aws_recon 0.3.5 → 0.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 12b30d8e1939333bd6a2f94ba0bfa5a8b9aa381e0330546425158360cda8e099
-  data.tar.gz: dea36844f6fc06403b563fd0dc6938d222c0dc8757b7b88c0cdd03e0b5df79e5
+  metadata.gz: 48ccf03d964fff678dc732fcf74d4dcd9c7c06293845bbb9a4f54e9e1ce61a24
+  data.tar.gz: 7c39747a7845fe497be052baae41af8ee45014166d97114abb797d5f6c06e5b9
 SHA512:
-  metadata.gz: 50fa5ec78c7bbedc8f89321cbd0a679945e2509a2ba8d51c0fd6e95d15a3e7cdf29db051f0b9816d85bf49af0d7375e2f8ada6796b7c9a4ddb3b403ebda4b598
-  data.tar.gz: d1d1cb453321a8dcb669839b3e9597af0a11882863c15f9a44c23f6dda77efaa0c302ed3208032c12a12f97b09f9eff0776f4346e579b588ab10c1ba4d2b713e
+  metadata.gz: 3b6c26ff3b38dd58c63313b70a609e6b08fe6d16762afb9651bbc81d6cef21d7c46e8b11ad73d40caf0e6abbfd877ef5d5f2fde1536425b70a25afe82b7a4a78
+  data.tar.gz: a74af8ad1b868895d997110a4688bc88266536ad2187c235ba27a0720e3ccce0d18d6959981ab3e82e40bb738944d1402380761f9c3c65ce33cc1649bfddbc4e

data/.gitignore

@@ -12,3 +12,5 @@ Gemfile.lock
 /pkg/
 /spec/reports/
 /tmp/
+.terraform*
+terraform.tfstate*

data/.rubocop.yml

@@ -12,7 +12,6 @@ Layout/LineLength:
   Max: 100
 Style/FrozenStringLiteralComment:
   EnforcedStyle: always_true
-  Safe: true
   SafeAutoCorrect: true
 Style/ClassAndModuleChildren:
   Enabled: false

data/aws_recon.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |spec|
   spec.version       = AwsRecon::VERSION
   spec.authors       = ['Josh Larsen', 'Darkbit']
   spec.required_ruby_version = '>= 2.5.0'
-  spec.summary       = 'A multi-threaded AWS inventory collection cli tool.'
+  spec.summary       = 'A multi-threaded AWS security-focused inventory collection tool.'
   spec.description   = 'AWS Recon is a command line tool to collect resources from an Amazon Web Services (AWS) account. The tool outputs JSON suitable for processing with other tools.'
   spec.homepage      = 'https://github.com/darkbitio/aws-recon'
   spec.license       = 'MIT'

data/lib/aws_recon/aws_recon.rb

@@ -34,9 +34,9 @@ module AwsRecon
       # formatter
       @formatter = Formatter.new
 
-      unless @options.stream_output
-        puts "\nStarting collection with #{@options.threads} threads...\n"
-      end
+      return unless @options.stream_output
+
+      puts "\nStarting collection with #{@options.threads} threads...\n"
     end
 
     #
@@ -72,7 +72,7 @@ module AwsRecon
       #
       # global services
       #
-      @aws_services.map { |x| OpenStruct.new(x) }.filter { |s| s.global }.each do |service|
+      @aws_services.map { |x| OpenStruct.new(x) }.filter(&:global).each do |service|
         # user included this service in the args
         next unless @services.include?(service.name)
 
@@ -102,16 +102,47 @@ module AwsRecon
     rescue Interrupt # ctrl-c
       elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
 
-      puts "\nStopped early after \x1b[32m#{elapsed.to_i}\x1b[0m seconds.\n"
+      puts "\nStopped early after #{elapsed.to_i} seconds.\n"
     ensure
-      # write output file
-      if @options.output_file
-        elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
+      elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
 
-        puts "\nFinished in \x1b[32m#{elapsed.to_i}\x1b[0m seconds. Saving resources to \x1b[32m#{@options.output_file}\x1b[0m.\n\n"
+      puts "\nFinished in #{elapsed.to_i} seconds.\n\n"
+
+      # write output file
+      if @options.output_file && !@options.s3
+        puts "Saving resources to #{@options.output_file}.\n\n"
 
         File.write(@options.output_file, @resources.to_json)
       end
+
+      # write output file to S3 bucket
+      if @options.s3
+        t = Time.now.utc
+
+        s3_full_object_path = "AWSRecon/#{t.year}/#{t.month}/#{t.day}/#{@account_id}_aws_recon_#{t.to_i}.json.gz"
+
+        begin
+          # get bucket name (and region if not us-east-1)
+          s3_bucket, s3_region = @options.s3.split(':')
+
+          # build IO object and gzip it
+          io = StringIO.new
+          gzip_data = Zlib::GzipWriter.new(io)
+          gzip_data.write(@resources.to_json)
+          gzip_data.close
+
+          # send it to S3
+          s3_client = Aws::S3::Client.new(region: s3_region || 'us-east-1')
+          s3_resource = Aws::S3::Resource.new(client: s3_client)
+          obj = s3_resource.bucket(s3_bucket).object(s3_full_object_path)
+          obj.put(body: io.string)
+
+          puts "Saving resources to S3 s3://#{s3_bucket}/#{s3_full_object_path}\n\n"
+        rescue Aws::S3::Errors::ServiceError => e
+          puts "Error! - could not save output S3 bucket\n\n"
+          puts "#{e.message} - #{e.code}\n"
+        end
+      end
     end
   end
 end

data/lib/aws_recon/collectors.rb

@@ -1,2 +1,4 @@
+# frozen_string_literal: true
+
 # require all collectors
-Dir[File.join(__dir__, 'collectors', '*.rb')].each { |file| require file }
+Dir[File.join(__dir__, 'collectors', '*.rb')].sort.each { |file| require file }

data/lib/aws_recon/collectors/route53.rb

@@ -19,7 +19,7 @@ class Route53 < Mapper
       response.hosted_zones.each do |zone|
         struct = OpenStruct.new(zone.to_h)
         struct.type = 'zone'
-        struct.arn = "aws:route53:#{@region}:#{@account}:zone/#{zone.name}"
+        struct.arn = "arn:aws:route53:#{@region}:#{@account}:zone/#{zone.name}"
         struct.logging_config = @client
                                 .list_query_logging_configs({ hosted_zone_id: zone.id })
                                 .query_logging_configs.first.to_h

data/lib/aws_recon/collectors/s3.rb

@@ -73,6 +73,9 @@ class S3 < Mapper
         end
 
         resources.push(struct.to_h)
+
+      rescue Aws::S3::Errors::NoSuchBucket
+        # skip missing bucket
       end
     end
 

data/lib/aws_recon/lib/mapper.rb

@@ -68,12 +68,12 @@ class Mapper
   def log(*msg)
     return unless @options.verbose
 
-    puts _msg(msg).map { |x| "\x1b[32m#{x}\x1b[0m" }.join("\x1b[35m.\x1b[0m")
+    puts _msg(msg).map(&:to_s).join('.')
   end
 
   def log_error(*msg)
     return unless @options.verbose
 
-    puts _msg(msg).map { |x| "\x1b[35m#{x}\x1b[0m" }.join("\x1b[32m.\x1b[0m")
+    puts _msg(msg).map(&:to_s).join('.')
   end
 end

data/lib/aws_recon/options.rb

@@ -6,6 +6,7 @@
 class Parser
   DEFAULT_CONFIG_FILE = nil
   DEFAULT_OUTPUT_FILE = File.expand_path(File.join(Dir.pwd, 'output.json')).freeze
+  DEFAULT_S3_PATH = nil
   SERVICES_CONFIG_FILE = File.join(File.dirname(__FILE__), 'services.yaml').freeze
   DEFAULT_FORMAT = 'aws'
   DEFAULT_THREADS = 8
@@ -15,6 +16,7 @@ class Parser
     :regions,
     :services,
     :config_file,
+    :s3,
     :output_file,
     :output_format,
     :threads,
@@ -43,6 +45,7 @@ class Parser
       aws_regions,
       aws_services.map { |service| service[:name] },
       DEFAULT_CONFIG_FILE,
+      DEFAULT_S3_PATH,
       DEFAULT_OUTPUT_FILE,
       DEFAULT_FORMAT,
       DEFAULT_THREADS,
@@ -93,6 +96,11 @@ class Parser
         args.config_file = config
       end
 
+      # write output file to S3 bucket
+      opts.on('-b', '--s3-bucket [BUCKET:REGION]', 'Write output file to S3 bucket (default: \'\')') do |bucket_with_region|
+        args.s3 = bucket_with_region
+      end
+
       # output file
       opts.on('-o', '--output [OUTPUT]', 'Specify output file (default: output.json)') do |output|
         args.output_file = File.expand_path(File.join(Dir.pwd, output))

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.3.5"
+  VERSION = "0.4.4"
 end

data/readme.md

@@ -3,19 +3,19 @@
 
 # AWS Recon
 
-A multi-threaded AWS inventory collection tool.
+A multi-threaded AWS security-focused inventory collection tool written in Ruby.
 
-The [creators](https://darkbit.io) of this tool have a recurring need to be able to efficiently collect a large amount of AWS resource attributes and metadata to help clients understand their cloud security posture.
+This tool was created to facilitate efficient collection of a large amount of AWS resource attributes and metadata. It aims to collect nearly everything that is relevant to the security configuration and posture of an AWS environment.
 
-Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity we needed. We also needed a tool that produced consistent output that was easily consumed by other tools/systems.
+Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity to accurately measure security posture (e.g. detailed resource attribute data, fully parsed policy documents, and nested resource relationships).
 
-Enter AWS Recon, multi-threaded AWS inventory collection tool written in plain Ruby. Though Python tends to dominate the AWS tooling landscape, the [Ruby SDK](https://aws.amazon.com/sdk-for-ruby/) has a few convenient advantages over the [other](https://aws.amazon.com/sdk-for-node-js/) [AWS](https://aws.amazon.com/sdk-for-python/) [SDKs](https://aws.amazon.com/sdk-for-go/) we tested. Specifically, easy handling of automatic retries, paging of large responses, and - with some help - threading huge numbers of requests.
+AWS Recon handles collection from large accounts by taking advantage of automatic retries (either due to network reliability or API throttling), automatic paging of large responses (> 100 resources per API call), and multi-threading parallel requests to speed up collection.
 
 ## Project Goals
 
 - More complete resource coverage than available tools (especially for ECS & EKS)
 - More granular resource detail, including nested related resources in the output
-- Flexible output (console, JSON lines, plain JSON, file, standard out)
+- Flexible output (console, JSON lines, plain JSON, file, S3 bucket, and standard out)
 - Efficient (multi-threaded, rate limited, automatic retries, and automatic result paging)
 - Easy to maintain and extend
 
@@ -31,7 +31,7 @@ Use Docker version 19.x or above to run the pre-built image without having to in
 
 #### Running locally via Ruby
 
-If you already have Ruby installed (2.5.x or 2.6.x), you may want to install the Ruby gem.
+If you already have Ruby installed (2.6.x or 2.7.x), you may want to install the Ruby gem.
 
 ### Installation
 
@@ -54,13 +54,13 @@ To run locally, first install the gem:
 
 ```
 $ gem install aws_recon
-Fetching aws_recon-0.3.0.gem
+Fetching aws_recon-0.4.0.gem
 Fetching aws-sdk-3.0.1.gem
 Fetching parallel-1.20.1.gem
 ...
 Successfully installed aws-sdk-3.0.1
 Successfully installed parallel-1.20.1
-Successfully installed aws_recon-0.3.0
+Successfully installed aws_recon-0.4.0
 ```
 
 Or add it to your Gemfile using `bundle`:
@@ -72,7 +72,7 @@ Resolving dependencies...
 ...
 Using aws-sdk 3.0.1
 Using parallel-1.20.1
-Using aws_recon 0.3.0
+Using aws_recon 0.4.0
 ```
 
 ## Usage
@@ -158,13 +158,37 @@ Finished in 46 seconds. Saving resources to output.json.
 #### Example command line options
 
 ```
+# collect S3 and EC2 global resources, as well as us-east-1 and us-east-2
+
 $ AWS_PROFILE=<profile> aws_recon -s S3,EC2 -r global,us-east-1,us-east-2
 ```
 
 ```
+# collect S3 and EC2 global resources, as well as us-east-1 and us-east-2
+
 $ AWS_PROFILE=<profile> aws_recon --services S3,EC2 --regions global,us-east-1,us-east-2
 ```
 
+```
+# save output to S3 bucket
+
+$ AWS_PROFILE=<profile> aws_recon \
+  --services S3,EC2 \
+  --regions global,us-east-1,us-east-2 \
+  --verbose \
+  --s3-bucket my-recon-bucket
+```
+
+```
+# save output to S3 bucket with a home region other than us-east-1
+
+$ AWS_PROFILE=<profile> aws_recon \
+  --services S3,EC2 \
+  --regions global,us-east-1,us-east-2 \
+  --verbose \
+  --s3-bucket my-recon-bucket:us-west-2
+```
+
 Example [OpenCSPM](https://github.com/OpenCSPM/opencspm) formatted (NDJSON) output.
 
 ```
@@ -225,7 +249,7 @@ Most users will want to limit collection to relevant services and regions. Runni
 ```
 $ aws_recon -h
 
-AWS Recon - AWS Inventory Collector (0.3.0)
+AWS Recon - AWS Inventory Collector (0.4.0)
 
 Usage: aws_recon [options]
     -r, --regions [REGIONS]          Regions to scan, separated by comma (default: all)
@@ -233,6 +257,7 @@ Usage: aws_recon [options]
     -s, --services [SERVICES]        Services to scan, separated by comma (default: all)
     -x, --not-services [SERVICES]    Services to skip, separated by comma (default: none)
     -c, --config [CONFIG]            Specify config file for services & regions (e.g. config.yaml)
+    -b, --s3-bucket [BUCKET:REGION]  Write output file to S3 bucket (default: '')
     -o, --output [OUTPUT]            Specify output file (default: output.json)
     -f, --format [FORMAT]            Specify output format (default: aws)
     -t, --threads [THREADS]          Specify max threads (default: 8, max: 128)
@@ -251,6 +276,8 @@ Usage: aws_recon [options]
 
 Output is always some form of JSON - either JSON lines or plain JSON. The output is either written to a file (the default), or written to stdout (with `-j`).
 
+When writing to an S3 bucket, the JSON output is automatically compressed with `gzip`.
+
 ## Support for Manually Enabled Regions
 
 If you have enabled **manually enabled regions**:
@@ -351,7 +378,7 @@ $ cd aws-recon
 Create a sticky gemset if using RVM:
 
 ```
-$ rvm use 2.6.5@aws_recon_dev --create --ruby-version
+$ rvm use 2.7.2@aws_recon_dev --create --ruby-version
 ```
 
 Run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/utils/cloudformation/aws-recon-cfn-template.yml

@@ -0,0 +1,151 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Deploys AWS Recon inventory collection resources, scheduled ECS task and corresponding IAM roles and policies.'
+Resources:
+  AWSReconVPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: '10.75.0.0/27'
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+  AWSReconSubnet:
+    Type: AWS::EC2::Subnet
+    Properties:
+      CidrBlock: '10.75.0.0/28'
+      VpcId: !Ref AWSReconVPC
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+    DependsOn: AWSReconVPC
+  AWSReconSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: AWS Recon collection egress
+      VpcId: !Ref AWSReconVPC
+      SecurityGroupEgress:
+        - IpProtocol: -1
+          FromPort: 0
+          ToPort: 0
+          CidrIp: 0.0.0.0/0
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+  AWSReconInternetGateway:
+    Type: AWS::EC2::InternetGateway
+    Properties:
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+  AWSReconInternetGatewayAttachment:
+    Type: AWS::EC2::VPCGatewayAttachment
+    Properties:
+      InternetGatewayId: !Ref AWSReconInternetGateway
+      VpcId: !Ref AWSReconVPC
+  AWSReconEgressRouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref AWSReconVPC
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+  AWSReconSubnetRouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      SubnetId: !Ref AWSReconSubnet
+      RouteTableId: !Ref AWSReconEgressRouteTable
+  AWSReconEgressRoute:
+    Type: AWS::EC2::Route
+    Properties:
+      DestinationCidrBlock: '0.0.0.0/0'
+      GatewayId: !Ref AWSReconInternetGateway
+      RouteTableId: !Ref AWSReconEgressRouteTable
+  AWSReconECSCluster:
+    Type: AWS::ECS::Cluster
+    Properties:
+      ClusterName: aws-recon-CFN
+      CapacityProviders:
+        - FARGATE
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+    DependsOn: AWSReconSubnet
+  AWSReconECSTask:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      Family: aws-recon-CFN
+      RequiresCompatibilities:
+        - FARGATE
+      NetworkMode: awsvpc
+      Cpu: 1024
+      Memory: 2048
+      TaskRoleArn: !Ref AWSReconECSTaskRole
+      ExecutionRoleArn: !Ref AWSReconECSExecutionRole
+      ContainerDefinitions:
+        - Name: aws-recon-CFN
+          Image: 'darkbitio/aws_recon:latest'
+          EntryPoint:
+            - 'aws_recon'
+            - '--verbose'
+            - '--format'
+            - 'custom'
+  AWSReconECSTaskRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: aws-recon-ecs-task-role
+      ManagedPolicyArns:
+        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
+      Policies:
+        - PolicyName: AWSReconECSTaskRole
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action: 's3:PutObject'
+                Resource: 'arn:aws:s3:::CHANGEME/*'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ecs.amazonaws.com
+                - ecs-tasks.amazonaws.com
+            Action: 'sts:AssumeRole'
+  AWSReconECSExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: aws-recon-ecs-execution-role
+      Policies:
+        - PolicyName: AWSReconECSTaskExecutionPolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - 'ecr:GetAuthorizationToken'
+                  - 'ecr:BatchCheckLayerAvailability'
+                  - 'ecr:GetDownloadUrlForLayer'
+                  - 'ecr:BatchGetImage'
+                  - 'logs:CreateLogStream'
+                  - 'logs:PutLogEvents'
+                Resource: '*'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ecs-tasks.amazonaws.com
+            Action: 'sts:AssumeRole'
+  AWSReconCloudWatchEventsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: aws-recon-events-role
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - events.amazonaws.com
+            Action: 'sts:AssumeRole'

data/utils/terraform/cloudwatch.tf

@@ -0,0 +1,26 @@
+# https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_rule.html
+resource "aws_cloudwatch_event_rule" "default" {
+  name                = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  description         = "AWS Recon scheduled task"
+  schedule_expression = var.schedule_expression
+}
+
+# https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_target.html
+resource "aws_cloudwatch_event_target" "default" {
+  target_id = aws_ecs_task_definition.aws_recon_task.id
+  arn       = aws_ecs_cluster.aws_recon.arn
+  rule      = aws_cloudwatch_event_rule.default.name
+  role_arn  = aws_iam_role.cw_events.arn
+
+  ecs_target {
+    launch_type         = "FARGATE"
+    task_definition_arn = aws_ecs_task_definition.aws_recon_task.arn
+    platform_version    = "LATEST"
+
+    network_configuration {
+      assign_public_ip = true
+      security_groups  = [aws_security_group.sg.id]
+      subnets          = [aws_subnet.subnet.id]
+    }
+  }
+}

data/utils/terraform/ecs.tf

@@ -0,0 +1,49 @@
+resource "aws_ecs_cluster" "aws_recon" {
+  name               = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  capacity_providers = [local.ecs_task_provider]
+}
+
+resource "aws_ecs_task_definition" "aws_recon_task" {
+  family                   = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  task_role_arn            = aws_iam_role.aws_recon_role.arn
+  execution_role_arn       = aws_iam_role.ecs_task_execution.arn
+  requires_compatibilities = [local.ecs_task_provider]
+  network_mode             = "awsvpc"
+  cpu                      = 1024
+  memory                   = 2048
+
+  container_definitions = jsonencode([
+    {
+      name             = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+      image            = "${var.aws_recon_container_name}:${var.aws_recon_container_version}"
+      assign_public_ip = true
+      entryPoint = [
+        "aws_recon",
+        "--verbose",
+        "--format",
+        "custom",
+        "--s3-bucket",
+        "${aws_s3_bucket.aws_recon.bucket}:${data.aws_region.current.name}",
+        "--regions",
+        join(",", var.aws_regions)
+      ]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group         = aws_cloudwatch_log_group.aws_recon.name,
+          awslogs-region        = data.aws_region.current.name,
+          awslogs-stream-prefix = "ecs"
+        }
+      }
+    }
+  ])
+}
+
+resource "aws_cloudwatch_log_group" "aws_recon" {
+  name              = "/ecs/${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  retention_in_days = var.retention_period
+}
+
+locals {
+  ecs_task_provider = "FARGATE"
+}

data/utils/terraform/iam.tf

@@ -0,0 +1,125 @@
+#
+# IAM policies and roles for ECS and CloudWatch execution
+#
+resource "aws_iam_role" "aws_recon_role" {
+  name               = local.aws_recon_task_role_name
+  assume_role_policy = data.aws_iam_policy_document.aws_recon_task_execution_assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "aws_recon_task_execution_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "ecs.amazonaws.com",
+        "ecs-tasks.amazonaws.com"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "aws_recon_task_execution" {
+  role       = aws_iam_role.aws_recon_role.name
+  policy_arn = data.aws_iam_policy.aws_recon_task_execution.arn
+}
+
+resource "aws_iam_role_policy" "aws_recon" {
+  name = local.bucket_write_policy_name
+  role = aws_iam_role.aws_recon_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "${var.aws_recon_base_name}-bucket-write"
+    Statement = [
+      {
+        Sid    = "AWSReconS3PutObject"
+        Effect = "Allow"
+        Action = "s3:PutObject"
+        Resource = [
+          "${aws_s3_bucket.aws_recon.arn}/*"
+        ]
+      }
+    ]
+  })
+}
+
+data "aws_iam_policy" "aws_recon_task_execution" {
+  arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
+resource "aws_iam_role" "ecs_task_execution" {
+  name               = local.ecs_task_execution_role_name
+  assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_assume_role_policy.json
+
+  tags = {
+    Name = local.ecs_task_execution_role_name
+  }
+}
+
+data "aws_iam_policy_document" "ecs_task_execution_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+# ECS task execution
+resource "aws_iam_policy" "ecs_task_execution" {
+  name   = local.ecs_task_execution_policy_name
+  policy = data.aws_iam_policy.ecs_task_execution.policy
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
+  role       = aws_iam_role.ecs_task_execution.name
+  policy_arn = aws_iam_policy.ecs_task_execution.arn
+}
+
+data "aws_iam_policy" "ecs_task_execution" {
+  arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# CloudWatch Events
+resource "aws_iam_role" "cw_events" {
+  name               = local.cw_events_role_name
+  assume_role_policy = data.aws_iam_policy_document.cw_events_assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "cw_events_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "cw_events" {
+  name   = local.cw_events_policy_name
+  policy = data.aws_iam_policy.cw_events.policy
+}
+
+resource "aws_iam_role_policy_attachment" "cw_events" {
+  role       = aws_iam_role.cw_events.name
+  policy_arn = aws_iam_policy.cw_events.arn
+}
+
+data "aws_iam_policy" "cw_events" {
+  arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
+}
+
+locals {
+  bucket_write_policy_name       = "${var.aws_recon_base_name}-bucket-write-policy"
+  ecs_task_execution_role_name   = "${var.aws_recon_base_name}-ecs-task-execution-role"
+  ecs_task_execution_policy_name = "${var.aws_recon_base_name}-ecs-task-execution-policy"
+  cw_events_policy_name          = "${var.aws_recon_base_name}-cw-events-policy"
+  cw_events_role_name            = "${var.aws_recon_base_name}-cw-events-role"
+  aws_recon_task_role_name       = "${var.aws_recon_base_name}-exec-role"
+}

data/utils/terraform/main.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+  }
+}
+
+# Configure the AWS Provider
+provider "aws" {
+  region = "us-east-2"
+}

data/utils/terraform/output.tf

@@ -0,0 +1,15 @@
+output "aws_recon_ecs_cluster" {
+  value = aws_ecs_cluster.aws_recon.name
+}
+
+output "aws_recon_ecs_scheduled_task" {
+  value = aws_cloudwatch_event_rule.default.name
+}
+
+output "aws_recon_s3_bucket" {
+  value = aws_s3_bucket.aws_recon.bucket
+}
+
+output "aws_recon_task_manual_run_command" {
+  value = "\nOne-off task run command:\n\naws ecs run-task --task-definition ${aws_ecs_task_definition.aws_recon_task.family} --cluster ${aws_ecs_cluster.aws_recon.name} --launch-type FARGATE --network-configuration \"awsvpcConfiguration={subnets=[${aws_subnet.subnet.id}],securityGroups=[${aws_security_group.sg.id}],assignPublicIp=ENABLED}\"\n"
+}

data/utils/terraform/readme.md

@@ -0,0 +1,20 @@
+## Terraform Setup
+
+This is an example module that can be used in its current form or modified for your specific environment. It builds the minimum components necessary to collect inventory on a schedule running AWS Recon as a Fargate scheduled task.
+
+### Requirements
+
+Before running this Terraform module, adjust your region accordingly in `main.tf`.
+
+### What is created?
+
+This Terraform example will deploy the following resources:
+
+- an S3 bucket to store compressed JSON output files
+- an IAM role for ECS task execution
+- a Security Group for the ECS cluster/task
+- a VPC and NGW for the ECS cluster/task
+- an ECS/Fargate cluster
+- an ECS task definition to run AWS Recon collection
+- a CloudWatch event rule to trigger the ECS task
+- a CloudTrail log group for ECS task logs

data/utils/terraform/s3.tf

@@ -0,0 +1,20 @@
+resource "aws_s3_bucket" "aws_recon" {
+  bucket        = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}-${data.aws_iam_account_alias.current.id}"
+  acl           = "private"
+  force_destroy = true
+
+  lifecycle_rule {
+    id      = "expire-after-${var.retention_period}-days"
+    enabled = true
+
+    expiration {
+      days = var.retention_period
+    }
+  }
+}
+
+resource "random_id" "aws_recon" {
+  byte_length = 6
+}
+
+data "aws_iam_account_alias" "current" {}

data/utils/terraform/vars.tf

@@ -0,0 +1,58 @@
+variable "aws_recon_base_name" {
+  type    = string
+  default = "aws-recon"
+}
+
+variable "aws_recon_container_name" {
+  type    = string
+  default = "darkbitio/aws_recon"
+}
+
+variable "aws_recon_container_version" {
+  type    = string
+  default = "latest"
+}
+
+variable "aws_regions" {
+  type = list(any)
+  default = [
+    "global",
+    # "af-south-1",
+    # "ap-east-1",
+    # "ap-northeast-1",
+    # "ap-northeast-2",
+    # "ap-northeast-3",
+    # "ap-south-1",
+    # "ap-southeast-1",
+    # "ap-southeast-2",
+    # "ca-central-1",
+    # "eu-central-1",
+    # "eu-north-1",
+    # "eu-south-1",
+    # "eu-west-1",
+    # "eu-west-2",
+    # "eu-west-3",
+    # "me-south-1",
+    # "sa-east-1",
+    "us-east-1",
+    "us-east-2",
+    "us-west-1",
+    "us-west-2",
+  ]
+}
+
+# must be one of: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365
+variable "retention_period" {
+  type    = number
+  default = 30
+}
+
+variable "schedule_expression" {
+  type    = string
+  default = "cron(4 * * * ? *)"
+}
+
+variable "base_subnet_cidr" {
+  type    = string
+  default = "10.76.0.0/16"
+}

data/utils/terraform/vpc.tf

@@ -0,0 +1,73 @@
+
+# Create a VPC
+resource "aws_vpc" "vpc" {
+  cidr_block = local.cidr_block
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  }
+}
+
+# Create subnet
+resource "aws_subnet" "subnet" {
+  vpc_id            = aws_vpc.vpc.id
+  cidr_block        = local.subnet_cidr_block
+  availability_zone = data.aws_availability_zones.available.names[0]
+
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}-public"
+  }
+}
+
+resource "aws_security_group" "sg" {
+  name        = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  description = "Allow AWS Recon collection egress"
+  vpc_id      = aws_vpc.vpc.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  }
+}
+
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.vpc.id
+
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  }
+}
+
+resource "aws_route_table" "rt" {
+  vpc_id = aws_vpc.vpc.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.igw.id
+  }
+
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  }
+}
+
+resource "aws_route_table_association" "rt_association" {
+  subnet_id      = aws_subnet.subnet.id
+  route_table_id = aws_route_table.rt.id
+}
+
+locals {
+  cidr_block        = var.base_subnet_cidr
+  subnet_cidr_block = cidrsubnet(local.cidr_block, 8, 0)
+}
+
+data "aws_region" "current" {}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.3.5
+  version: 0.4.4
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-25 00:00:00.000000000 Z
+date: 2021-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -244,6 +244,16 @@ files:
 - lib/aws_recon/services.yaml
 - lib/aws_recon/version.rb
 - readme.md
+- utils/cloudformation/aws-recon-cfn-template.yml
+- utils/terraform/cloudwatch.tf
+- utils/terraform/ecs.tf
+- utils/terraform/iam.tf
+- utils/terraform/main.tf
+- utils/terraform/output.tf
+- utils/terraform/readme.md
+- utils/terraform/s3.tf
+- utils/terraform/vars.tf
+- utils/terraform/vpc.tf
 homepage: https://github.com/darkbitio/aws-recon
 licenses:
 - MIT
@@ -266,5 +276,5 @@ requirements: []
 rubygems_version: 3.0.8
 signing_key:
 specification_version: 4
-summary: A multi-threaded AWS inventory collection cli tool.
+summary: A multi-threaded AWS security-focused inventory collection tool.
 test_files: []