policy.policy_arn
|
|
18
|
+
|
|
19
|
+
resources.push(struct.to_h)
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
resources
|
|
24
|
+
end
|
|
25
|
+
end
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
class Backup < Mapper
|
|
2
|
+
#
|
|
3
|
+
# Returns an array of resources.
|
|
4
|
+
#
|
|
5
|
+
def collect
|
|
6
|
+
resources = []
|
|
7
|
+
|
|
8
|
+
#
|
|
9
|
+
# list_backup_plans
|
|
10
|
+
#
|
|
11
|
+
@client.list_protected_resources.each_with_index do |response, page|
|
|
12
|
+
log(response.context.operation_name, page)
|
|
13
|
+
|
|
14
|
+
response.results.each do |resource|
|
|
15
|
+
struct = OpenStruct.new(resource.to_h)
|
|
16
|
+
struct.type = 'protected_resource'
|
|
17
|
+
struct.arn = resource.resource_arn
|
|
18
|
+
|
|
19
|
+
resources.push(struct.to_h)
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
resources
|
|
24
|
+
end
|
|
25
|
+
end
|
|
@@ -5,6 +5,19 @@ class DynamoDB < Mapper
|
|
|
5
5
|
def collect
|
|
6
6
|
resources = []
|
|
7
7
|
|
|
8
|
+
#
|
|
9
|
+
# describe_limits
|
|
10
|
+
#
|
|
11
|
+
@client.describe_limits.each_with_index do |response, page|
|
|
12
|
+
log(response.context.operation_name, page)
|
|
13
|
+
|
|
14
|
+
struct = OpenStruct.new(response)
|
|
15
|
+
struct.type = 'limits'
|
|
16
|
+
struct.arn = "arn:aws:dynamodb:#{@region}:#{@account}:limits"
|
|
17
|
+
|
|
18
|
+
resources.push(struct.to_h)
|
|
19
|
+
end
|
|
20
|
+
|
|
8
21
|
#
|
|
9
22
|
# list_tables
|
|
10
23
|
#
|
|
@@ -16,6 +29,7 @@ class DynamoDB < Mapper
|
|
|
16
29
|
struct = OpenStruct.new(@client.describe_table({ table_name: table_name }).table.to_h)
|
|
17
30
|
struct.type = 'table'
|
|
18
31
|
struct.arn = struct.table_arn
|
|
32
|
+
struct.continuous_backups_description = @client.describe_continuous_backups({ table_name: table_name }).continuous_backups_description.to_h
|
|
19
33
|
|
|
20
34
|
resources.push(struct.to_h)
|
|
21
35
|
end
|
|
@@ -130,6 +130,21 @@ class EC2 < Mapper
|
|
|
130
130
|
end
|
|
131
131
|
end
|
|
132
132
|
|
|
133
|
+
#
|
|
134
|
+
# describe_network_acls
|
|
135
|
+
#
|
|
136
|
+
@client.describe_network_acls.each_with_index do |response, page|
|
|
137
|
+
log(response.context.operation_name, page)
|
|
138
|
+
|
|
139
|
+
response.network_acls.each do |network_acl|
|
|
140
|
+
struct = OpenStruct.new(network_acl.to_h)
|
|
141
|
+
struct.type = 'network_acl'
|
|
142
|
+
struct.arn = network_acl.network_acl_id # no true ARN
|
|
143
|
+
|
|
144
|
+
resources.push(struct.to_h)
|
|
145
|
+
end
|
|
146
|
+
end
|
|
147
|
+
|
|
133
148
|
#
|
|
134
149
|
# describe_subnets
|
|
135
150
|
#
|
|
@@ -16,7 +16,7 @@ class ECR < Mapper
|
|
|
16
16
|
struct.type = 'repository'
|
|
17
17
|
struct.arn = repo.repository_arn
|
|
18
18
|
struct.policy = @client
|
|
19
|
-
.get_repository_policy({ repository_name: repo.repository_name }).
|
|
19
|
+
.get_repository_policy({ repository_name: repo.repository_name }).policy_text.parse_policy
|
|
20
20
|
|
|
21
21
|
rescue Aws::ECR::Errors::ServiceError => e
|
|
22
22
|
raise e unless suppressed_errors.include?(e.code)
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
class EMR < Mapper
|
|
2
|
+
#
|
|
3
|
+
# Returns an array of resources.
|
|
4
|
+
#
|
|
5
|
+
def collect
|
|
6
|
+
resources = []
|
|
7
|
+
|
|
8
|
+
#
|
|
9
|
+
# get_block_public_access_configuration
|
|
10
|
+
#
|
|
11
|
+
@client.get_block_public_access_configuration.each do |response|
|
|
12
|
+
log(response.context.operation_name)
|
|
13
|
+
|
|
14
|
+
struct = OpenStruct.new(response.block_public_access_configuration.to_h)
|
|
15
|
+
struct.type = 'configuration'
|
|
16
|
+
|
|
17
|
+
resources.push(struct.to_h)
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
#
|
|
21
|
+
# list_clusters
|
|
22
|
+
#
|
|
23
|
+
@client.list_clusters.each_with_index do |response, page|
|
|
24
|
+
log(response.context.operation_name, page)
|
|
25
|
+
|
|
26
|
+
response.clusters.each do |cluster|
|
|
27
|
+
log(response.context.operation_name, cluster.id)
|
|
28
|
+
|
|
29
|
+
struct = OpenStruct.new(@client.describe_cluster({ cluster_id: cluster.id }).cluster.to_h)
|
|
30
|
+
struct.type = 'cluster'
|
|
31
|
+
struct.arn = cluster.cluster_arn
|
|
32
|
+
|
|
33
|
+
resources.push(struct.to_h)
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
resources
|
|
38
|
+
end
|
|
39
|
+
end
|
|
@@ -21,8 +21,21 @@ class GuardDuty < Mapper
|
|
|
21
21
|
struct.type = 'detector'
|
|
22
22
|
struct.arn = "arn:aws:guardduty:#{@region}:detector/#{detector}"
|
|
23
23
|
|
|
24
|
+
# get_findings_statistics (only active findings)
|
|
25
|
+
struct.findings_statistics = @client.get_findings_statistics({
|
|
26
|
+
detector_id: detector,
|
|
27
|
+
finding_statistic_types: ['COUNT_BY_SEVERITY'],
|
|
28
|
+
finding_criteria: {
|
|
29
|
+
criterion: {
|
|
30
|
+
'service.archived': {
|
|
31
|
+
eq: ['false']
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
}).finding_statistics.to_h
|
|
36
|
+
|
|
24
37
|
# get_master_account
|
|
25
|
-
struct.master_account = @client.get_master_account({ detector_id: detector }).to_h
|
|
38
|
+
struct.master_account = @client.get_master_account({ detector_id: detector }).master.to_h
|
|
26
39
|
|
|
27
40
|
resources.push(struct.to_h)
|
|
28
41
|
end
|
|
@@ -26,7 +26,7 @@ class IAM < Mapper
|
|
|
26
26
|
user.user_policy_list.map do |p|
|
|
27
27
|
{
|
|
28
28
|
policy_name: p.policy_name,
|
|
29
|
-
policy_document:
|
|
29
|
+
policy_document: p.policy_document.parse_policy
|
|
30
30
|
}
|
|
31
31
|
end
|
|
32
32
|
end
|
|
@@ -42,7 +42,7 @@ class IAM < Mapper
|
|
|
42
42
|
group.group_policy_list.map do |p|
|
|
43
43
|
{
|
|
44
44
|
policy_name: p.policy_name,
|
|
45
|
-
policy_document:
|
|
45
|
+
policy_document: p.policy_document.parse_policy
|
|
46
46
|
}
|
|
47
47
|
end
|
|
48
48
|
end
|
|
@@ -54,12 +54,12 @@ class IAM < Mapper
|
|
|
54
54
|
response.role_detail_list.each do |role|
|
|
55
55
|
struct = OpenStruct.new(role.to_h)
|
|
56
56
|
struct.type = 'role'
|
|
57
|
-
struct.assume_role_policy_document =
|
|
57
|
+
struct.assume_role_policy_document = role.assume_role_policy_document.parse_policy
|
|
58
58
|
struct.role_policy_list = if role.role_policy_list
|
|
59
59
|
role.role_policy_list.map do |p|
|
|
60
60
|
{
|
|
61
61
|
policy_name: p.policy_name,
|
|
62
|
-
policy_document:
|
|
62
|
+
policy_document: p.policy_document.parse_policy
|
|
63
63
|
}
|
|
64
64
|
end
|
|
65
65
|
end
|
|
@@ -75,7 +75,7 @@ class IAM < Mapper
|
|
|
75
75
|
policy.policy_version_list.map do |p|
|
|
76
76
|
{
|
|
77
77
|
version_id: p.version_id,
|
|
78
|
-
document:
|
|
78
|
+
document: p.document.parse_policy,
|
|
79
79
|
is_default_version: p.is_default_version,
|
|
80
80
|
create_date: p.create_date
|
|
81
81
|
}
|
|
@@ -40,7 +40,7 @@ class Organizations < Mapper
|
|
|
40
40
|
response.policies.each do |policy|
|
|
41
41
|
struct = OpenStruct.new(policy.to_h)
|
|
42
42
|
struct.type = 'service_control_policy'
|
|
43
|
-
struct.content =
|
|
43
|
+
struct.content = @client.describe_policy({ policy_id: policy.id }).policy.content.parse_policy
|
|
44
44
|
|
|
45
45
|
resources.push(struct.to_h)
|
|
46
46
|
end
|
|
@@ -15,6 +15,7 @@ class Redshift < Mapper
|
|
|
15
15
|
struct = OpenStruct.new(cluster.to_h)
|
|
16
16
|
struct.type = 'cluster'
|
|
17
17
|
struct.arn = cluster.cluster_identifier
|
|
18
|
+
struct.logging_status = @client.describe_logging_status({ cluster_identifier: cluster.cluster_identifier }).to_h
|
|
18
19
|
|
|
19
20
|
resources.push(struct.to_h)
|
|
20
21
|
end
|
|
@@ -55,7 +55,7 @@ class S3 < Mapper
|
|
|
55
55
|
resp = client.send(op.func, { bucket: bucket.name })
|
|
56
56
|
|
|
57
57
|
struct[op.key] = if op.key == 'policy'
|
|
58
|
-
|
|
58
|
+
resp.policy.string.parse_policy
|
|
59
59
|
else
|
|
60
60
|
op.field ? resp.send(op.field).to_h : resp.to_h
|
|
61
61
|
end
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
class SecretsManager < Mapper
|
|
2
|
+
#
|
|
3
|
+
# Returns an array of resources.
|
|
4
|
+
#
|
|
5
|
+
def collect
|
|
6
|
+
resources = []
|
|
7
|
+
|
|
8
|
+
#
|
|
9
|
+
# describe_auto_scaling_groups
|
|
10
|
+
#
|
|
11
|
+
@client.list_secrets.each_with_index do |response, page|
|
|
12
|
+
log(response.context.operation_name, page)
|
|
13
|
+
|
|
14
|
+
response.secret_list.each_with_index do |secret, i|
|
|
15
|
+
log(response.context.operation_name, i)
|
|
16
|
+
|
|
17
|
+
struct = OpenStruct.new(secret.to_h)
|
|
18
|
+
struct.type = 'secret'
|
|
19
|
+
|
|
20
|
+
resources.push(struct.to_h)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
resources
|
|
25
|
+
end
|
|
26
|
+
end
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
class SecurityHub < Mapper
|
|
2
|
+
#
|
|
3
|
+
# Returns an array of resources.
|
|
4
|
+
#
|
|
5
|
+
def collect
|
|
6
|
+
resources = []
|
|
7
|
+
|
|
8
|
+
#
|
|
9
|
+
# describe_hub
|
|
10
|
+
#
|
|
11
|
+
@client.describe_hub.each do |response|
|
|
12
|
+
log(response.context.operation_name)
|
|
13
|
+
|
|
14
|
+
struct = OpenStruct.new(response.to_h)
|
|
15
|
+
struct.type = 'hub'
|
|
16
|
+
struct.arn = response.hub_arn
|
|
17
|
+
|
|
18
|
+
resources.push(struct.to_h)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
resources
|
|
22
|
+
end
|
|
23
|
+
end
|
|
@@ -18,8 +18,8 @@ class SNS < Mapper
|
|
|
18
18
|
struct = OpenStruct.new(@client.get_topic_attributes({ topic_arn: topic.topic_arn }).attributes.to_h)
|
|
19
19
|
struct.type = 'topic'
|
|
20
20
|
struct.arn = topic.topic_arn
|
|
21
|
-
struct.policy =
|
|
22
|
-
struct.effective_delivery_policy =
|
|
21
|
+
struct.policy = struct.delete_field('Policy').parse_policy
|
|
22
|
+
struct.effective_delivery_policy = struct.delete_field('EffectiveDeliveryPolicy').parse_policy
|
|
23
23
|
struct.subscriptions = []
|
|
24
24
|
|
|
25
25
|
# list_subscriptions_by_topic
|
|
@@ -18,7 +18,7 @@ class SQS < Mapper
|
|
|
18
18
|
struct = OpenStruct.new(@client.get_queue_attributes({ queue_url: queue, attribute_names: ['All'] }).attributes.to_h)
|
|
19
19
|
struct.type = 'queue'
|
|
20
20
|
struct.arn = struct.QueueArn
|
|
21
|
-
struct.policy =
|
|
21
|
+
struct.policy = struct.delete_field('Policy').parse_policy
|
|
22
22
|
|
|
23
23
|
resources.push(struct.to_h)
|
|
24
24
|
end
|
data/lib/aws_recon/services.yaml
CHANGED
|
@@ -4,6 +4,10 @@
|
|
|
4
4
|
alias: organizations
|
|
5
5
|
- name: AccessAnalyzer
|
|
6
6
|
alias: aa
|
|
7
|
+
- name: ApplicationAutoScaling
|
|
8
|
+
alias: aas
|
|
9
|
+
- name: Backup
|
|
10
|
+
alias: backup
|
|
7
11
|
- name: ConfigService
|
|
8
12
|
alias: config
|
|
9
13
|
- name: CodeBuild
|
|
@@ -35,6 +39,8 @@
|
|
|
35
39
|
- ap-southeast-1
|
|
36
40
|
- name: ElastiCache
|
|
37
41
|
alias: elasticache
|
|
42
|
+
- name: EMR
|
|
43
|
+
alias: emr
|
|
38
44
|
- name: IAM
|
|
39
45
|
global: true
|
|
40
46
|
alias: iam
|
|
@@ -89,6 +95,10 @@
|
|
|
89
95
|
alias: cloudwatchlogs
|
|
90
96
|
- name: Kafka
|
|
91
97
|
alias: kafka
|
|
98
|
+
- name: SecretsManager
|
|
99
|
+
alias: sm
|
|
100
|
+
- name: SecurityHub
|
|
101
|
+
alias: sh
|
|
92
102
|
- name: Support
|
|
93
103
|
global: true
|
|
94
104
|
alias: support
|
data/lib/aws_recon/version.rb
CHANGED
data/readme.md
CHANGED
|
@@ -224,7 +224,9 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
|
|
|
224
224
|
|
|
225
225
|
- [x] AccessAnalyzer
|
|
226
226
|
- [x] AdvancedShield
|
|
227
|
+
- [x] ApplicationAutoScaling
|
|
227
228
|
- [x] Athena
|
|
229
|
+
- [x] Backup
|
|
228
230
|
- [x] GuardDuty
|
|
229
231
|
- [ ] Macie
|
|
230
232
|
- [x] Systems Manager
|
|
@@ -248,8 +250,9 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
|
|
|
248
250
|
- [x] ECR
|
|
249
251
|
- [x] ECS
|
|
250
252
|
- [x] EFS
|
|
251
|
-
- [x] ELB
|
|
252
253
|
- [x] EKS
|
|
254
|
+
- [x] ELB
|
|
255
|
+
- [x] EMR
|
|
253
256
|
- [x] Elasticsearch
|
|
254
257
|
- [x] ElastiCache
|
|
255
258
|
- [x] Firehose
|
|
@@ -269,6 +272,8 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
|
|
|
269
272
|
- [x] S3
|
|
270
273
|
- [x] SageMaker
|
|
271
274
|
- [x] SES
|
|
275
|
+
- [x] SecretsManager
|
|
276
|
+
- [x] SecurityHub
|
|
272
277
|
- [x] ServiceQuotas
|
|
273
278
|
- [x] Shield
|
|
274
279
|
- [x] SNS
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws_recon
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.23
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Josh Larsen
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2020-11-
|
|
12
|
+
date: 2020-11-28 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: aws-sdk
|
|
@@ -184,8 +184,10 @@ files:
|
|
|
184
184
|
- lib/aws_recon/collectors/acm.rb
|
|
185
185
|
- lib/aws_recon/collectors/apigateway.rb
|
|
186
186
|
- lib/aws_recon/collectors/apigatewayv2.rb
|
|
187
|
+
- lib/aws_recon/collectors/applicationautoscaling.rb
|
|
187
188
|
- lib/aws_recon/collectors/athena.rb
|
|
188
189
|
- lib/aws_recon/collectors/autoscaling.rb
|
|
190
|
+
- lib/aws_recon/collectors/backup.rb
|
|
189
191
|
- lib/aws_recon/collectors/cloudformation.rb
|
|
190
192
|
- lib/aws_recon/collectors/cloudfront.rb
|
|
191
193
|
- lib/aws_recon/collectors/cloudtrail.rb
|
|
@@ -207,6 +209,7 @@ files:
|
|
|
207
209
|
- lib/aws_recon/collectors/elasticloadbalancing.rb
|
|
208
210
|
- lib/aws_recon/collectors/elasticloadbalancingv2.rb
|
|
209
211
|
- lib/aws_recon/collectors/elasticsearch.rb
|
|
212
|
+
- lib/aws_recon/collectors/emr.rb
|
|
210
213
|
- lib/aws_recon/collectors/firehose.rb
|
|
211
214
|
- lib/aws_recon/collectors/guardduty.rb
|
|
212
215
|
- lib/aws_recon/collectors/iam.rb
|
|
@@ -222,6 +225,8 @@ files:
|
|
|
222
225
|
- lib/aws_recon/collectors/route53domains.rb
|
|
223
226
|
- lib/aws_recon/collectors/s3.rb
|
|
224
227
|
- lib/aws_recon/collectors/sagemaker.rb
|
|
228
|
+
- lib/aws_recon/collectors/secretsmanager.rb
|
|
229
|
+
- lib/aws_recon/collectors/securityhub.rb
|
|
225
230
|
- lib/aws_recon/collectors/servicequotas.rb
|
|
226
231
|
- lib/aws_recon/collectors/ses.rb
|
|
227
232
|
- lib/aws_recon/collectors/shield.rb
|