aws_recon 0.2.9 → 0.2.14
- checksums.yaml +4 -4
- data/.github/workflows/docker-build.yml +38 -0
- data/.github/workflows/smoke-test.yml +23 -0
- data/Dockerfile +2 -1
- data/aws_recon.gemspec +1 -0
- data/lib/aws_recon/collectors/accessanalyzer.rb +24 -0
- data/lib/aws_recon/collectors/ec2.rb +12 -0
- data/lib/aws_recon/collectors/iam.rb +18 -0
- data/lib/aws_recon/collectors/organizations.rb +15 -0
- data/lib/aws_recon/collectors/sqs.rb +1 -0
- data/lib/aws_recon/options.rb +7 -0
- data/lib/aws_recon/services.yaml +2 -0
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +7 -0
- metadata +19 -2
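--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9a778dc405cb41606bd79f7f49fb40f71ac1ad403084a3708bd7910ae60904c1
+data.tar.gz: d719d81f1b14c208f3b182054408ffc4cd1b6a808806fae15e33ee2dfb569b9e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 52809bcee06bcf81182ce52ac4e8acfcef5a77cb21ec2fd1c82b2fbfd16b704b63f1381c1fb43fb116e94711a541e39286a635e736faf2d1a34ff71c3ae65984
+data.tar.gz: 14781d182dae5b639863a1b2ec388358a04e86d8bc4680faa30494057d6941f3b8fe821021dfdc2f88100db49bd5ad634885bed670920e1498e8d7d0f9567b5c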
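--- a/data/.github/workflows/docker-build.yml
+++ b/data/.github/workflows/docker-build.yml
@@ -0,0 +1,38 @@
+name: docker-build
+
+on:
+push:
+branches: build
+paths:
+- 'lib/aws_recon/version.rb'
+
+jobs:
+docker-build:
+runs-on: ubuntu-20.04
+steps:
+- name: Checkout
+uses: actions/checkout@v2
+with:
+fetch-depth: 1
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v1
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v1
+- name: Login to DockerHub
+uses: docker/login-action@v1
+with:
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+- name: Set version tag
+run: |
+echo "VERSION_TAG=$(grep VERSION lib/aws_recon/version.rb | awk -F\" '{print $2}')" >> $GITHUB_ENV
+- name: Build and push
+id: docker_build
+uses: docker/build-push-action@v2
+with:
+push: true
+build-args: |
+VERSION=${{ env.VERSION_TAG }}
+tags: |
+darkbitio/aws_recon:${{ env.VERSION_TAG }}
+darkbitio/aws_recon:latest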
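Review bot: Every `uses:` in this job references a mutable tag (`actions/checkout@v2`, `docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `docker/login-action@v1`, `docker/build-push-action@v2`) while the same job holds `DOCKERHUB_TOKEN` and pushes the `latest` tag, so a retagged or compromised action release could read the credential or alter the published image. Pin each action to a full commit SHA and keep the tag in a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v1`, and add a top-level `permissions: contents: read` so the workflow token carries no write scope the job does not use. The same unpinned `actions/checkout@v2` appears in smoke-test.yml.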
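--- a/data/.github/workflows/smoke-test.yml
+++ b/data/.github/workflows/smoke-test.yml
@@ -0,0 +1,23 @@
+name: smoke-test
+
+on:
+push:
+branches: main
+
+jobs:
+smoke-test:
+runs-on: ubuntu-20.04
+steps:
+- name: Checkout
+uses: actions/checkout@v2
+with:
+fetch-depth: 1
+- name: Set version tag
+run: |
+echo "VERSION_TAG=$(grep VERSION lib/aws_recon/version.rb | awk -F\" '{print $2}')" >> $GITHUB_ENV
+- name: Smoke Test :${{ env.VERSION_TAG }}
+run: |
+docker run -t --rm darkbitio/aws_recon:${{ env.VERSION_TAG }} aws_recon
+- name: Smoke Test :latest
+run: |
+docker run -t --rm darkbitio/aws_recon:latest aws_recon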
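Review bot: The `docker run` steps pull `darkbitio/aws_recon:${{ env.VERSION_TAG }}` on every push to `main`, but docker-build.yml only publishes that tag on pushes to the `build` branch, so a version bump on `main` that has not yet gone through `build` fails here with a missing tag instead of testing the new image. Consider triggering this job with `workflow_run` on docker-build completion, or at least running an explicit `docker pull` first so the failure names the real cause. Running `aws_recon` with no arguments also only proves the entrypoint starts and exits successfully; an invocation whose output is checked (for example `aws_recon --help` piped through `grep` for a known usage string) would catch a broken gem install inside the image.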
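--- a/data/Dockerfile
+++ b/data/Dockerfile
@@ -3,9 +3,10 @@ FROM ruby:${RUBY_VERSION}-alpine
 
 LABEL maintainer="Darkbit <info@darkbit.io>"
 
+# Supply AWS Recon version at build time
+ARG VERSION
 ARG USER=recon
 ARG GEM=aws_recon
-ARG VERSION=0.2.8
 ARG BUNDLER_VERSION=2.1.4
 
 # Install new Bundler version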
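Review bot: `ARG VERSION` now has no default, so a build that omits `--build-arg VERSION=...` (or the workflow's `VERSION_TAG` grep producing an empty string) expands `${VERSION}` to nothing wherever it is consumed further down, outside this hunk, which presumably either installs an unintended gem version or fails with an unclear error. Add an explicit guard right after the declaration, `RUN test -n "$VERSION" || { echo "VERSION build-arg is required" >&2; exit 1; }`, so the failure is immediate and named.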
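--- a/data/aws_recon.gemspec
+++ b/data/aws_recon.gemspec
@@ -33,4 +33,5 @@ Gem::Specification.new do |spec|
 spec.add_development_dependency 'solargraph', '~> 0.39.11'
 spec.add_development_dependency 'rubocop', '~> 0.87.1'
 spec.add_development_dependency 'pry', '~> 0.13.1'
+spec.add_development_dependency 'byebug', '~> 11.1'
 end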
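--- a/data/lib/aws_recon/collectors/accessanalyzer.rb
+++ b/data/lib/aws_recon/collectors/accessanalyzer.rb
@@ -0,0 +1,24 @@
+class AccessAnalyzer < Mapper
+#
+# Returns an array of resources.
+#
+def collect
+resources = []
+
+#
+# list_analyzers
+#
+@client.list_analyzers.each_with_index do |response, page|
+log(response.context.operation_name, page)
+
+# analyzers
+response.analyzers.each do |analyzer|
+struct = OpenStruct.new(analyzer.to_h)
+struct.type = 'analyzer'
+resources.push(struct.to_h)
+end
+end
+
+resources
+end
+end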
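Review bot: `struct.type = 'analyzer'` on the line after `OpenStruct.new(analyzer.to_h)` overwrites the `type` attribute of the AnalyzerSummary itself, which records whether the analyzer's zone of trust is the account or the organization, so that distinction is dropped from the output. Preserve it under another key before tagging the record, `struct.analyzer_type = analyzer.type` ahead of `struct.type = 'analyzer'`. The header comment could also say what the collector emits rather than just "resources": `# Returns an array of analyzer records (one per Access Analyzer in the region).`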
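--- a/data/lib/aws_recon/collectors/ec2.rb
+++ b/data/lib/aws_recon/collectors/ec2.rb
@@ -31,6 +31,18 @@ class EC2 < Mapper
 
 # regional calls
 if @region != 'global'
+#
+# get_ebs_encryption_by_default
+#
+@client.get_ebs_encryption_by_default.each do |response|
+log(response.context.operation_name)
+
+struct = OpenStruct.new(response.to_h)
+struct.type = 'ebs_encryption_settings'
+
+resources.push(struct.to_h)
+end
+
 #
 # describe_instances
 #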
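Review bot: The `ebs_encryption_settings` record built from `response.to_h` carries only the flag the API returns and no identifier, unlike sqs.rb in this same change which sets `struct.arn`, so if downstream output is keyed by arn the records from different regions are indistinguishable; I cannot tell from the hunk whether the mapper attaches the region later. If it does not, give the record an explicit key before pushing, e.g. `struct.arn = "ebs-encryption-by-default:#{@region}"` (a constructed value — adjust to the project's naming convention). The rest of `collect`, including describe_instances, continues outside the hunk.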
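--- a/data/lib/aws_recon/collectors/iam.rb
+++ b/data/lib/aws_recon/collectors/iam.rb
@@ -142,6 +142,24 @@ class IAM < Mapper
 end
 end
 
+#
+# generate_credential_report
+#
+unless @options.skip_credential_report
+status = 'STARTED'
+interval = 5
+
+# wait for report to generate
+while status != 'COMPLETE'
+@client.generate_credential_report.each do |response|
+log(response.context.operation_name)
+status = response.state
+end
+
+sleep interval unless status == 'COMPLETE'
+end
+end
+
 #
 # get_credential_report
 #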
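Review bot: The `while status != 'COMPLETE'` loop has no upper bound, so if the report never reaches COMPLETE (generation stalls, or the API keeps answering STARTED/INPROGRESS) the collector sleeps forever instead of failing. Bound it with an attempt counter and raise once the budget is spent; a sketch follows, with illustrative numbers. Note also that `get_credential_report` begins right after this hunk: if that call is not guarded by `@options.skip_credential_report` as well, using the new flag on an account that has never generated a report will fail there rather than be skipped — worth confirming outside the hunk.
```ruby
unless @options.skip_credential_report
  status = 'STARTED'
  interval = 5
  max_attempts = 12 # illustrative: 12 * 5s bounds the wait at about a minute
  attempts = 0

  # wait for report to generate, but never indefinitely
  while status != 'COMPLETE'
    raise "credential report still #{status} after #{attempts} attempts" if attempts >= max_attempts

    @client.generate_credential_report.each do |response|
      log(response.context.operation_name)
      status = response.state
    end

    attempts += 1
    sleep interval unless status == 'COMPLETE'
  end
end
# … unchanged: get_credential_report …
```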
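--- a/data/lib/aws_recon/collectors/organizations.rb
+++ b/data/lib/aws_recon/collectors/organizations.rb
@@ -31,6 +31,21 @@ class Organizations < Mapper
 end
 end
 
+#
+# list_policies
+#
+@client.list_policies({ filter: 'SERVICE_CONTROL_POLICY' }).each_with_index do |response, page|
+log(response.context.operation_name, page)
+
+response.policies.each do |policy|
+struct = OpenStruct.new(policy.to_h)
+struct.type = 'service_control_policy'
+struct.content = JSON.parse(CGI.unescape(@client.describe_policy({ policy_id: policy.id }).policy.content))
+
+resources.push(struct.to_h)
+end
+end
+
 resources
 end
 end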
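Review bot: `JSON.parse(CGI.unescape(...policy.content))` URL-decodes the SCP document before parsing, but as far as I know Organizations `describe_policy` returns the content as plain JSON text — unlike the URL-encoded documents IAM returns — so the unescape is a no-op at best and would corrupt any `+` or `%xx` sequence inside a string value (an ARN or condition value) before parsing; please confirm against the SDK response and drop `CGI.unescape` if the content is plain. The added `struct.Policy = JSON.parse(CGI.unescape(struct.Policy))` in sqs.rb raises the same question. Separately, the `describe_policy` call is buried inside the parse expression; assigning it first, `content = @client.describe_policy({ policy_id: policy.id }).policy.content`, keeps the line readable and makes it clear which call raised when access is denied.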
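--- a/data/lib/aws_recon/collectors/sqs.rb
+++ b/data/lib/aws_recon/collectors/sqs.rb
@@ -18,6 +18,7 @@ class SQS < Mapper
 struct = OpenStruct.new(@client.get_queue_attributes({ queue_url: queue, attribute_names: ['All'] }).attributes.to_h)
 struct.type = 'queue'
 struct.arn = struct.QueueArn
+struct.Policy = JSON.parse(CGI.unescape(struct.Policy))
 
 resources.push(struct.to_h)
 end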
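Review bot: `struct.Policy = JSON.parse(CGI.unescape(struct.Policy))` assumes every queue has a `Policy` attribute, but `get_queue_attributes` omits attributes that are not set, so on the first queue without a resource policy `struct.Policy` is nil, `CGI.unescape(nil)` raises, and the whole collector aborts. Guard the conversion: `struct.Policy = JSON.parse(CGI.unescape(struct.Policy)) if struct.Policy`. The enclosing loop over queues starts before this hunk.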
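--- a/data/lib/aws_recon/options.rb
+++ b/data/lib/aws_recon/options.rb
@@ -17,6 +17,7 @@ class Parser
 :threads,
 :collect_user_data,
 :skip_slow,
+:skip_credential_report,
 :stream_output,
 :verbose,
 :debug
@@ -45,6 +46,7 @@ class Parser
 false,
 false,
 false,
+false,
 false
 )
 
@@ -115,6 +117,11 @@ class Parser
 args.skip_slow = true
 end
 
+# skip generating IAM credential report
+opts.on('-g', '--skip-credential-report', 'Skip generating IAM credential report (default: false)') do
+args.skip_credential_report = true
+end
+
 # stream output (forces JSON lines, doesn't output handled warnings or errors )
 opts.on('-j', '--stream-output', 'Stream JSON lines to stdout (default: false)') do
 args.output_file = nil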
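Review bot: The new `false,` in the second hunk is a positional default — it has to sit at exactly the index `:skip_credential_report` occupies in the member list from the first hunk — and with four identical `false` values in a row and the member list only partly visible, the alignment cannot be verified from the diff and will silently shift if either list is edited again. Either build the struct with `keyword_init: true` and named defaults, or annotate each positional default with its member, e.g. `false, # skip_credential_report`. The `Parser` class continues outside these hunks.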
data/lib/aws_recon/services.yaml
CHANGED
data/lib/aws_recon/version.rb
CHANGED
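--- a/data/readme.md
+++ b/data/readme.md
@@ -1,3 +1,4 @@
+![smoke-test](https://github.com/darkbitio/aws-recon/workflows/smoke-test/badge.svg)
 [![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://badge.fury.io/rb/aws_recon)
 
 # AWS Recon
@@ -158,6 +159,12 @@ $ AWS_PROFILE=<profile> aws_recon -s S3,EC2 -r global,us-east-1,us-east-2
 $ AWS_PROFILE=<profile> aws_recon --services S3,EC2 --regions global,us-east-1,us-east-2
 ```
 
+Example [OpenCSPM](https://github.com/OpenCSPM/opencspm) formatted output.
+
+```
+$ AWS_PROFILE=<profile> aws_recon -s S3,EC2 -r global,us-east-1,us-east-2 -f custom > output.json
+```
+
 #### Errors
 
 An exception will be raised on `AccessDeniedException` errors. This typically means your user/role doesn't have the necessary permissions to get/list/describe for that service. These exceptions are raised so troubleshooting access issues is easier.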
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws_recon
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.14
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Josh Larsen
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2020-11-
|
12
|
+
date: 2020-11-18 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: aws-sdk
|
@@ -137,6 +137,20 @@ dependencies:
|
|
137
137
|
- - "~>"
|
138
138
|
- !ruby/object:Gem::Version
|
139
139
|
version: 0.13.1
|
140
|
+
- !ruby/object:Gem::Dependency
|
141
|
+
name: byebug
|
142
|
+
requirement: !ruby/object:Gem::Requirement
|
143
|
+
requirements:
|
144
|
+
- - "~>"
|
145
|
+
- !ruby/object:Gem::Version
|
146
|
+
version: '11.1'
|
147
|
+
type: :development
|
148
|
+
prerelease: false
|
149
|
+
version_requirements: !ruby/object:Gem::Requirement
|
150
|
+
requirements:
|
151
|
+
- - "~>"
|
152
|
+
- !ruby/object:Gem::Version
|
153
|
+
version: '11.1'
|
140
154
|
description: AWS Recon is a command line tool to collect resources from an Amazon
|
141
155
|
Web Services (AWS) account. The tool outputs JSON suitable for processing with other
|
142
156
|
tools.
|
@@ -149,6 +163,8 @@ extensions: []
|
|
149
163
|
extra_rdoc_files: []
|
150
164
|
files:
|
151
165
|
- ".github/stale.yml"
|
166
|
+
- ".github/workflows/docker-build.yml"
|
167
|
+
- ".github/workflows/smoke-test.yml"
|
152
168
|
- ".gitignore"
|
153
169
|
- ".rubocop.yml"
|
154
170
|
- ".travis.yml"
|
@@ -164,6 +180,7 @@ files:
|
|
164
180
|
- lib/aws_recon.rb
|
165
181
|
- lib/aws_recon/aws_recon.rb
|
166
182
|
- lib/aws_recon/collectors.rb
|
183
|
+
- lib/aws_recon/collectors/accessanalyzer.rb
|
167
184
|
- lib/aws_recon/collectors/acm.rb
|
168
185
|
- lib/aws_recon/collectors/apigateway.rb
|
169
186
|
- lib/aws_recon/collectors/apigatewayv2.rb
|