aws_recon 0.2.9 → 0.2.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 748e27233aa80e92e6f74f5685c9620315a649cc425c96186d234650b7c56242
-  data.tar.gz: ebb4fd703ffa348040d6659b9095c5a8c5ac49e60707f08958a84f43fa46440c
+  metadata.gz: 9a778dc405cb41606bd79f7f49fb40f71ac1ad403084a3708bd7910ae60904c1
+  data.tar.gz: d719d81f1b14c208f3b182054408ffc4cd1b6a808806fae15e33ee2dfb569b9e
 SHA512:
-  metadata.gz: 8bf432c66917846ca2982d566b570d8b1930dff31168847732132ca033c679c9595b2c0729e6d48da13814ef84e76ec4809af288ebb6097e27183b224d8cf30e
-  data.tar.gz: cd2694d0a363bf37ad38e0ec1c3d0f1dfd9488e85541169ba2cf3c56a078ce9088406e4f58d8dee2b3b87240969532d8dfaf87fa666413cf2c55da69eeeaea9d
+  metadata.gz: 52809bcee06bcf81182ce52ac4e8acfcef5a77cb21ec2fd1c82b2fbfd16b704b63f1381c1fb43fb116e94711a541e39286a635e736faf2d1a34ff71c3ae65984
+  data.tar.gz: 14781d182dae5b639863a1b2ec388358a04e86d8bc4680faa30494057d6941f3b8fe821021dfdc2f88100db49bd5ad634885bed670920e1498e8d7d0f9567b5c

data/.github/workflows/docker-build.yml

@@ -0,0 +1,38 @@
+name: docker-build
+
+on:
+  push:
+    branches: build
+    paths:
+      - 'lib/aws_recon/version.rb'
+
+jobs:
+  docker-build:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set version tag
+        run: |
+          echo "VERSION_TAG=$(grep VERSION lib/aws_recon/version.rb | awk -F\" '{print $2}')" >> $GITHUB_ENV
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          build-args: |
+            VERSION=${{ env.VERSION_TAG }}
+          tags: |
+            darkbitio/aws_recon:${{ env.VERSION_TAG }}
+            darkbitio/aws_recon:latest

data/.github/workflows/smoke-test.yml

@@ -0,0 +1,23 @@
+name: smoke-test
+
+on:
+  push:
+    branches: main
+
+jobs:
+  smoke-test:
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 1
+      - name: Set version tag
+        run: |
+          echo "VERSION_TAG=$(grep VERSION lib/aws_recon/version.rb | awk -F\" '{print $2}')" >> $GITHUB_ENV
+      - name: Smoke Test :${{ env.VERSION_TAG }}
+        run: |
+          docker run -t --rm darkbitio/aws_recon:${{ env.VERSION_TAG }} aws_recon
+      - name: Smoke Test :latest
+        run: |
+          docker run -t --rm darkbitio/aws_recon:latest aws_recon

data/Dockerfile

@@ -3,9 +3,10 @@ FROM ruby:${RUBY_VERSION}-alpine
 
 LABEL maintainer="Darkbit <info@darkbit.io>"
 
+# Supply AWS Recon version at build time
+ARG VERSION
 ARG USER=recon
 ARG GEM=aws_recon
-ARG VERSION=0.2.8
 ARG BUNDLER_VERSION=2.1.4
 
 # Install new Bundler version

data/aws_recon.gemspec

@@ -33,4 +33,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'solargraph', '~> 0.39.11'
   spec.add_development_dependency 'rubocop', '~> 0.87.1'
   spec.add_development_dependency 'pry', '~> 0.13.1'
+  spec.add_development_dependency 'byebug', '~> 11.1'
 end

data/lib/aws_recon/collectors/accessanalyzer.rb

@@ -0,0 +1,24 @@
+class AccessAnalyzer < Mapper
+  #
+  # Returns an array of resources.
+  #
+  def collect
+    resources = []
+
+    #
+    # list_analyzers
+    #
+    @client.list_analyzers.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      # analyzers
+      response.analyzers.each do |analyzer|
+        struct = OpenStruct.new(analyzer.to_h)
+        struct.type = 'analyzer'
+        resources.push(struct.to_h)
+      end
+    end
+
+    resources
+  end
+end

data/lib/aws_recon/collectors/ec2.rb

@@ -31,6 +31,18 @@ class EC2 < Mapper
 
     # regional calls
     if @region != 'global'
+      #
+      # get_ebs_encryption_by_default
+      #
+      @client.get_ebs_encryption_by_default.each do |response|
+        log(response.context.operation_name)
+
+        struct = OpenStruct.new(response.to_h)
+        struct.type = 'ebs_encryption_settings'
+
+        resources.push(struct.to_h)
+      end
+
       #
       # describe_instances
       #

data/lib/aws_recon/collectors/iam.rb

@@ -142,6 +142,24 @@ class IAM < Mapper
       end
     end
 
+    #
+    # generate_credential_report
+    #
+    unless @options.skip_credential_report
+      status = 'STARTED'
+      interval = 5
+
+      # wait for report to generate
+      while status != 'COMPLETE'
+        @client.generate_credential_report.each do |response|
+          log(response.context.operation_name)
+          status = response.state
+        end
+
+        sleep interval unless status == 'COMPLETE'
+      end
+    end
+
     #
     # get_credential_report
     #

data/lib/aws_recon/collectors/organizations.rb

@@ -31,6 +31,21 @@ class Organizations < Mapper
       end
     end
 
+    #
+    # list_policies
+    #
+    @client.list_policies({ filter: 'SERVICE_CONTROL_POLICY' }).each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      response.policies.each do |policy|
+        struct = OpenStruct.new(policy.to_h)
+        struct.type = 'service_control_policy'
+        struct.content = JSON.parse(CGI.unescape(@client.describe_policy({ policy_id: policy.id }).policy.content))
+
+        resources.push(struct.to_h)
+      end
+    end
+
     resources
   end
 end

data/lib/aws_recon/collectors/sqs.rb

@@ -18,6 +18,7 @@ class SQS < Mapper
         struct = OpenStruct.new(@client.get_queue_attributes({ queue_url: queue, attribute_names: ['All'] }).attributes.to_h)
         struct.type = 'queue'
         struct.arn = struct.QueueArn
+        struct.Policy = JSON.parse(CGI.unescape(struct.Policy))
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/options.rb

@@ -17,6 +17,7 @@ class Parser
     :threads,
     :collect_user_data,
     :skip_slow,
+    :skip_credential_report,
     :stream_output,
     :verbose,
     :debug
@@ -45,6 +46,7 @@ class Parser
       false,
       false,
       false,
+      false,
       false
     )
 
@@ -115,6 +117,11 @@ class Parser
         args.skip_slow = true
       end
 
+      # skip generating IAM credential report
+      opts.on('-g', '--skip-credential-report', 'Skip generating IAM credential report (default: false)') do
+        args.skip_credential_report = true
+      end
+
       # stream output (forces JSON lines, doesn't output handled warnings or errors )
       opts.on('-j', '--stream-output', 'Stream JSON lines to stdout (default: false)') do
         args.output_file = nil

data/lib/aws_recon/services.yaml

@@ -2,6 +2,8 @@
 - name: Organizations
   global: true
   alias: organizations
+- name: AccessAnalyzer
+  alias: aa
 - name: ConfigService
   alias: config
 - name: CodeBuild

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.2.9"
+  VERSION = "0.2.14"
 end

data/readme.md

@@ -1,3 +1,4 @@
+![smoke-test](https://github.com/darkbitio/aws-recon/workflows/smoke-test/badge.svg)
 [![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
 
 # AWS Recon
@@ -158,6 +159,12 @@ $ AWS_PROFILE=<profile> aws_recon -s S3,EC2 -r global,us-east-1,us-east-2
 $ AWS_PROFILE=<profile> aws_recon --services S3,EC2 --regions global,us-east-1,us-east-2
 ```
 
+Example [OpenCSPM](https://github.com/OpenCSPM/opencspm) formatted output.
+
+```
+$ AWS_PROFILE=<profile> aws_recon -s S3,EC2 -r global,us-east-1,us-east-2 -f custom > output.json
+```
+
 #### Errors
 
 An exception will be raised on `AccessDeniedException` errors. This typically means your user/role doesn't have the necessary permissions to get/list/describe for that service. These exceptions are raised so troubleshooting access issues is easier.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.2.9
+  version: 0.2.14
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-10 00:00:00.000000000 Z
+date: 2020-11-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -137,6 +137,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.13.1
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.1'
 description: AWS Recon is a command line tool to collect resources from an Amazon
   Web Services (AWS) account. The tool outputs JSON suitable for processing with other
   tools.
@@ -149,6 +163,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".github/stale.yml"
+- ".github/workflows/docker-build.yml"
+- ".github/workflows/smoke-test.yml"
 - ".gitignore"
 - ".rubocop.yml"
 - ".travis.yml"
@@ -164,6 +180,7 @@ files:
 - lib/aws_recon.rb
 - lib/aws_recon/aws_recon.rb
 - lib/aws_recon/collectors.rb
+- lib/aws_recon/collectors/accessanalyzer.rb
 - lib/aws_recon/collectors/acm.rb
 - lib/aws_recon/collectors/apigateway.rb
 - lib/aws_recon/collectors/apigatewayv2.rb