aws_recon 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f7ece5998d62559623442fbd5435c0a6949abb140c00a72007ab28b19cefa0a
-  data.tar.gz: b7ebfdc20a895b60a29435b4f70456c73c99d99ae1a642e06bbab9a86f70fd5a
+  metadata.gz: 9647cee32c4df1624a99cf180258f43e664e7ee62b8ceee5fe00b8d6b31a2803
+  data.tar.gz: aca9a6383263ca7add32682df25a633ad9db031a50d2f38f319f903b6dd75c45
 SHA512:
-  metadata.gz: 027ee08ba24948e23d96988410aea58b95803dbf3f6e54b496c6da20f36a6913b1e590ca434a0301bf19900cc540989759c38ea96cc4986270d239183effbcdb
-  data.tar.gz: c714d6d005d95806a89fe9ff1b82ec4d5dfc12a05ace708505849a84acc594576a9b53b8843cd6b36cc9a0d49a7dc0ca2830a5ae48f0faa9ae21c2cd8cf63cd2
+  metadata.gz: 426acf5937d26974c7a7c5bc26e84487fe8b76cc28bf0f51a7302d05897356e7007b877e26a47cc3af7b54044ac45bec23b409b1b66bef0336aaa1216d340437
+  data.tar.gz: 790fd25c65d4fe49c2e3857f65cddb590ecfe9f481b923bcdf8def9007ddf1ccb0b16f616164e7472b43a75eebe77698146d3d2e46204af1085b276afedf2099

data/.rubocop.yml

@@ -12,7 +12,6 @@ Layout/LineLength:
   Max: 100
 Style/FrozenStringLiteralComment:
   EnforcedStyle: always_true
-  Safe: true
   SafeAutoCorrect: true
 Style/ClassAndModuleChildren:
   Enabled: false

data/lib/aws_recon/aws_recon.rb

@@ -6,7 +6,7 @@ module AwsRecon
   class CLI
     def initialize
       # parse options
-      @options = Parser.parse ARGV.length < 1 ? %w[-h] : ARGV
+      @options = Parser.parse ARGV.empty? ? %w[-h] : ARGV
 
       # timing
       @starting = Process.clock_gettime(Process::CLOCK_MONOTONIC)
@@ -15,11 +15,11 @@ module AwsRecon
       @account_id = Aws::STS::Client.new.get_caller_identity.account
 
       # AWS services
-      @aws_services = YAML.load(File.read(SERVICES_CONFIG_FILE), symbolize_names: true)
+      @aws_services = YAML.safe_load(File.read(SERVICES_CONFIG_FILE), symbolize_names: true)
 
       # User config services
       if @options.config_file
-        user_config = YAML.load(File.read(@options.config_file), symbolize_names: true)
+        user_config = YAML.safe_load(File.read(@options.config_file), symbolize_names: true)
 
         @services = user_config[:services]
         @regions = user_config[:regions]
@@ -34,9 +34,9 @@ module AwsRecon
       # formatter
       @formatter = Formatter.new
 
-      unless @options.stream_output
-        puts "\nStarting collection with #{@options.threads} threads...\n"
-      end
+      return unless @options.stream_output
+
+      puts "\nStarting collection with #{@options.threads} threads...\n"
     end
 
     #
@@ -72,7 +72,7 @@ module AwsRecon
       #
       # global services
       #
-      @aws_services.map { |x| OpenStruct.new(x) }.filter { |s| s.global }.each do |service|
+      @aws_services.map { |x| OpenStruct.new(x) }.filter(&:global).each do |service|
         # user included this service in the args
         next unless @services.include?(service.name)
 
@@ -94,7 +94,7 @@ module AwsRecon
           next unless @regions.include?(region) && !skip_region
 
           # user included this service in the args
-          next unless @services.include?(service.name) || @services.include?(service.alias) # rubocop:disable Layout/LineLength
+          next unless @services.include?(service.name) || @services.include?(service.alias)
 
           collect(service, region)
         end
@@ -104,14 +104,45 @@ module AwsRecon
 
       puts "\nStopped early after \x1b[32m#{elapsed.to_i}\x1b[0m seconds.\n"
     ensure
+      elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
+
+      puts "\nFinished in \x1b[32m#{elapsed.to_i}\x1b[0m seconds.\n\n"
+
       # write output file
       if @options.output_file
-        elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
-
-        puts "\nFinished in \x1b[32m#{elapsed.to_i}\x1b[0m seconds. Saving resources to \x1b[32m#{@options.output_file}\x1b[0m.\n\n"
+        puts "Saving resources to \x1b[32m#{@options.output_file}\x1b[0m.\n\n"
 
         File.write(@options.output_file, @resources.to_json)
       end
+
+      # write output file to S3 bucket
+      if @options.s3
+        t = Time.now.utc
+
+        s3_full_object_path = "AWSRecon/#{t.year}/#{t.month}/#{t.day}/#{@account_id}_aws_recon_#{t.to_i}.json.gz"
+
+        begin
+          # get bucket name (and region if not us-east-1)
+          s3_bucket, s3_region = @options.s3.split(':')
+
+          # build IO object and gzip it
+          io = StringIO.new
+          gzip_data = Zlib::GzipWriter.new(io)
+          gzip_data.write(@resources.to_json)
+          gzip_data.close
+
+          # send it to S3
+          s3_client = Aws::S3::Client.new(region: s3_region || 'us-east-1')
+          s3_resource = Aws::S3::Resource.new(client: s3_client)
+          obj = s3_resource.bucket(s3_bucket).object(s3_full_object_path)
+          obj.put(body: io.string)
+
+          puts "Saving resources to S3 \x1b[32ms3://#{s3_bucket}/#{s3_full_object_path}\x1b[0m\n\n"
+        rescue Aws::S3::Errors::ServiceError => e
+          puts "\x1b[35mError!\x1b[0m - could not save output S3 bucket\n\n"
+          puts "#{e.message} - #{e.code}\n"
+        end
+      end
     end
   end
 end

data/lib/aws_recon/collectors.rb

@@ -1,2 +1,4 @@
+# frozen_string_literal: true
+
 # require all collectors
-Dir[File.join(__dir__, 'collectors', '*.rb')].each { |file| require file }
+Dir[File.join(__dir__, 'collectors', '*.rb')].sort.each { |file| require file }

data/lib/aws_recon/collectors/emr.rb

@@ -13,14 +13,20 @@ class EMR < Mapper
     #
     # get_block_public_access_configuration
     #
-    @client.get_block_public_access_configuration.each do |response|
-      log(response.context.operation_name)
+    begin
+      @client.get_block_public_access_configuration.each do |response|
+        log(response.context.operation_name)
 
-      struct = OpenStruct.new(response.block_public_access_configuration.to_h)
-      struct.type = 'configuration'
-      struct.arn = "arn:aws:emr:#{@region}:#{@account}/block_public_access_configuration"
+        struct = OpenStruct.new(response.block_public_access_configuration.to_h)
+        struct.type = 'configuration'
+        struct.arn = "arn:aws:emr:#{@region}:#{@account}/block_public_access_configuration"
 
-      resources.push(struct.to_h)
+        resources.push(struct.to_h)
+      end
+    rescue Aws::EMR::Errors::ServiceError => e
+      log_error(e.code)
+
+      raise e unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
     end
 
     #
@@ -42,4 +48,12 @@ class EMR < Mapper
 
     resources
   end
+
+  private
+
+  def suppressed_errors
+    %w[
+      InvalidRequestException
+    ]
+  end
 end

data/lib/aws_recon/collectors/iam.rb

@@ -91,6 +91,28 @@ class IAM < Mapper
       end
     end
 
+    #
+    # list_instance_profiles
+    #
+    @client.list_instance_profiles.each_with_index do |response, page|
+      log(response.context.operation_name, page)
+
+      # instance_profiles
+      response.instance_profiles.each do |profile|
+        struct = OpenStruct.new(profile.to_h)
+        struct.type = 'instance_profile'
+        struct.arn = profile.arn
+        struct.roles = []
+
+        profile.roles&.each do |role|
+          role.assume_role_policy_document = role.assume_role_policy_document.parse_policy
+          struct.roles.push(role.to_h)
+        end
+
+        resources.push(struct.to_h)
+      end
+    end
+
     #
     # get_account_password_policy
     #

data/lib/aws_recon/collectors/s3.rb

@@ -48,6 +48,7 @@ class S3 < Mapper
           { func: 'get_bucket_policy', key: 'policy', field: 'policy' },
           { func: 'get_bucket_policy_status', key: 'public', field: 'policy_status' },
           { func: 'get_public_access_block', key: 'public_access_block', field: 'public_access_block_configuration' },
+          { func: 'get_object_lock_configuration', key: 'object_lock_configuration', field: 'object_lock_configuration' },
           { func: 'get_bucket_tagging', key: 'tagging', field: nil },
           { func: 'get_bucket_logging', key: 'logging', field: 'logging_enabled' },
           { func: 'get_bucket_versioning', key: 'versioning', field: nil },
@@ -66,7 +67,7 @@ class S3 < Mapper
                            end
 
         rescue Aws::S3::Errors::ServiceError => e
-          log_error(e.code)
+          log_error(bucket.name, op.func, e.code)
 
           raise e unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
         end
@@ -90,6 +91,7 @@ class S3 < Mapper
       NoSuchWebsiteConfiguration
       ReplicationConfigurationNotFoundError
       NoSuchPublicAccessBlockConfiguration
+      ObjectLockConfigurationNotFoundError
     ]
   end
 end

data/lib/aws_recon/options.rb

@@ -6,6 +6,7 @@
 class Parser
   DEFAULT_CONFIG_FILE = nil
   DEFAULT_OUTPUT_FILE = File.expand_path(File.join(Dir.pwd, 'output.json')).freeze
+  DEFAULT_S3_PATH = nil
   SERVICES_CONFIG_FILE = File.join(File.dirname(__FILE__), 'services.yaml').freeze
   DEFAULT_FORMAT = 'aws'
   DEFAULT_THREADS = 8
@@ -15,6 +16,7 @@ class Parser
     :regions,
     :services,
     :config_file,
+    :s3,
     :output_file,
     :output_format,
     :threads,
@@ -43,6 +45,7 @@ class Parser
       aws_regions,
       aws_services.map { |service| service[:name] },
       DEFAULT_CONFIG_FILE,
+      DEFAULT_S3_PATH,
       DEFAULT_OUTPUT_FILE,
       DEFAULT_FORMAT,
       DEFAULT_THREADS,
@@ -93,6 +96,11 @@ class Parser
         args.config_file = config
       end
 
+      # write output file to S3 bucket
+      opts.on('-b', '--s3-bucket [BUCKET:REGION]', 'Write output file to S3 bucket (default: \'\')') do |bucket_with_region|
+        args.s3 = bucket_with_region
+      end
+
       # output file
       opts.on('-o', '--output [OUTPUT]', 'Specify output file (default: output.json)') do |output|
         args.output_file = File.expand_path(File.join(Dir.pwd, output))

data/lib/aws_recon/services.yaml

@@ -13,11 +13,12 @@
 - name: CodeBuild
   alias: codebuild
   excluded_regions:
-    - af-south-1
+    - ap-northeast-3
 - name: CodePipeline
   alias: codepipeline
   excluded_regions:
     - af-south-1
+    - ap-northeast-3
     - me-south-1
 - name: AutoScaling
   alias: autoscaling
@@ -40,17 +41,10 @@
     - ap-southeast-1
 - name: ElasticLoadBalancingV2
   alias: elbv2
-  excluded_regions:
-    - ap-southeast-1
 - name: ElastiCache
   alias: elasticache
 - name: EMR
   alias: emr
-  excluded_regions:
-    - ap-east-1
-    - af-south-1
-    - eu-south-1
-    - me-south-1
 - name: IAM
   global: true
   alias: iam
@@ -96,11 +90,9 @@
 - name: SES
   alias: ses
   excluded_regions:
-    - eu-north-1
-    - eu-west-3
-    - us-west-1
-    - ap-east-1
     - af-south-1
+    - ap-east-1
+    - ap-northeast-3
     - eu-south-1
 - name: CloudWatch
   alias: cloudwatch
@@ -110,65 +102,78 @@
   alias: kafka
   excluded_regions:
     - af-south-1
+    - ap-northeast-3
 - name: SecretsManager
   alias: sm
 - name: SecurityHub
   alias: sh
+  excluded_regions:
+    - ap-northeast-3
 - name: Support
   global: true
   alias: support
 - name: SSM
   alias: ssm
-  excluded_regions:
-    - ap-southeast-1
 - name: GuardDuty
   alias: guardduty
+  excluded_regions:
+    - ap-northeast-3
 - name: Athena
   alias: athena
+  excluded_regions:
+    - ap-northeast-3
 - name: EFS
   alias: efs
+  excluded_regions:
+    - ap-northeast-3
 - name: Firehose
   alias: firehose
 - name: Lightsail
   alias: lightsail
   excluded_regions:
-    - eu-north-1
-    - us-west-1
-    - sa-east-1
-    - ap-east-1
     - af-south-1
+    - ap-east-1
+    - ap-northeast-3
+    - eu-north-1
     - eu-south-1
     - me-south-1
+    - sa-east-1
+    - us-west-1
 - name: WorkSpaces
   alias: workspaces
   excluded_regions:
-    - eu-north-1
+    - af-south-1
+    - ap-east-1
+    - ap-northeast-3
     - ap-south-1
+    - eu-north-1
+    - eu-south-1
     - eu-west-3
+    - me-south-1
     - us-east-2
     - us-west-1
-    - ap-east-1
-    - af-south-1
-    - eu-south-1
-    - me-south-1
 - name: SageMaker
   alias: sagemaker
+  excluded_regions:
+    - ap-northeast-3
 - name: ServiceQuotas
   alias: servicequotas
 - name: Transfer
   alias: transfer
   excluded_regions:
-    - ap-east-1
-    - af-south-1
+    - ap-northeast-3
     - eu-south-1
-    - me-south-1
 - name: DirectConnect
   alias: dc
 - name: DirectoryService
   alias: ds
+  excluded_regions:
+    - ap-northeast-3
 - name: DatabaseMigrationService
   alias: dms
 - name: XRay
   alias: xray
 - name: WAFV2
   alias: wafv2
+  excluded_regions:
+    - ap-northeast-3

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.3.1"
+  VERSION = "0.4.0"
 end

data/readme.md

@@ -5,9 +5,9 @@
 
 A multi-threaded AWS inventory collection tool.
 
-The [creators](https://darkbit.io) of this tool have a recurring need to be able to efficiently collect a large amount of AWS resource attributes and metadata to help clients understand their cloud security posture.
+This tool was created to facilitate efficient collection of a large amount of AWS resource attributes and metadata. It aims to collect nearly everything that is relevant to the security configuration and posture of an AWS environment.
 
-Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity we needed. We also needed a tool that produced consistent output that was easily consumed by other tools/systems.
+Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity to accurately measure security posture (e.g. detailed attribute data and full policy documents).
 
 Enter AWS Recon, multi-threaded AWS inventory collection tool written in plain Ruby. Though Python tends to dominate the AWS tooling landscape, the [Ruby SDK](https://aws.amazon.com/sdk-for-ruby/) has a few convenient advantages over the [other](https://aws.amazon.com/sdk-for-node-js/) [AWS](https://aws.amazon.com/sdk-for-python/) [SDKs](https://aws.amazon.com/sdk-for-go/) we tested. Specifically, easy handling of automatic retries, paging of large responses, and - with some help - threading huge numbers of requests.
 
@@ -15,7 +15,7 @@ Enter AWS Recon, multi-threaded AWS inventory collection tool written in plain R
 
 - More complete resource coverage than available tools (especially for ECS & EKS)
 - More granular resource detail, including nested related resources in the output
-- Flexible output (console, JSON lines, plain JSON, file, standard out)
+- Flexible output (console, JSON lines, plain JSON, file, S3 bucket, and standard out)
 - Efficient (multi-threaded, rate limited, automatic retries, and automatic result paging)
 - Easy to maintain and extend
 
@@ -54,13 +54,13 @@ To run locally, first install the gem:
 
 ```
 $ gem install aws_recon
-Fetching aws_recon-0.3.0.gem
+Fetching aws_recon-0.4.0.gem
 Fetching aws-sdk-3.0.1.gem
 Fetching parallel-1.20.1.gem
 ...
 Successfully installed aws-sdk-3.0.1
 Successfully installed parallel-1.20.1
-Successfully installed aws_recon-0.3.0
+Successfully installed aws_recon-0.4.0
 ```
 
 Or add it to your Gemfile using `bundle`:
@@ -72,7 +72,7 @@ Resolving dependencies...
 ...
 Using aws-sdk 3.0.1
 Using parallel-1.20.1
-Using aws_recon 0.3.0
+Using aws_recon 0.4.0
 ```
 
 ## Usage
@@ -158,13 +158,37 @@ Finished in 46 seconds. Saving resources to output.json.
 #### Example command line options
 
 ```
+# collect S3 and EC2 global resources, as well as us-east-1 and us-east-2
+
 $ AWS_PROFILE=<profile> aws_recon -s S3,EC2 -r global,us-east-1,us-east-2
 ```
 
 ```
+# collect S3 and EC2 global resources, as well as us-east-1 and us-east-2
+
 $ AWS_PROFILE=<profile> aws_recon --services S3,EC2 --regions global,us-east-1,us-east-2
 ```
 
+```
+# save output to S3 bucket
+
+$ AWS_PROFILE=<profile> aws_recon \
+  --services S3,EC2 \
+  --regions global,us-east-1,us-east-2 \
+  --verbose \
+  --s3-bucket my-recon-bucket
+```
+
+```
+# save output to S3 bucket with a home region other than us-east-1
+
+$ AWS_PROFILE=<profile> aws_recon \
+  --services S3,EC2 \
+  --regions global,us-east-1,us-east-2 \
+  --verbose \
+  --s3-bucket my-recon-bucket:us-west-2
+```
+
 Example [OpenCSPM](https://github.com/OpenCSPM/opencspm) formatted (NDJSON) output.
 
 ```
@@ -225,7 +249,7 @@ Most users will want to limit collection to relevant services and regions. Runni
 ```
 $ aws_recon -h
 
-AWS Recon - AWS Inventory Collector (0.3.0)
+AWS Recon - AWS Inventory Collector (0.4.0)
 
 Usage: aws_recon [options]
     -r, --regions [REGIONS]          Regions to scan, separated by comma (default: all)
@@ -233,6 +257,7 @@ Usage: aws_recon [options]
     -s, --services [SERVICES]        Services to scan, separated by comma (default: all)
     -x, --not-services [SERVICES]    Services to skip, separated by comma (default: none)
     -c, --config [CONFIG]            Specify config file for services & regions (e.g. config.yaml)
+    -b, --s3-bucket [BUCKET:REGION]  Write output file to S3 bucket (default: '')
     -o, --output [OUTPUT]            Specify output file (default: output.json)
     -f, --format [FORMAT]            Specify output format (default: aws)
     -t, --threads [THREADS]          Specify max threads (default: 8, max: 128)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-05 00:00:00.000000000 Z
+date: 2021-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -167,7 +167,6 @@ files:
 - ".github/workflows/smoke-test.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - Dockerfile
 - Gemfile
 - LICENSE.txt

data/.travis.yml

@@ -1,7 +0,0 @@
----
-sudo: false
-language: ruby
-cache: bundler
-rvm:
-  - 2.6.5
-before_install: gem install bundler -v 1.17.3