aws_recon 0.2.24 → 0.2.25
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/aws_recon/collectors/codepipeline.rb +26 -9
- data/lib/aws_recon/collectors/ecr.rb +5 -1
- data/lib/aws_recon/collectors/iam.rb +8 -2
- data/lib/aws_recon/collectors/kms.rb +4 -1
- data/lib/aws_recon/collectors/organizations.rb +4 -1
- data/lib/aws_recon/collectors/rds.rb +2 -0
- data/lib/aws_recon/collectors/s3.rb +5 -1
- data/lib/aws_recon/collectors/securityhub.rb +4 -1
- data/lib/aws_recon/collectors/servicequotas.rb +4 -1
- data/lib/aws_recon/collectors/shield.rb +4 -1
- data/lib/aws_recon/collectors/support.rb +4 -1
- data/lib/aws_recon/options.rb +7 -0
- data/lib/aws_recon/services.yaml +23 -0
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +14 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8786af60d08967c2203b1f4417480b135ae32b9a40ec05810afc9c2ae126f49d
|
|
4
|
+
data.tar.gz: fbd4741002a54dc15f2b2716dee6e1b6efcec48edfdf3e101d9c7bcb19105a4e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2c11e60d61cf9fcf894b8e38cb136e934b03fd7e9ef1bd349ce27c41c9943e75cb146893d14374167d7f2eb73b40d97a901fbaebd6e6aee5ac93ef8095b1d0b4
|
|
7
|
+
data.tar.gz: 9510a49029fbc382fefc50ad8ae0de0351b6f8648a1044abbebdf695459ef5a4845014057618387549546876c10ea1eb09cba55f4692a0405f41b96810c0dce5
|
|
@@ -8,20 +8,37 @@ class CodePipeline < Mapper
|
|
|
8
8
|
#
|
|
9
9
|
# list_pipelines
|
|
10
10
|
#
|
|
11
|
-
|
|
12
|
-
|
|
11
|
+
begin
|
|
12
|
+
@client.list_pipelines.each_with_index do |response, page|
|
|
13
|
+
log(response.context.operation_name, page)
|
|
13
14
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
15
|
+
# get_pipeline
|
|
16
|
+
response.pipelines.each do |pipeline|
|
|
17
|
+
resp = @client.get_pipeline(name: pipeline.name)
|
|
18
|
+
struct = OpenStruct.new(resp.pipeline.to_h)
|
|
19
|
+
struct.type = 'pipeline'
|
|
20
|
+
struct.arn = resp.metadata.pipeline_arn
|
|
20
21
|
|
|
21
|
-
|
|
22
|
+
resources.push(struct.to_h)
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
rescue Aws::CodePipeline::Errors::ServiceError => e
|
|
26
|
+
log_error(e.code)
|
|
27
|
+
|
|
28
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
29
|
+
raise e
|
|
22
30
|
end
|
|
23
31
|
end
|
|
24
32
|
|
|
25
33
|
resources
|
|
26
34
|
end
|
|
35
|
+
|
|
36
|
+
private
|
|
37
|
+
|
|
38
|
+
# not an error
|
|
39
|
+
def suppressed_errors
|
|
40
|
+
%w[
|
|
41
|
+
AccessDeniedException
|
|
42
|
+
]
|
|
43
|
+
end
|
|
27
44
|
end
|
|
@@ -19,7 +19,11 @@ class ECR < Mapper
|
|
|
19
19
|
.get_repository_policy({ repository_name: repo.repository_name }).policy_text.parse_policy
|
|
20
20
|
|
|
21
21
|
rescue Aws::ECR::Errors::ServiceError => e
|
|
22
|
-
|
|
22
|
+
log_error(e.code)
|
|
23
|
+
|
|
24
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
25
|
+
raise e
|
|
26
|
+
end
|
|
23
27
|
ensure
|
|
24
28
|
resources.push(struct.to_h)
|
|
25
29
|
end
|
|
@@ -101,7 +101,10 @@ class IAM < Mapper
|
|
|
101
101
|
end
|
|
102
102
|
rescue Aws::IAM::Errors::ServiceError => e
|
|
103
103
|
log_error(e.code)
|
|
104
|
-
|
|
104
|
+
|
|
105
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
106
|
+
raise e
|
|
107
|
+
end
|
|
105
108
|
end
|
|
106
109
|
|
|
107
110
|
#
|
|
@@ -183,7 +186,10 @@ class IAM < Mapper
|
|
|
183
186
|
end
|
|
184
187
|
rescue Aws::IAM::Errors::ServiceError => e
|
|
185
188
|
log_error(e.code)
|
|
186
|
-
|
|
189
|
+
|
|
190
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
191
|
+
raise e
|
|
192
|
+
end
|
|
187
193
|
end
|
|
188
194
|
|
|
189
195
|
resources
|
|
@@ -29,7 +29,10 @@ class KMS < Mapper
|
|
|
29
29
|
.key_rotation_enabled
|
|
30
30
|
rescue Aws::KMS::Errors::ServiceError => e
|
|
31
31
|
log_error(e.code)
|
|
32
|
-
|
|
32
|
+
|
|
33
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
34
|
+
raise e
|
|
35
|
+
end
|
|
33
36
|
end
|
|
34
37
|
|
|
35
38
|
# list_grants
|
|
@@ -48,7 +48,10 @@ class Organizations < Mapper
|
|
|
48
48
|
end
|
|
49
49
|
rescue Aws::Organizations::Errors::ServiceError => e
|
|
50
50
|
log_error(e.code)
|
|
51
|
-
|
|
51
|
+
|
|
52
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
53
|
+
raise e
|
|
54
|
+
end
|
|
52
55
|
end
|
|
53
56
|
|
|
54
57
|
resources
|
|
@@ -61,7 +61,11 @@ class S3 < Mapper
|
|
|
61
61
|
end
|
|
62
62
|
|
|
63
63
|
rescue Aws::S3::Errors::ServiceError => e
|
|
64
|
-
|
|
64
|
+
log_error(e.code)
|
|
65
|
+
|
|
66
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
67
|
+
raise e
|
|
68
|
+
end
|
|
65
69
|
end
|
|
66
70
|
|
|
67
71
|
resources.push(struct.to_h)
|
|
@@ -20,7 +20,10 @@ class SecurityHub < Mapper
|
|
|
20
20
|
end
|
|
21
21
|
rescue Aws::SecurityHub::Errors::ServiceError => e
|
|
22
22
|
log_error(e.code)
|
|
23
|
-
|
|
23
|
+
|
|
24
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
25
|
+
raise e
|
|
26
|
+
end
|
|
24
27
|
end
|
|
25
28
|
|
|
26
29
|
resources
|
|
@@ -27,7 +27,10 @@ class ServiceQuotas < Mapper
|
|
|
27
27
|
end
|
|
28
28
|
rescue Aws::ServiceQuotas::Errors::ServiceError => e
|
|
29
29
|
log_error(e.code, service)
|
|
30
|
-
|
|
30
|
+
|
|
31
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
32
|
+
raise e
|
|
33
|
+
end
|
|
31
34
|
end
|
|
32
35
|
|
|
33
36
|
resources
|
|
@@ -51,7 +51,10 @@ class Shield < Mapper
|
|
|
51
51
|
resources
|
|
52
52
|
rescue Aws::Shield::Errors::ServiceError => e
|
|
53
53
|
log_error(e.code)
|
|
54
|
-
|
|
54
|
+
|
|
55
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
56
|
+
raise e
|
|
57
|
+
end
|
|
55
58
|
|
|
56
59
|
[] # no access or service isn't enabled
|
|
57
60
|
end
|
|
@@ -27,7 +27,10 @@ class Support < Mapper
|
|
|
27
27
|
resources
|
|
28
28
|
rescue Aws::Support::Errors::ServiceError => e
|
|
29
29
|
log_error(e.code)
|
|
30
|
-
|
|
30
|
+
|
|
31
|
+
unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
|
|
32
|
+
raise e
|
|
33
|
+
end
|
|
31
34
|
|
|
32
35
|
[] # no Support subscription
|
|
33
36
|
end
|
data/lib/aws_recon/options.rb
CHANGED
|
@@ -20,6 +20,7 @@ class Parser
|
|
|
20
20
|
:skip_credential_report,
|
|
21
21
|
:stream_output,
|
|
22
22
|
:verbose,
|
|
23
|
+
:quit_on_exception,
|
|
23
24
|
:debug
|
|
24
25
|
)
|
|
25
26
|
|
|
@@ -47,6 +48,7 @@ class Parser
|
|
|
47
48
|
false,
|
|
48
49
|
false,
|
|
49
50
|
false,
|
|
51
|
+
false,
|
|
50
52
|
false
|
|
51
53
|
)
|
|
52
54
|
|
|
@@ -135,6 +137,11 @@ class Parser
|
|
|
135
137
|
args.verbose = true unless args.stream_output
|
|
136
138
|
end
|
|
137
139
|
|
|
140
|
+
# re-raise exceptions
|
|
141
|
+
opts.on('-q', '--quit-on-exception', 'Stop collection if an API error is encountered (default: false)') do
|
|
142
|
+
args.quit_on_exception = true
|
|
143
|
+
end
|
|
144
|
+
|
|
138
145
|
# debug
|
|
139
146
|
opts.on('-d', '--debug', 'Output debug with wire trace info') do
|
|
140
147
|
unless args.stream_output
|
data/lib/aws_recon/services.yaml
CHANGED
|
@@ -12,8 +12,13 @@
|
|
|
12
12
|
alias: config
|
|
13
13
|
- name: CodeBuild
|
|
14
14
|
alias: codebuild
|
|
15
|
+
excluded_regions:
|
|
16
|
+
- af-south-1
|
|
15
17
|
- name: CodePipeline
|
|
16
18
|
alias: codepipeline
|
|
19
|
+
excluded_regions:
|
|
20
|
+
- af-south-1
|
|
21
|
+
- me-south-1
|
|
17
22
|
- name: AutoScaling
|
|
18
23
|
alias: autoscaling
|
|
19
24
|
- name: CloudTrail
|
|
@@ -94,12 +99,17 @@
|
|
|
94
99
|
- eu-north-1
|
|
95
100
|
- eu-west-3
|
|
96
101
|
- us-west-1
|
|
102
|
+
- ap-east-1
|
|
103
|
+
- af-south-1
|
|
104
|
+
- eu-south-1
|
|
97
105
|
- name: CloudWatch
|
|
98
106
|
alias: cloudwatch
|
|
99
107
|
- name: CloudWatchLogs
|
|
100
108
|
alias: cloudwatchlogs
|
|
101
109
|
- name: Kafka
|
|
102
110
|
alias: kafka
|
|
111
|
+
excluded_regions:
|
|
112
|
+
- af-south-1
|
|
103
113
|
- name: SecretsManager
|
|
104
114
|
alias: sm
|
|
105
115
|
- name: SecurityHub
|
|
@@ -125,6 +135,10 @@
|
|
|
125
135
|
- eu-north-1
|
|
126
136
|
- us-west-1
|
|
127
137
|
- sa-east-1
|
|
138
|
+
- ap-east-1
|
|
139
|
+
- af-south-1
|
|
140
|
+
- eu-south-1
|
|
141
|
+
- me-south-1
|
|
128
142
|
- name: WorkSpaces
|
|
129
143
|
alias: workspaces
|
|
130
144
|
excluded_regions:
|
|
@@ -133,12 +147,21 @@
|
|
|
133
147
|
- eu-west-3
|
|
134
148
|
- us-east-2
|
|
135
149
|
- us-west-1
|
|
150
|
+
- ap-east-1
|
|
151
|
+
- af-south-1
|
|
152
|
+
- eu-south-1
|
|
153
|
+
- me-south-1
|
|
136
154
|
- name: SageMaker
|
|
137
155
|
alias: sagemaker
|
|
138
156
|
- name: ServiceQuotas
|
|
139
157
|
alias: servicequotas
|
|
140
158
|
- name: Transfer
|
|
141
159
|
alias: transfer
|
|
160
|
+
excluded_regions:
|
|
161
|
+
- ap-east-1
|
|
162
|
+
- af-south-1
|
|
163
|
+
- eu-south-1
|
|
164
|
+
- me-south-1
|
|
142
165
|
- name: DirectConnect
|
|
143
166
|
alias: dc
|
|
144
167
|
- name: DirectoryService
|
data/lib/aws_recon/version.rb
CHANGED
data/readme.md
CHANGED
|
@@ -215,6 +215,20 @@ Usage: aws_recon [options]
|
|
|
215
215
|
|
|
216
216
|
Output is always some form of JSON - either JSON lines or plain JSON. The output is either written to a file (the default), or written to stdout (with `-j`).
|
|
217
217
|
|
|
218
|
+
## Support for Manually Enabled Regions
|
|
219
|
+
|
|
220
|
+
If you have enabled manually enabled regions:
|
|
221
|
+
|
|
222
|
+
- me-south-1 - Middle East (Bahrain)
|
|
223
|
+
- af-south-1 - Africa (Cape Town)
|
|
224
|
+
- ap-east-1 - Asia Pacific (Hong Kong)
|
|
225
|
+
- eu-south-1 - Europe (Milan)
|
|
226
|
+
|
|
227
|
+
and you are using STS to assume a role into an account, you will need to [enable v2 STS tokens](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the account you are assuming the role **from** to be able to run AWS Recon against those regions.
|
|
228
|
+
|
|
229
|
+
> Version 1 tokens are valid only in AWS Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens are longer and might affect systems where you temporarily store tokens.
|
|
230
|
+
|
|
231
|
+
If you are using a static access key/secret, you can collect from these regions with either `v1` or `v2` STS tokens.
|
|
218
232
|
|
|
219
233
|
## Supported Services & Resources
|
|
220
234
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws_recon
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.25
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Josh Larsen
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2020-12-
|
|
12
|
+
date: 2020-12-06 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: aws-sdk
|