aws_recon 0.3.0 → 0.3.5
- checksums.yaml +4 -4
- data/lib/aws_recon/aws_recon.rb +4 -4
- data/lib/aws_recon/collectors/ec2.rb +1 -0
- data/lib/aws_recon/collectors/emr.rb +20 -6
- data/lib/aws_recon/collectors/iam.rb +22 -0
- data/lib/aws_recon/collectors/s3.rb +3 -1
- data/lib/aws_recon/services.yaml +31 -26
- data/lib/aws_recon/version.rb +1 -1
- metadata +2 -3
- data/.travis.yml +0 -7
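--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 12b30d8e1939333bd6a2f94ba0bfa5a8b9aa381e0330546425158360cda8e099
+data.tar.gz: dea36844f6fc06403b563fd0dc6938d222c0dc8757b7b88c0cdd03e0b5df79e5
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 50fa5ec78c7bbedc8f89321cbd0a679945e2509a2ba8d51c0fd6e95d15a3e7cdf29db051f0b9816d85bf49af0d7375e2f8ada6796b7c9a4ddb3b403ebda4b598
+data.tar.gz: d1d1cb453321a8dcb669839b3e9597af0a11882863c15f9a44c23f6dda77efaa0c302ed3208032c12a12f97b09f9eff0776f4346e579b588ab10c1ba4d2b713e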
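--- a/data/lib/aws_recon/aws_recon.rb
+++ b/data/lib/aws_recon/aws_recon.rb
@@ -6,7 +6,7 @@ module AwsRecon
 class CLI
 def initialize
 # parse options
-@options = Parser.parse ARGV.
+@options = Parser.parse ARGV.empty? ? %w[-h] : ARGV
 
 # timing
 @starting = Process.clock_gettime(Process::CLOCK_MONOTONIC)
@@ -15,11 +15,11 @@ module AwsRecon
 @account_id = Aws::STS::Client.new.get_caller_identity.account
 
 # AWS services
-@aws_services = YAML.
+@aws_services = YAML.safe_load(File.read(SERVICES_CONFIG_FILE), symbolize_names: true)
 
 # User config services
 if @options.config_file
-user_config = YAML.
+user_config = YAML.safe_load(File.read(@options.config_file), symbolize_names: true)
 
 @services = user_config[:services]
 @regions = user_config[:regions]
@@ -94,7 +94,7 @@ module AwsRecon
 next unless @regions.include?(region) && !skip_region
 
 # user included this service in the args
-next unless @services.include?(service.name) || @services.include?(service.alias)
+next unless @services.include?(service.name) || @services.include?(service.alias)
 
 collect(service, region)
 end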
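Review bot: `user_config[:services]` and `user_config[:regions]` right after the new `safe_load` line in the second hunk assume a Hash came back, but `YAML.safe_load` returns `nil` for an empty config file and the keys may simply be absent, so `@services` ends up `nil` and the `@services.include?` check in the third hunk fails with a NoMethodError far from the real cause. Keeping the failure at the config file is two lines: `user_config = YAML.safe_load(File.read(@options.config_file), symbolize_names: true) || {}` and then `@services = user_config.fetch(:services)` / `@regions = user_config.fetch(:regions)`, which raise a KeyError naming the missing key. Moving both loads to `safe_load` is the right choice given that the user config path arrives from the command line. `initialize` continues past the hunk, so if a validation of `user_config` already lives there this is moot.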
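--- a/data/lib/aws_recon/collectors/emr.rb
+++ b/data/lib/aws_recon/collectors/emr.rb
@@ -13,14 +13,20 @@ class EMR < Mapper
 #
 # get_block_public_access_configuration
 #
-
-
+begin
+@client.get_block_public_access_configuration.each do |response|
+log(response.context.operation_name)
 
-
-
-
+struct = OpenStruct.new(response.block_public_access_configuration.to_h)
+struct.type = 'configuration'
+struct.arn = "arn:aws:emr:#{@region}:#{@account}/block_public_access_configuration"
 
-
+resources.push(struct.to_h)
+end
+rescue Aws::EMR::Errors::ServiceError => e
+log_error(e.code)
+
+raise e unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
 end
 
 #
@@ -42,4 +48,12 @@ class EMR < Mapper
 
 resources
 end
+
+private
+
+def suppressed_errors
+%w[
+InvalidRequestException
+]
+end
 end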
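Review bot: `suppressed_errors` in the second hunk lists `InvalidRequestException` with no explanation, and since `log_error(e.code)` in the first hunk is the only trace, an operator reading the log cannot tell a region that does not offer block-public-access from a genuinely malformed request that left the inventory incomplete. A comment on the list would carry the intent, e.g. `# logged but not raised; TODO confirm EMR returns this only where block public access is unsupported (EMR's excluded_regions were dropped from services.yaml in this release)`. The `log_error(e.code)` call also passes a single argument where the S3 collector in this same release calls `log_error(bucket.name, op.func, e.code)`; if `Mapper#log_error` is shared, confirm it accepts both arities, and passing the operation name here too would make the EMR log line as useful for triage as the S3 one. The method these hunks belong to starts before the first hunk.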
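--- a/data/lib/aws_recon/collectors/iam.rb
+++ b/data/lib/aws_recon/collectors/iam.rb
@@ -91,6 +91,28 @@ class IAM < Mapper
 end
 end
 
+#
+# list_instance_profiles
+#
+@client.list_instance_profiles.each_with_index do |response, page|
+log(response.context.operation_name, page)
+
+# instance_profiles
+response.instance_profiles.each do |profile|
+struct = OpenStruct.new(profile.to_h)
+struct.type = 'instance_profile'
+struct.arn = profile.arn
+struct.roles = []
+
+profile.roles&.each do |role|
+role.assume_role_policy_document = role.assume_role_policy_document.parse_policy
+struct.roles.push(role.to_h)
+end
+
+resources.push(struct.to_h)
+end
+end
+
 #
 # get_account_password_policy
 #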
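Review bot: `role.assume_role_policy_document.parse_policy` on new line 108 dereferences the document with no nil guard, so one instance-profile role whose document is absent becomes a NoMethodError that aborts the whole `list_instance_profiles` walk instead of one role; `role.assume_role_policy_document = role.assume_role_policy_document&.parse_policy` keeps the loop going. `parse_policy` is not a core String method and is defined outside this hunk, so this assumes it is the project's own helper and that it tolerates whatever form the document arrives in. Unlike the EMR collector in this release, the new block carries no `rescue Aws::IAM::Errors::ServiceError`; the enclosing method starts before the hunk, and if it has no rescue of its own, a permissions error on this call would presumably take the password-policy collection that follows down with it. A short comment above the block stating which error handling applies would settle that for the next reader.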
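--- a/data/lib/aws_recon/collectors/s3.rb
+++ b/data/lib/aws_recon/collectors/s3.rb
@@ -48,6 +48,7 @@ class S3 < Mapper
 { func: 'get_bucket_policy', key: 'policy', field: 'policy' },
 { func: 'get_bucket_policy_status', key: 'public', field: 'policy_status' },
 { func: 'get_public_access_block', key: 'public_access_block', field: 'public_access_block_configuration' },
+{ func: 'get_object_lock_configuration', key: 'object_lock_configuration', field: 'object_lock_configuration' },
 { func: 'get_bucket_tagging', key: 'tagging', field: nil },
 { func: 'get_bucket_logging', key: 'logging', field: 'logging_enabled' },
 { func: 'get_bucket_versioning', key: 'versioning', field: nil },
@@ -66,7 +67,7 @@ class S3 < Mapper
 end
 
 rescue Aws::S3::Errors::ServiceError => e
-log_error(e.code)
+log_error(bucket.name, op.func, e.code)
 
 raise e unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
 end
@@ -90,6 +91,7 @@ class S3 < Mapper
 NoSuchWebsiteConfiguration
 ReplicationConfigurationNotFoundError
 NoSuchPublicAccessBlockConfiguration
+ObjectLockConfigurationNotFoundError
 ]
 end
 end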
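Review bot: Nothing records that the `ObjectLockConfigurationNotFoundError` entry added in the third hunk exists for the `get_object_lock_configuration` row added in the first, so the next `get_*` op added to the table will raise on every bucket that lacks that configuration until someone rediscovers the pairing. A comment above the list, `# 'not configured' codes for the ops table above; add the matching code whenever a get_* op is added`, records the dependency. The rescue in the second hunk now logging `bucket.name` and `op.func` is a real gain for triage; the method it belongs to starts and ends outside the hunk, so it is assumed both names are still in scope there.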
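--- a/data/lib/aws_recon/services.yaml
+++ b/data/lib/aws_recon/services.yaml
@@ -13,11 +13,12 @@
 - name: CodeBuild
 alias: codebuild
 excluded_regions:
--
+- ap-northeast-3
 - name: CodePipeline
 alias: codepipeline
 excluded_regions:
 - af-south-1
+- ap-northeast-3
 - me-south-1
 - name: AutoScaling
 alias: autoscaling
@@ -40,17 +41,10 @@
 - ap-southeast-1
 - name: ElasticLoadBalancingV2
 alias: elbv2
-excluded_regions:
-- ap-southeast-1
 - name: ElastiCache
 alias: elasticache
 - name: EMR
 alias: emr
-excluded_regions:
-- ap-east-1
-- af-south-1
-- eu-south-1
-- me-south-1
 - name: IAM
 global: true
 alias: iam
@@ -96,11 +90,9 @@
 - name: SES
 alias: ses
 excluded_regions:
-- eu-north-1
-- eu-west-3
-- us-west-1
-- ap-east-1
 - af-south-1
+- ap-east-1
+- ap-northeast-3
 - eu-south-1
 - name: CloudWatch
 alias: cloudwatch
@@ -110,65 +102,78 @@
 alias: kafka
 excluded_regions:
 - af-south-1
+- ap-northeast-3
 - name: SecretsManager
 alias: sm
 - name: SecurityHub
 alias: sh
+excluded_regions:
+- ap-northeast-3
 - name: Support
 global: true
 alias: support
 - name: SSM
 alias: ssm
-excluded_regions:
-- ap-southeast-1
 - name: GuardDuty
 alias: guardduty
+excluded_regions:
+- ap-northeast-3
 - name: Athena
 alias: athena
+excluded_regions:
+- ap-northeast-3
 - name: EFS
 alias: efs
+excluded_regions:
+- ap-northeast-3
 - name: Firehose
 alias: firehose
 - name: Lightsail
 alias: lightsail
 excluded_regions:
-- eu-north-1
-- us-west-1
-- sa-east-1
-- ap-east-1
 - af-south-1
+- ap-east-1
+- ap-northeast-3
+- eu-north-1
 - eu-south-1
 - me-south-1
+- sa-east-1
+- us-west-1
 - name: WorkSpaces
 alias: workspaces
 excluded_regions:
--
+- af-south-1
+- ap-east-1
+- ap-northeast-3
 - ap-south-1
+- eu-north-1
+- eu-south-1
 - eu-west-3
+- me-south-1
 - us-east-2
 - us-west-1
-- ap-east-1
-- af-south-1
-- eu-south-1
-- me-south-1
 - name: SageMaker
 alias: sagemaker
+excluded_regions:
+- ap-northeast-3
 - name: ServiceQuotas
 alias: servicequotas
 - name: Transfer
 alias: transfer
 excluded_regions:
-- ap-
-- af-south-1
+- ap-northeast-3
 - eu-south-1
-- me-south-1
 - name: DirectConnect
 alias: dc
 - name: DirectoryService
 alias: ds
+excluded_regions:
+- ap-northeast-3
 - name: DatabaseMigrationService
 alias: dms
 - name: XRay
 alias: xray
 - name: WAFV2
 alias: wafv2
+excluded_regions:
+- ap-northeast-3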
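Review bot: Nothing in the file records why EMR has no `excluded_regions` block at all after the second hunk (ap-east-1, af-south-1, eu-south-1 and me-south-1 are dropped), so the EMR collector now runs in every region the run covers; the emr.rb change in this same release adds an `InvalidRequestException` suppression, which looks like the replacement mechanism, but that link lives only in the reviewer's head. A comment on the entry, `# no excluded_regions: unsupported regions are handled by the collector's error suppression`, would keep the two in step when one is edited without the other. Transfer's list in the fourth hunk likewise loses `af-south-1` and `me-south-1` with no suppression counterpart visible in this diff; worth confirming that was intended rather than a side effect of the ap-northeast-3 sweep.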
data/lib/aws_recon/version.rb
CHANGED
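--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-version: 0.3.
+version: 0.3.5
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk
@@ -167,7 +167,6 @@ files:
 - ".github/workflows/smoke-test.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - Dockerfile
 - Gemfile
 - LICENSE.txt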