aws_recon 0.3.0 → 0.3.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a7f479006111ba869fcdccea5264ffb5a3cc4c0536e0b2cf4a6b3581ff65146
-  data.tar.gz: dfa1191aea8a07fcd9a54be418f913b777f0bd43cf5cf9cbdfb0b8f8707dc8aa
+  metadata.gz: 12b30d8e1939333bd6a2f94ba0bfa5a8b9aa381e0330546425158360cda8e099
+  data.tar.gz: dea36844f6fc06403b563fd0dc6938d222c0dc8757b7b88c0cdd03e0b5df79e5
 SHA512:
-  metadata.gz: 8f5a65342608fd58234383c704ddb416333e1439ca024e8e09bb0b3e96cfe2df0d53b5489ad040317b7b47b0f523c4c8252753af81e018866f081ef2c06cf414
-  data.tar.gz: '0867e52a15899ff2e63f141ab376b2992f968c4b19a0a64b57b1506d1cc036a8724b289c231a8a15dd4118bad65eff6945b891629150d8fe6bf9afb284bca0dd'
+  metadata.gz: 50fa5ec78c7bbedc8f89321cbd0a679945e2509a2ba8d51c0fd6e95d15a3e7cdf29db051f0b9816d85bf49af0d7375e2f8ada6796b7c9a4ddb3b403ebda4b598
+  data.tar.gz: d1d1cb453321a8dcb669839b3e9597af0a11882863c15f9a44c23f6dda77efaa0c302ed3208032c12a12f97b09f9eff0776f4346e579b588ab10c1ba4d2b713e

data/lib/aws_recon/aws_recon.rb

@@ -6,7 +6,7 @@ module AwsRecon
   class CLI
     def initialize
       # parse options
-      @options = Parser.parse ARGV.length < 1 ? %w[-h] : ARGV
+      @options = Parser.parse ARGV.empty? ? %w[-h] : ARGV
 
       # timing
       @starting = Process.clock_gettime(Process::CLOCK_MONOTONIC)
@@ -15,11 +15,11 @@ module AwsRecon
       @account_id = Aws::STS::Client.new.get_caller_identity.account
 
       # AWS services
-      @aws_services = YAML.load(File.read(SERVICES_CONFIG_FILE), symbolize_names: true)
+      @aws_services = YAML.safe_load(File.read(SERVICES_CONFIG_FILE), symbolize_names: true)
 
       # User config services
       if @options.config_file
-        user_config = YAML.load(File.read(@options.config_file), symbolize_names: true)
+        user_config = YAML.safe_load(File.read(@options.config_file), symbolize_names: true)
 
         @services = user_config[:services]
         @regions = user_config[:regions]
@@ -94,7 +94,7 @@ module AwsRecon
           next unless @regions.include?(region) && !skip_region
 
           # user included this service in the args
-          next unless @services.include?(service.name) || @services.include?(service.alias) # rubocop:disable Layout/LineLength
+          next unless @services.include?(service.name) || @services.include?(service.alias)
 
           collect(service, region)
         end

data/lib/aws_recon/collectors/ec2.rb

@@ -29,6 +29,7 @@ class EC2 < Mapper
         struct = OpenStruct.new
         struct.attributes = response.account_attributes.map(&:to_h)
         struct.type = 'account'
+        struct.arn = "arn:aws::#{@account}"
 
         resources.push(struct.to_h)
       end

data/lib/aws_recon/collectors/emr.rb

@@ -13,14 +13,20 @@ class EMR < Mapper
     #
     # get_block_public_access_configuration
     #
-    @client.get_block_public_access_configuration.each do |response|
-      log(response.context.operation_name)
+    begin
+      @client.get_block_public_access_configuration.each do |response|
+        log(response.context.operation_name)
 
-      struct = OpenStruct.new(response.block_public_access_configuration.to_h)
-      struct.type = 'configuration'
-      struct.arn = "arn:aws:emr:#{@region}:#{@account}/block_public_access_configuration"
+        struct = OpenStruct.new(response.block_public_access_configuration.to_h)
+        struct.type = 'configuration'
+        struct.arn = "arn:aws:emr:#{@region}:#{@account}/block_public_access_configuration"
 
-      resources.push(struct.to_h)
+        resources.push(struct.to_h)
+      end
+    rescue Aws::EMR::Errors::ServiceError => e
+      log_error(e.code)
+
+      raise e unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
     end
 
     #
@@ -42,4 +48,12 @@ class EMR < Mapper
 
     resources
   end
+
+  private
+
+  def suppressed_errors
+    %w[
+      InvalidRequestException
+    ]
+  end
 end

data/lib/aws_recon/collectors/iam.rb

@@ -91,6 +91,28 @@ class IAM < Mapper
       end
     end
 
+    #
+    # list_instance_profiles
+    #
+    @client.list_instance_profiles.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      # instance_profiles
+      response.instance_profiles.each do |profile|
+        struct = OpenStruct.new(profile.to_h)
+        struct.type = 'instance_profile'
+        struct.arn = profile.arn
+        struct.roles = []
+
+        profile.roles&.each do |role|
+          role.assume_role_policy_document = role.assume_role_policy_document.parse_policy
+          struct.roles.push(role.to_h)
+        end
+
+        resources.push(struct.to_h)
+      end
+    end
+
     #
     # get_account_password_policy
     #

data/lib/aws_recon/collectors/s3.rb

@@ -48,6 +48,7 @@ class S3 < Mapper
           { func: 'get_bucket_policy', key: 'policy', field: 'policy' },
           { func: 'get_bucket_policy_status', key: 'public', field: 'policy_status' },
           { func: 'get_public_access_block', key: 'public_access_block', field: 'public_access_block_configuration' },
+          { func: 'get_object_lock_configuration', key: 'object_lock_configuration', field: 'object_lock_configuration' },
           { func: 'get_bucket_tagging', key: 'tagging', field: nil },
           { func: 'get_bucket_logging', key: 'logging', field: 'logging_enabled' },
           { func: 'get_bucket_versioning', key: 'versioning', field: nil },
@@ -66,7 +67,7 @@ class S3 < Mapper
                            end
 
         rescue Aws::S3::Errors::ServiceError => e
-          log_error(e.code)
+          log_error(bucket.name, op.func, e.code)
 
           raise e unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
         end
@@ -90,6 +91,7 @@ class S3 < Mapper
       NoSuchWebsiteConfiguration
       ReplicationConfigurationNotFoundError
       NoSuchPublicAccessBlockConfiguration
+      ObjectLockConfigurationNotFoundError
     ]
   end
 end

data/lib/aws_recon/services.yaml

@@ -13,11 +13,12 @@
 - name: CodeBuild
   alias: codebuild
   excluded_regions:
-    - af-south-1
+    - ap-northeast-3
 - name: CodePipeline
   alias: codepipeline
   excluded_regions:
     - af-south-1
+    - ap-northeast-3
     - me-south-1
 - name: AutoScaling
   alias: autoscaling
@@ -40,17 +41,10 @@
     - ap-southeast-1
 - name: ElasticLoadBalancingV2
   alias: elbv2
-  excluded_regions:
-    - ap-southeast-1
 - name: ElastiCache
   alias: elasticache
 - name: EMR
   alias: emr
-  excluded_regions:
-    - ap-east-1
-    - af-south-1
-    - eu-south-1
-    - me-south-1
 - name: IAM
   global: true
   alias: iam
@@ -96,11 +90,9 @@
 - name: SES
   alias: ses
   excluded_regions:
-    - eu-north-1
-    - eu-west-3
-    - us-west-1
-    - ap-east-1
     - af-south-1
+    - ap-east-1
+    - ap-northeast-3
     - eu-south-1
 - name: CloudWatch
   alias: cloudwatch
@@ -110,65 +102,78 @@
   alias: kafka
   excluded_regions:
     - af-south-1
+    - ap-northeast-3
 - name: SecretsManager
   alias: sm
 - name: SecurityHub
   alias: sh
+  excluded_regions:
+    - ap-northeast-3
 - name: Support
   global: true
   alias: support
 - name: SSM
   alias: ssm
-  excluded_regions:
-    - ap-southeast-1
 - name: GuardDuty
   alias: guardduty
+  excluded_regions:
+    - ap-northeast-3
 - name: Athena
   alias: athena
+  excluded_regions:
+    - ap-northeast-3
 - name: EFS
   alias: efs
+  excluded_regions:
+    - ap-northeast-3
 - name: Firehose
   alias: firehose
 - name: Lightsail
   alias: lightsail
   excluded_regions:
-    - eu-north-1
-    - us-west-1
-    - sa-east-1
-    - ap-east-1
     - af-south-1
+    - ap-east-1
+    - ap-northeast-3
+    - eu-north-1
     - eu-south-1
     - me-south-1
+    - sa-east-1
+    - us-west-1
 - name: WorkSpaces
   alias: workspaces
   excluded_regions:
-    - eu-north-1
+    - af-south-1
+    - ap-east-1
+    - ap-northeast-3
     - ap-south-1
+    - eu-north-1
+    - eu-south-1
     - eu-west-3
+    - me-south-1
     - us-east-2
     - us-west-1
-    - ap-east-1
-    - af-south-1
-    - eu-south-1
-    - me-south-1
 - name: SageMaker
   alias: sagemaker
+  excluded_regions:
+    - ap-northeast-3
 - name: ServiceQuotas
   alias: servicequotas
 - name: Transfer
   alias: transfer
   excluded_regions:
-    - ap-east-1
-    - af-south-1
+    - ap-northeast-3
     - eu-south-1
-    - me-south-1
 - name: DirectConnect
   alias: dc
 - name: DirectoryService
   alias: ds
+  excluded_regions:
+    - ap-northeast-3
 - name: DatabaseMigrationService
   alias: dms
 - name: XRay
   alias: xray
 - name: WAFV2
   alias: wafv2
+  excluded_regions:
+    - ap-northeast-3

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.3.0"
+  VERSION = "0.3.5"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.5
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-03 00:00:00.000000000 Z
+date: 2021-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -167,7 +167,6 @@ files:
 - ".github/workflows/smoke-test.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - Dockerfile
 - Gemfile
 - LICENSE.txt

data/.travis.yml

@@ -1,7 +0,0 @@
----
-sudo: false
-language: ruby
-cache: bundler
-rvm:
-  - 2.6.5
-before_install: gem install bundler -v 1.17.3