aws_recon 0.2.8 → 0.2.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Dockerfile +1 -1
- data/LICENSE.txt +1 -1
- data/binstub/aws_recon +0 -0
- data/lib/aws_recon/collectors/iam.rb +39 -16
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +24 -16
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 748e27233aa80e92e6f74f5685c9620315a649cc425c96186d234650b7c56242
|
|
4
|
+
data.tar.gz: ebb4fd703ffa348040d6659b9095c5a8c5ac49e60707f08958a84f43fa46440c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8bf432c66917846ca2982d566b570d8b1930dff31168847732132ca033c679c9595b2c0729e6d48da13814ef84e76ec4809af288ebb6097e27183b224d8cf30e
|
|
7
|
+
data.tar.gz: cd2694d0a363bf37ad38e0ec1c3d0f1dfd9488e85541169ba2cf3c56a078ce9088406e4f58d8dee2b3b87240969532d8dfaf87fa666413cf2c55da69eeeaea9d
|
data/Dockerfile
CHANGED
|
@@ -11,7 +11,7 @@ ARG BUNDLER_VERSION=2.1.4
|
|
|
11
11
|
# Install new Bundler version
|
|
12
12
|
RUN rm /usr/local/lib/ruby/gems/*/specifications/default/bundler-*.gemspec && \
|
|
13
13
|
gem uninstall bundler && \
|
|
14
|
-
gem install bundler -v $BUNDLER_VERSION
|
|
14
|
+
gem install bundler -v ${BUNDLER_VERSION}
|
|
15
15
|
|
|
16
16
|
# Install gem
|
|
17
17
|
RUN gem install ${GEM} -v ${VERSION}
|
data/LICENSE.txt
CHANGED
data/binstub/aws_recon
CHANGED
|
File without changes
|
|
@@ -10,7 +10,10 @@ class IAM < Mapper
|
|
|
10
10
|
# list_mfa_devices
|
|
11
11
|
# list_ssh_public_keys
|
|
12
12
|
#
|
|
13
|
-
|
|
13
|
+
opts = {
|
|
14
|
+
filter: %w[User Role Group LocalManagedPolicy AWSManagedPolicy]
|
|
15
|
+
}
|
|
16
|
+
@client.get_account_authorization_details(opts).each_with_index do |response, page|
|
|
14
17
|
log(response.context.operation_name, page)
|
|
15
18
|
|
|
16
19
|
# users
|
|
@@ -19,6 +22,14 @@ class IAM < Mapper
|
|
|
19
22
|
struct.type = 'user'
|
|
20
23
|
struct.mfa_devices = @client.list_mfa_devices({ user_name: user.user_name }).mfa_devices.map(&:to_h)
|
|
21
24
|
struct.ssh_keys = @client.list_ssh_public_keys({ user_name: user.user_name }).ssh_public_keys.map(&:to_h)
|
|
25
|
+
struct.user_policy_list = if user.user_policy_list
|
|
26
|
+
user.user_policy_list.map do |p|
|
|
27
|
+
{
|
|
28
|
+
policy_name: p.policy_name,
|
|
29
|
+
policy_document: JSON.parse(CGI.unescape(p.policy_document))
|
|
30
|
+
}
|
|
31
|
+
end
|
|
32
|
+
end
|
|
22
33
|
|
|
23
34
|
resources.push(struct.to_h)
|
|
24
35
|
end
|
|
@@ -27,6 +38,14 @@ class IAM < Mapper
|
|
|
27
38
|
response.group_detail_list.each do |group|
|
|
28
39
|
struct = OpenStruct.new(group.to_h)
|
|
29
40
|
struct.type = 'group'
|
|
41
|
+
struct.group_policy_list = if group.group_policy_list
|
|
42
|
+
group.group_policy_list.map do |p|
|
|
43
|
+
{
|
|
44
|
+
policy_name: p.policy_name,
|
|
45
|
+
policy_document: JSON.parse(CGI.unescape(p.policy_document))
|
|
46
|
+
}
|
|
47
|
+
end
|
|
48
|
+
end
|
|
30
49
|
|
|
31
50
|
resources.push(struct.to_h)
|
|
32
51
|
end
|
|
@@ -35,6 +54,15 @@ class IAM < Mapper
|
|
|
35
54
|
response.role_detail_list.each do |role|
|
|
36
55
|
struct = OpenStruct.new(role.to_h)
|
|
37
56
|
struct.type = 'role'
|
|
57
|
+
struct.assume_role_policy_document = JSON.parse(CGI.unescape(role.assume_role_policy_document))
|
|
58
|
+
struct.role_policy_list = if role.role_policy_list
|
|
59
|
+
role.role_policy_list.map do |p|
|
|
60
|
+
{
|
|
61
|
+
policy_name: p.policy_name,
|
|
62
|
+
policy_document: JSON.parse(CGI.unescape(p.policy_document))
|
|
63
|
+
}
|
|
64
|
+
end
|
|
65
|
+
end
|
|
38
66
|
|
|
39
67
|
resources.push(struct.to_h)
|
|
40
68
|
end
|
|
@@ -43,21 +71,16 @@ class IAM < Mapper
|
|
|
43
71
|
response.policies.each do |policy|
|
|
44
72
|
struct = OpenStruct.new(policy.to_h)
|
|
45
73
|
struct.type = 'policy'
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
# managed policies
|
|
58
|
-
response.policies.each do |policy|
|
|
59
|
-
struct = OpenStruct.new(policy.to_h)
|
|
60
|
-
struct.type = 'managed_policy'
|
|
74
|
+
struct.policy_version_list = if policy.policy_version_list
|
|
75
|
+
policy.policy_version_list.map do |p|
|
|
76
|
+
{
|
|
77
|
+
version_id: p.version_id,
|
|
78
|
+
document: JSON.parse(CGI.unescape(p.document)),
|
|
79
|
+
is_default_version: p.is_default_version,
|
|
80
|
+
create_date: p.create_date
|
|
81
|
+
}
|
|
82
|
+
end
|
|
83
|
+
end
|
|
61
84
|
|
|
62
85
|
resources.push(struct.to_h)
|
|
63
86
|
end
|
data/lib/aws_recon/version.rb
CHANGED
data/readme.md
CHANGED
|
@@ -32,14 +32,14 @@ To run locally, first install the gem:
|
|
|
32
32
|
|
|
33
33
|
```
|
|
34
34
|
$ gem install aws_recon
|
|
35
|
-
Fetching aws_recon-0.2.
|
|
35
|
+
Fetching aws_recon-0.2.8.gem
|
|
36
36
|
Fetching aws-sdk-resources-3.76.0.gem
|
|
37
37
|
Fetching aws-sdk-3.0.1.gem
|
|
38
38
|
Fetching parallel-1.19.2.gem
|
|
39
39
|
...
|
|
40
40
|
Successfully installed aws-sdk-3.0.1
|
|
41
41
|
Successfully installed parallel-1.19.2
|
|
42
|
-
Successfully installed aws_recon-0.2.
|
|
42
|
+
Successfully installed aws_recon-0.2.8
|
|
43
43
|
```
|
|
44
44
|
|
|
45
45
|
Or add it to your Gemfile using `bundle`:
|
|
@@ -51,20 +51,20 @@ Resolving dependencies...
|
|
|
51
51
|
...
|
|
52
52
|
Using aws-sdk 3.0.1
|
|
53
53
|
Using parallel 1.19.2
|
|
54
|
-
Using aws_recon 0.2.
|
|
54
|
+
Using aws_recon 0.2.8
|
|
55
55
|
```
|
|
56
56
|
|
|
57
57
|
To run via a Docker a container, pass the necessary AWS credentials into the Docker `run` command. For example:
|
|
58
58
|
|
|
59
59
|
```
|
|
60
|
-
$ docker run --rm \
|
|
60
|
+
$ docker run -t --rm \
|
|
61
61
|
-e AWS_REGION \
|
|
62
62
|
-e AWS_ACCESS_KEY_ID \
|
|
63
63
|
-e AWS_SECRET_ACCESS_KEY \
|
|
64
64
|
-e AWS_SESSION_TOKEN \
|
|
65
65
|
-v $(pwd)/output.json:/recon/output.json \
|
|
66
|
-
aws_recon:latest \
|
|
67
|
-
aws_recon -v -s EC2 -r us-east-1,us-east-2
|
|
66
|
+
darkbitio/aws_recon:latest \
|
|
67
|
+
aws_recon -v -s EC2 -r global,us-east-1,us-east-2
|
|
68
68
|
```
|
|
69
69
|
|
|
70
70
|
|
|
@@ -82,29 +82,37 @@ Plain environment variables will work fine too.
|
|
|
82
82
|
$ AWS_PROFILE=<profile> aws_recon
|
|
83
83
|
```
|
|
84
84
|
|
|
85
|
-
To run from a Docker container using `aws-vault` managed credentials (output to
|
|
85
|
+
To run from a Docker container using `aws-vault` managed credentials (output to stdout):
|
|
86
86
|
|
|
87
87
|
```
|
|
88
|
-
$ aws-vault exec
|
|
88
|
+
$ aws-vault exec <vault_profile> -- docker run -t --rm \
|
|
89
89
|
-e AWS_REGION \
|
|
90
90
|
-e AWS_ACCESS_KEY_ID \
|
|
91
91
|
-e AWS_SECRET_ACCESS_KEY \
|
|
92
92
|
-e AWS_SESSION_TOKEN \
|
|
93
|
-
|
|
94
|
-
aws_recon
|
|
95
|
-
aws_recon -s EC2 -v -r us-east-1,us-east-2
|
|
93
|
+
darkbitio/aws_recon:latest \
|
|
94
|
+
aws_recon -j -s EC2 -r global,us-east-1,us-east-2
|
|
96
95
|
```
|
|
97
96
|
|
|
98
|
-
To run from a Docker container using `aws-vault` managed credentials
|
|
97
|
+
To run from a Docker container using `aws-vault` managed credentials and output to a file, you will need to satisfy a couple of requirements. First, Docker needs access to bind mount the path you specify (or a parent path above). Second, you need to create an empty file to save the output into (e.g. `output.json`). This is because we are only mounting that one file into the Docker container at run time. For example:
|
|
99
98
|
|
|
99
|
+
Create an empty file.
|
|
100
|
+
|
|
101
|
+
```
|
|
102
|
+
$ touch output.json
|
|
100
103
|
```
|
|
101
|
-
|
|
104
|
+
|
|
105
|
+
Run the `aws_recon` container, specifying the output file.
|
|
106
|
+
|
|
107
|
+
```
|
|
108
|
+
$ aws-vault exec <vault_profile> -- docker run -t --rm \
|
|
102
109
|
-e AWS_REGION \
|
|
103
110
|
-e AWS_ACCESS_KEY_ID \
|
|
104
111
|
-e AWS_SECRET_ACCESS_KEY \
|
|
105
112
|
-e AWS_SESSION_TOKEN \
|
|
106
|
-
|
|
107
|
-
aws_recon
|
|
113
|
+
-v $(pwd)/output.json:/recon/output.json \
|
|
114
|
+
darkbitio/aws_recon:latest \
|
|
115
|
+
aws_recon -s EC2 -v -r global,us-east-1,us-east-2
|
|
108
116
|
```
|
|
109
117
|
|
|
110
118
|
You may want to use the `-v` or `--verbose` flag initially to see status and activity while collection is running.
|
|
@@ -176,7 +184,7 @@ Most users will want to limit collection to relevant services and regions. Runni
|
|
|
176
184
|
```
|
|
177
185
|
$ aws_recon -h
|
|
178
186
|
|
|
179
|
-
AWS Recon - AWS Inventory Collector (0.2.
|
|
187
|
+
AWS Recon - AWS Inventory Collector (0.2.8)
|
|
180
188
|
|
|
181
189
|
Usage: aws_recon [options]
|
|
182
190
|
-r, --regions [REGIONS] Regions to scan, separated by comma (default: all)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws_recon
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Josh Larsen
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2020-11-
|
|
12
|
+
date: 2020-11-10 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: aws-sdk
|