aws_recon 0.2.2 → 0.2.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 233f4b10a4360186449d4046d61bb0ae0e78511483e4dac27ae0dfee89a8ff04
-  data.tar.gz: 1cde6970d7f06cdfa0d52cefd9d931794c832cceeb98c7b8fe5e2f7aa5a447ab
+  metadata.gz: 5378dc5f65acecaf982ff59b6d4330561a03d3ed68b8ec56051126e64dff9b09
+  data.tar.gz: d4c1c151b7a96c66e0bf541fc198f479622d06ced30f1197dd912afd965122fd
 SHA512:
-  metadata.gz: 38ee33272bf5980f4c4e5a764790e29222febaf435bab4c7a7b478a688b07211432a281b762ec94565d052be2f7496a45b028b501f1c741446b06a87da75611f
-  data.tar.gz: 5691d204c31c2423e92c86bcb05b27406c95285ef5777d1f5225496750aae35a6642c52f3b4b92ac36859c05692bced6c0968f11d41ee12a43ed628a98f74afc
+  metadata.gz: 65bfec760bd658d331a505d9faa37c3bf5c27b6e36d6b963c962ae963fa7da738e7ba4b2d48f584c94b70fba6d1ce441de3c4e23a594fb0d81e0cb59066c8b07
+  data.tar.gz: cf33e89b9faf71b70dbf555e14d2bbf8190fbc81aa8c2504f43e5773dc614fc3a5a2b086360d02491ffdf626abf8a91e3bcdf019e6f54637aafe36ec9f0caf83

data/.github/stale.yml

@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 30
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 5
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

data/.gitignore

@@ -1,5 +1,6 @@
 .DS_Store
 *.json
+Gemfile.lock
 .rvmrc
 .ruby-gemset
 .ruby-version

data/aws_recon.gemspec

@@ -7,10 +7,10 @@ require 'aws_recon/version'
 Gem::Specification.new do |spec|
   spec.name          = 'aws_recon'
   spec.version       = AwsRecon::VERSION
-  spec.authors       = ['Josh Larsen']
+  spec.authors       = ['Josh Larsen', 'Darkbit']
   spec.required_ruby_version = '>= 2.5.0'
-  spec.summary       = 'A multi-threaded AWS inventory collection tool.'
-  spec.description   = spec.summary
+  spec.summary       = 'A multi-threaded AWS inventory collection cli tool.'
+  spec.description   = 'AWS Recon is a command line tool to collect resources from an Amazon Web Services (AWS) account. The tool outputs JSON suitable for processing with other tools.'
   spec.homepage      = 'https://github.com/darkbitio/aws-recon'
   spec.license       = 'MIT'
 
@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency 'bundler', '~> 1.17'
   spec.add_development_dependency 'gem-release', '~> 2.1'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rake', '~> 12.3'
   spec.add_development_dependency 'minitest', '~> 5.0'
   spec.add_development_dependency 'solargraph', '~> 0.39.11'
   spec.add_development_dependency 'rubocop', '~> 0.87.1'

data/bin/aws_recon

@@ -1,5 +1,8 @@
 #!/usr/bin/env ruby
 
+# for local testing
+$LOAD_PATH.unshift(File.expand_path(File.join('..', '..', 'lib'), __FILE__))
+
 require 'aws_recon'
 
 AwsRecon::CLI.new.start(ARGV)

data/lib/aws_recon.rb

@@ -12,7 +12,7 @@ require 'aws-sdk'
 require 'aws_recon/options.rb'
 require 'aws_recon/lib/mapper.rb'
 require 'aws_recon/lib/formatter.rb'
-require 'aws_recon/collectors/collectors.rb'
+require 'aws_recon/collectors.rb'
 
 require 'aws_recon/version'
 require 'aws_recon/aws_recon'

data/lib/aws_recon/aws_recon.rb

@@ -88,7 +88,7 @@ module AwsRecon
       @regions.filter { |x| x != 'global' }.each do |region|
         Parallel.map(@aws_services.map { |x| OpenStruct.new(x) }.filter { |s| !s.global }.each, in_threads: @options.threads) do |service|
           # some services aren't available in some regions
-          skip_region = @service&.excluded_regions&.include?(region)
+          skip_region = service&.excluded_regions&.include?(region)
 
           # user included this region in the args
           next unless @regions.include?(region) && !skip_region

data/lib/aws_recon/collectors.rb

@@ -0,0 +1,2 @@
+# require all collectors
+Dir[File.join(__dir__, 'collectors', '*.rb')].each { |file| require file }

data/lib/aws_recon/collectors/ec2.rb

@@ -48,6 +48,23 @@ class EC2 < Mapper
             struct.arn = instance.instance_id # no true ARN
             struct.reservation_id = reservation.reservation_id
 
+            # collect instance user_data
+            if @options.collect_user_data
+              user_data_raw = @client.describe_instance_attribute({
+                                                                    attribute: 'userData',
+                                                                    instance_id: instance.instance_id
+                                                                  }).user_data.to_h[:value]
+
+              # don't save non-string user_data
+              if user_data_raw
+                user_data = Base64.decode64(user_data_raw)
+
+                if user_data.force_encoding('UTF-8').ascii_only?
+                  struct.user_data = user_data
+                end
+              end
+            end
+
             resources.push(struct.to_h)
           end
         end

data/lib/aws_recon/collectors/elasticache.rb

@@ -0,0 +1,22 @@
+class ElastiCache < Mapper
+  def collect
+    resources = []
+
+    #
+    # describe_cache_clusters
+    #
+    @client.describe_cache_clusters.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      response.cache_clusters.each do |cluster|
+        struct = OpenStruct.new(cluster.to_h)
+        struct.type = 'cluster'
+        struct.arn = cluster.arn
+
+        resources.push(struct.to_h)
+      end
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/lambda.rb

@@ -1,6 +1,5 @@
 class Lambda < Mapper
   def collect
-    service = self.class.to_s.downcase
     resources = []
 
     #

data/lib/aws_recon/collectors/s3.rb

@@ -15,8 +15,6 @@ class S3 < Mapper
       log(response.context.operation_name, page)
 
       Parallel.map(response.buckets.each, in_threads: @options.threads) do |bucket|
-        # use shared client instance
-        client = @client
         @thread = Parallel.worker_number
         log(response.context.operation_name, bucket.name)
 
@@ -27,10 +25,14 @@ class S3 < Mapper
         # check bucket region constraint
         location = @client.get_bucket_location({ bucket: bucket.name }).location_constraint
 
-        # reset client if needed
-        unless location.empty?
-          client = Aws::S3::Client.new({ region: location })
-        end
+        # if you use a region other than the us-east-1 endpoint
+        # to create a bucket, you must set the location_constraint
+        # bucket parameter to the same region. (https://docs.aws.amazon.com/general/latest/gr/s3.html)
+        client = if location.empty?
+                   @client
+                 else
+                   Aws::S3::Client.new({ region: location })
+                 end
 
         operations = [
           { func: 'get_bucket_acl', key: 'acl', field: nil },

data/lib/aws_recon/lib/mapper.rb

@@ -15,6 +15,13 @@
 # to add 5 seconds delay on each retry for a total max of 55 seconds.
 #
 class Mapper
+  # Services that use us-east-1 endpoint only:
+  #   Organizations
+  #   Route53Domains
+  #   Shield
+  #   S3 (unless the bucket was created in another region)
+  SINGLE_REGION_SERVICES = %w[route53domains s3 shield support organizations].freeze
+
   def initialize(service, region, options)
     @service = service
     @region = region
@@ -39,8 +46,8 @@ class Mapper
     # regional service
     client_options.merge!({ region: region }) unless region == 'global'
 
-    # organizations only uses us-east-1 in non cn/gov regions
-    client_options.merge!({ region: 'us-east-1' }) if service.downcase == 'organizations' # rubocop:disable Layout/LineLength
+    # single region services
+    client_options.merge!({ region: 'us-east-1' }) if SINGLE_REGION_SERVICES.include?(service.downcase) # rubocop:disable Layout/LineLength
 
     # debug with wire trace
     client_options.merge!({ http_wire_trace: true }) if @options.debug

data/lib/aws_recon/options.rb

@@ -15,6 +15,7 @@ class Parser
     :output_file,
     :output_format,
     :threads,
+    :collect_user_data,
     :skip_slow,
     :stream_output,
     :verbose,
@@ -43,11 +44,12 @@ class Parser
       false,
       false,
       false,
+      false,
       false
     )
 
     opt_parser = OptionParser.new do |opts|
-      opts.banner = "\n\x1b[32mAWS Recon\x1b[0m - AWS Inventory Collector\n\nUsage: aws_recon [options]"
+      opts.banner = "\n\x1b[32mAWS Recon\x1b[0m - AWS Inventory Collector (#{AwsRecon::VERSION})\n\nUsage: aws_recon [options]"
 
       # regions
       opts.on('-r', '--regions [REGIONS]', 'Regions to scan, separated by comma (default: all)') do |regions|
@@ -103,6 +105,11 @@ class Parser
         end
       end
 
+      # collect EC2 instance user data
+      opts.on('-u', '--user-data', 'Collect EC2 instance user data (default: false)') do
+        args.collect_user_data = true
+      end
+
       # skip slow operations
       opts.on('-z', '--skip-slow', 'Skip slow operations (default: false)') do
         args.skip_slow = true

data/lib/aws_recon/services.yaml

@@ -21,8 +21,6 @@
   alias: ec2
 - name: EKS
   alias: eks
-  excluded_regions:
-    - us-west-1
 - name: ECS
   alias: ecs
 - name: ElasticLoadBalancing
@@ -33,6 +31,8 @@
   alias: elbv2
   excluded_regions:
     - ap-southeast-1
+- name: ElastiCache
+  alias: elasticache
 - name: IAM
   global: true
   alias: iam

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.2.2"
+  VERSION = "0.2.7"
 end

data/readme.md

@@ -1,3 +1,5 @@
+[![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
+
 # AWS Recon
 
 A multi-threaded AWS inventory collection tool.
@@ -24,17 +26,30 @@ Ruby 2.5.x or 2.6.x (developed and tested with 2.6.5)
 
 ### Installation
 
-Clone this repository, then install the required gems using `bundle`:
+Install the gem:
 
 ```
-$ git clone git@github.com:darkbitio/aws-recon.git
-$ cd aws-recon
-$ bundle
+$ gem install aws_recon
+Fetching aws_recon-0.2.7.gem
+Fetching aws-sdk-resources-3.76.0.gem
+Fetching aws-sdk-3.0.1.gem
+Fetching parallel-1.19.2.gem
 ...
-Using aws-sdk-core 3.103.0
+Successfully installed aws-sdk-3.0.1
+Successfully installed parallel-1.19.2
+Successfully installed aws_recon-0.2.7
+```
+
+Or add it to your Gemfile using `bundle`:
+
+```
+$ bundle add aws_recon
+Fetching gem metadata from https://rubygems.org/
+Resolving dependencies...
 ...
-Bundle complete! 5 Gemfile dependencies, 259 gems now installed.
-Use `bundle info [gemname]` to see where a bundled gem is installed.
+Using aws-sdk 3.0.1
+Using parallel 1.19.2
+Using aws_recon 0.2.2
 ```
 
 ## Usage
@@ -42,13 +57,13 @@ Use `bundle info [gemname]` to see where a bundled gem is installed.
 AWS Recon will leverage any AWS credentials currently available to the environment it runs in. If you are collecting from multiple accounts, you may want to leverage something like [aws-vault](https://github.com/99designs/aws-vault) to manage different credentials. 
 
 ```
-$ aws-vault exec profile -- ./recon.rb
+$ aws-vault exec profile -- aws_recon
 ```
 
 Plain environment variables will work fine too.
 
 ```
-$ AWS_PROFILE=<profile> ./recon.rb
+$ AWS_PROFILE=<profile> aws_recon
 ```
 
 You may want to use the `-v` or `--verbose` flag initially to see status and activity while collection is running. 
@@ -62,7 +77,7 @@ In verbose mode, the console output will show:
 The `t` prefix indicates which thread a particular request is running under. Region, service, and operation indicate which request operation is currently in progress and where.
 
 ```
-$ ./recon.rb -v
+$ aws_recon -v
 
 t0.global.EC2.describe_account_attributes
 t2.global.S3.list_buckets
@@ -87,11 +102,11 @@ Finished in 46 seconds. Saving resources to output.json.
 #### Example command line options
 
 ```
-$ AWS_PROFILE=<profile> ./recon.rb -s S3,EC2 -r global,us-east-1,us-east-2
+$ AWS_PROFILE=<profile> aws_recon -s S3,EC2 -r global,us-east-1,us-east-2
 ```
 
 ```
-$ AWS_PROFILE=<profile> ./recon.rb --services S3,EC2 --regions global,us-east-1,us-east-2
+$ AWS_PROFILE=<profile> aws_recon --services S3,EC2 --regions global,us-east-1,us-east-2
 ```
 
 #### Errors
@@ -118,11 +133,11 @@ For regional services, a thread (up to the thread limit) is spawned for each ser
 Most users will want to limit collection to relevant services and regions. Running without any options will attempt to collect all resources from all 16 regular regions.
 
 ```
-$ ./recon.rb -h
+$ aws_recon -h
 
-AWS Recon - AWS Inventory Collector
+AWS Recon - AWS Inventory Collector (0.2.7)
 
-Usage: ./recon.rb [options]
+Usage: aws_recon [options]
     -r, --regions [REGIONS]          Regions to scan, separated by comma (default: all)
     -n, --not-regions [REGIONS]      Regions to skip, separated by comma (default: none)
     -s, --services [SERVICES]        Services to scan, separated by comma (default: all)
@@ -131,6 +146,7 @@ Usage: ./recon.rb [options]
     -o, --output [OUTPUT]            Specify output file (default: output.json)
     -f, --format [FORMAT]            Specify output format (default: aws)
     -t, --threads [THREADS]          Specify max threads (default: 8, max: 128)
+    -u, --user-data                  Collect EC2 instance user data (default: false)
     -z, --skip-slow                  Skip slow operations (default: false)
     -j, --stream-output              Stream JSON lines to stdout (default: false)
     -v, --verbose                    Output client progress and current operation
@@ -178,6 +194,7 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 - [x] ELB
 - [x] EKS
 - [x] Elasticsearch
+- [x] ElastiCache
 - [x] Firehose
 - [ ] FMS
 - [ ] Glacier
@@ -210,10 +227,29 @@ AWS Recon aims to collect all resources and metadata that are relevant in determ
 
 One of the primary motivations for AWS Recon was to build a tool that is easy to maintain and extend. If you feel like coverage could be improved for a particular service, we would welcome PRs to that effect. Anyone with a moderate familiarity with Ruby will be able to mimic the pattern used by the existing collectors to query a specific service and add the results to the resource collection.
 
+### Development
+
+Clone this repository:
+
+```
+$ git clone git@github.com:darkbitio/aws-recon.git
+$ cd aws-recon
+```
+
+Create a sticky gemset if using RVM:
+
+```
+$ rvm use 2.6.5@aws_recon_dev --create --ruby-version
+```
+
+Run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
 ### TODO
 
 - [ ] Optionally suppress AWS API errors instead of re-raising them
-- [ ] Package as a gem
+- [x] Package as a gem
 - [ ] Test coverage with AWS SDK stubbed resources
 
 

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.7
 platform: ruby
 authors:
 - Josh Larsen
+- Darkbit
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-08-10 00:00:00.000000000 Z
+date: 2020-09-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -72,14 +73,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -136,7 +137,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.13.1
-description: A multi-threaded AWS inventory collection tool.
+description: AWS Recon is a command line tool to collect resources from an Amazon
+  Web Services (AWS) account. The tool outputs JSON suitable for processing with other
+  tools.
 email:
 executables:
 - aws_recon
@@ -145,13 +148,11 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/stale.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".ruby-gemset"
-- ".ruby-version"
 - ".travis.yml"
 - Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - Rakefile
 - aws_recon.gemspec
@@ -160,6 +161,7 @@ files:
 - bin/setup
 - lib/aws_recon.rb
 - lib/aws_recon/aws_recon.rb
+- lib/aws_recon/collectors.rb
 - lib/aws_recon/collectors/acm.rb
 - lib/aws_recon/collectors/apigateway.rb
 - lib/aws_recon/collectors/apigatewayv2.rb
@@ -172,7 +174,6 @@ files:
 - lib/aws_recon/collectors/cloudwatchlogs.rb
 - lib/aws_recon/collectors/codebuild.rb
 - lib/aws_recon/collectors/codepipeline.rb
-- lib/aws_recon/collectors/collectors.rb
 - lib/aws_recon/collectors/configservice.rb
 - lib/aws_recon/collectors/directconnect.rb
 - lib/aws_recon/collectors/directyservice.rb
@@ -183,6 +184,7 @@ files:
 - lib/aws_recon/collectors/ecs.rb
 - lib/aws_recon/collectors/efs.rb
 - lib/aws_recon/collectors/eks.rb
+- lib/aws_recon/collectors/elasticache.rb
 - lib/aws_recon/collectors/elasticloadbalancing.rb
 - lib/aws_recon/collectors/elasticloadbalancingv2.rb
 - lib/aws_recon/collectors/elasticsearch.rb
@@ -218,7 +220,6 @@ files:
 - lib/aws_recon/services.yaml
 - lib/aws_recon/version.rb
 - readme.md
-- readme_gem.md
 homepage: https://github.com/darkbitio/aws-recon
 licenses:
 - MIT
@@ -241,5 +242,5 @@ requirements: []
 rubygems_version: 3.0.8
 signing_key:
 specification_version: 4
-summary: A multi-threaded AWS inventory collection tool.
+summary: A multi-threaded AWS inventory collection cli tool.
 test_files: []