aws_recon 0.4.0 → 0.4.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9647cee32c4df1624a99cf180258f43e664e7ee62b8ceee5fe00b8d6b31a2803
-  data.tar.gz: aca9a6383263ca7add32682df25a633ad9db031a50d2f38f319f903b6dd75c45
+  metadata.gz: 2970ade786485b6ca81b67b96b10e70a23b2dc30b8e3ed83928bd019dc2cd00c
+  data.tar.gz: 1d35be082bd390129fb2b2cfaf1147946a0fa8eb80b08c364ea8b84646e527f2
 SHA512:
-  metadata.gz: 426acf5937d26974c7a7c5bc26e84487fe8b76cc28bf0f51a7302d05897356e7007b877e26a47cc3af7b54044ac45bec23b409b1b66bef0336aaa1216d340437
-  data.tar.gz: 790fd25c65d4fe49c2e3857f65cddb590ecfe9f481b923bcdf8def9007ddf1ccb0b16f616164e7472b43a75eebe77698146d3d2e46204af1085b276afedf2099
+  metadata.gz: a2b106cc04a9d4a8955794ef3bf7f6a1e79222679105f093ef9edcf2275c2744812367c79db18b55f00d195fb44b1eec4685544277bf728a44786a8812e66846
+  data.tar.gz: 65e41b3d482e6a5598e582c52956f78421c67ad16ea0389bb32435c2e1166f79b1300207881fe5d4a30590dffe3d1bf2eb9692cc191e1584b32482645347a0b2

data/.gitignore

@@ -12,3 +12,5 @@ Gemfile.lock
 /pkg/
 /spec/reports/
 /tmp/
+.terraform*
+terraform.tfstate*

data/aws_recon.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |spec|
   spec.version       = AwsRecon::VERSION
   spec.authors       = ['Josh Larsen', 'Darkbit']
   spec.required_ruby_version = '>= 2.5.0'
-  spec.summary       = 'A multi-threaded AWS inventory collection cli tool.'
+  spec.summary       = 'A multi-threaded AWS security-focused inventory collection tool.'
   spec.description   = 'AWS Recon is a command line tool to collect resources from an Amazon Web Services (AWS) account. The tool outputs JSON suitable for processing with other tools.'
   spec.homepage      = 'https://github.com/darkbitio/aws-recon'
   spec.license       = 'MIT'

data/lib/aws_recon/aws_recon.rb

@@ -65,6 +65,17 @@ module AwsRecon
       @resources.concat(collection) if @options.output_file
     end
 
+    #
+    # Format @resources as either
+    #
+    def formatted_json
+      if @options.jsonl
+        @resources.map { |r| JSON.generate(r) }.join("\n")
+      else
+        @resources.to_json
+      end
+    end
+
     #
     # main wrapper
     #
@@ -102,17 +113,17 @@ module AwsRecon
     rescue Interrupt # ctrl-c
       elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
 
-      puts "\nStopped early after \x1b[32m#{elapsed.to_i}\x1b[0m seconds.\n"
+      puts "\nStopped early after #{elapsed.to_i} seconds.\n"
     ensure
       elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
 
-      puts "\nFinished in \x1b[32m#{elapsed.to_i}\x1b[0m seconds.\n\n"
+      puts "\nFinished in #{elapsed.to_i} seconds.\n\n"
 
       # write output file
-      if @options.output_file
-        puts "Saving resources to \x1b[32m#{@options.output_file}\x1b[0m.\n\n"
+      if @options.output_file && !@options.s3
+        puts "Saving resources to #{@options.output_file}.\n\n"
 
-        File.write(@options.output_file, @resources.to_json)
+        File.write(@options.output_file, formatted_json)
       end
 
       # write output file to S3 bucket
@@ -128,7 +139,7 @@ module AwsRecon
           # build IO object and gzip it
           io = StringIO.new
           gzip_data = Zlib::GzipWriter.new(io)
-          gzip_data.write(@resources.to_json)
+          gzip_data.write(formatted_json)
           gzip_data.close
 
           # send it to S3
@@ -137,9 +148,9 @@ module AwsRecon
           obj = s3_resource.bucket(s3_bucket).object(s3_full_object_path)
           obj.put(body: io.string)
 
-          puts "Saving resources to S3 \x1b[32ms3://#{s3_bucket}/#{s3_full_object_path}\x1b[0m\n\n"
+          puts "Saving resources to S3 s3://#{s3_bucket}/#{s3_full_object_path}\n\n"
         rescue Aws::S3::Errors::ServiceError => e
-          puts "\x1b[35mError!\x1b[0m - could not save output S3 bucket\n\n"
+          puts "Error! - could not save output S3 bucket\n\n"
           puts "#{e.message} - #{e.code}\n"
         end
       end

data/lib/aws_recon/collectors/route53.rb

@@ -19,7 +19,7 @@ class Route53 < Mapper
       response.hosted_zones.each do |zone|
         struct = OpenStruct.new(zone.to_h)
         struct.type = 'zone'
-        struct.arn = "aws:route53:#{@region}:#{@account}:zone/#{zone.name}"
+        struct.arn = "arn:aws:route53:#{@region}:#{@account}:zone/#{zone.name}"
         struct.logging_config = @client
                                 .list_query_logging_configs({ hosted_zone_id: zone.id })
                                 .query_logging_configs.first.to_h

data/lib/aws_recon/collectors/s3.rb

@@ -73,6 +73,9 @@ class S3 < Mapper
         end
 
         resources.push(struct.to_h)
+
+      rescue Aws::S3::Errors::NoSuchBucket
+        # skip missing bucket
       end
     end
 

data/lib/aws_recon/lib/mapper.rb

@@ -68,12 +68,12 @@ class Mapper
   def log(*msg)
     return unless @options.verbose
 
-    puts _msg(msg).map { |x| "\x1b[32m#{x}\x1b[0m" }.join("\x1b[35m.\x1b[0m")
+    puts _msg(msg).map(&:to_s).join('.')
   end
 
   def log_error(*msg)
     return unless @options.verbose
 
-    puts _msg(msg).map { |x| "\x1b[35m#{x}\x1b[0m" }.join("\x1b[32m.\x1b[0m")
+    puts _msg(msg).map(&:to_s).join('.')
   end
 end

data/lib/aws_recon/options.rb

@@ -20,6 +20,7 @@ class Parser
     :output_file,
     :output_format,
     :threads,
+    :jsonl,
     :collect_user_data,
     :skip_slow,
     :skip_credential_report,
@@ -55,6 +56,7 @@ class Parser
       false,
       false,
       false,
+      false,
       false
     )
 
@@ -116,6 +118,11 @@ class Parser
         args.threads = threads.to_i if (0..Parser::MAX_THREADS).include?(threads.to_i)
       end
 
+      # output NDJSON/JSONL format
+      opts.on('-l', '--json-lines', 'Output NDJSON/JSONL format (default: false)') do
+        args.jsonl = true
+      end
+
       # collect EC2 instance user data
       opts.on('-u', '--user-data', 'Collect EC2 instance user data (default: false)') do
         args.collect_user_data = true

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.4.0"
+  VERSION = "0.4.5"
 end

data/readme.md

@@ -3,13 +3,13 @@
 
 # AWS Recon
 
-A multi-threaded AWS inventory collection tool.
+A multi-threaded AWS security-focused inventory collection tool written in Ruby.
 
 This tool was created to facilitate efficient collection of a large amount of AWS resource attributes and metadata. It aims to collect nearly everything that is relevant to the security configuration and posture of an AWS environment.
 
-Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity to accurately measure security posture (e.g. detailed attribute data and full policy documents).
+Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity to accurately measure security posture (e.g. detailed resource attribute data, fully parsed policy documents, and nested resource relationships).
 
-Enter AWS Recon, multi-threaded AWS inventory collection tool written in plain Ruby. Though Python tends to dominate the AWS tooling landscape, the [Ruby SDK](https://aws.amazon.com/sdk-for-ruby/) has a few convenient advantages over the [other](https://aws.amazon.com/sdk-for-node-js/) [AWS](https://aws.amazon.com/sdk-for-python/) [SDKs](https://aws.amazon.com/sdk-for-go/) we tested. Specifically, easy handling of automatic retries, paging of large responses, and - with some help - threading huge numbers of requests.
+AWS Recon handles collection from large accounts by taking advantage of automatic retries (either due to network reliability or API throttling), automatic paging of large responses (> 100 resources per API call), and multi-threading parallel requests to speed up collection.
 
 ## Project Goals
 
@@ -31,7 +31,7 @@ Use Docker version 19.x or above to run the pre-built image without having to in
 
 #### Running locally via Ruby
 
-If you already have Ruby installed (2.5.x or 2.6.x), you may want to install the Ruby gem.
+If you already have Ruby installed (2.6.x or 2.7.x), you may want to install the Ruby gem.
 
 ### Installation
 
@@ -276,6 +276,8 @@ Usage: aws_recon [options]
 
 Output is always some form of JSON - either JSON lines or plain JSON. The output is either written to a file (the default), or written to stdout (with `-j`).
 
+When writing to an S3 bucket, the JSON output is automatically compressed with `gzip`.
+
 ## Support for Manually Enabled Regions
 
 If you have enabled **manually enabled regions**:
@@ -376,7 +378,7 @@ $ cd aws-recon
 Create a sticky gemset if using RVM:
 
 ```
-$ rvm use 2.6.5@aws_recon_dev --create --ruby-version
+$ rvm use 2.7.2@aws_recon_dev --create --ruby-version
 ```
 
 Run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/utils/cloudformation/aws-recon-cfn-template.yml

@@ -0,0 +1,151 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Deploys AWS Recon inventory collection resources, scheduled ECS task and corresponding IAM roles and policies.'
+Resources:
+  AWSReconVPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: '10.75.0.0/27'
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+  AWSReconSubnet:
+    Type: AWS::EC2::Subnet
+    Properties:
+      CidrBlock: '10.75.0.0/28'
+      VpcId: !Ref AWSReconVPC
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+    DependsOn: AWSReconVPC
+  AWSReconSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: AWS Recon collection egress
+      VpcId: !Ref AWSReconVPC
+      SecurityGroupEgress:
+        - IpProtocol: -1
+          FromPort: 0
+          ToPort: 0
+          CidrIp: 0.0.0.0/0
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+  AWSReconInternetGateway:
+    Type: AWS::EC2::InternetGateway
+    Properties:
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+  AWSReconInternetGatewayAttachment:
+    Type: AWS::EC2::VPCGatewayAttachment
+    Properties:
+      InternetGatewayId: !Ref AWSReconInternetGateway
+      VpcId: !Ref AWSReconVPC
+  AWSReconEgressRouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId: !Ref AWSReconVPC
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+  AWSReconSubnetRouteTableAssociation:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      SubnetId: !Ref AWSReconSubnet
+      RouteTableId: !Ref AWSReconEgressRouteTable
+  AWSReconEgressRoute:
+    Type: AWS::EC2::Route
+    Properties:
+      DestinationCidrBlock: '0.0.0.0/0'
+      GatewayId: !Ref AWSReconInternetGateway
+      RouteTableId: !Ref AWSReconEgressRouteTable
+  AWSReconECSCluster:
+    Type: AWS::ECS::Cluster
+    Properties:
+      ClusterName: aws-recon-CFN
+      CapacityProviders:
+        - FARGATE
+      Tags:
+        - Key: Name
+          Value: aws-recon-CFN
+    DependsOn: AWSReconSubnet
+  AWSReconECSTask:
+    Type: AWS::ECS::TaskDefinition
+    Properties:
+      Family: aws-recon-CFN
+      RequiresCompatibilities:
+        - FARGATE
+      NetworkMode: awsvpc
+      Cpu: 1024
+      Memory: 2048
+      TaskRoleArn: !Ref AWSReconECSTaskRole
+      ExecutionRoleArn: !Ref AWSReconECSExecutionRole
+      ContainerDefinitions:
+        - Name: aws-recon-CFN
+          Image: 'darkbitio/aws_recon:latest'
+          EntryPoint:
+            - 'aws_recon'
+            - '--verbose'
+            - '--format'
+            - 'custom'
+  AWSReconECSTaskRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: aws-recon-ecs-task-role
+      ManagedPolicyArns:
+        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
+      Policies:
+        - PolicyName: AWSReconECSTaskRole
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action: 's3:PutObject'
+                Resource: 'arn:aws:s3:::CHANGEME/*'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ecs.amazonaws.com
+                - ecs-tasks.amazonaws.com
+            Action: 'sts:AssumeRole'
+  AWSReconECSExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: aws-recon-ecs-execution-role
+      Policies:
+        - PolicyName: AWSReconECSTaskExecutionPolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - 'ecr:GetAuthorizationToken'
+                  - 'ecr:BatchCheckLayerAvailability'
+                  - 'ecr:GetDownloadUrlForLayer'
+                  - 'ecr:BatchGetImage'
+                  - 'logs:CreateLogStream'
+                  - 'logs:PutLogEvents'
+                Resource: '*'
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - ecs-tasks.amazonaws.com
+            Action: 'sts:AssumeRole'
+  AWSReconCloudWatchEventsRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: aws-recon-events-role
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - events.amazonaws.com
+            Action: 'sts:AssumeRole'

data/utils/terraform/cloudwatch.tf

@@ -0,0 +1,26 @@
+# https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_rule.html
+resource "aws_cloudwatch_event_rule" "default" {
+  name                = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  description         = "AWS Recon scheduled task"
+  schedule_expression = var.schedule_expression
+}
+
+# https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_target.html
+resource "aws_cloudwatch_event_target" "default" {
+  target_id = aws_ecs_task_definition.aws_recon_task.id
+  arn       = aws_ecs_cluster.aws_recon.arn
+  rule      = aws_cloudwatch_event_rule.default.name
+  role_arn  = aws_iam_role.cw_events.arn
+
+  ecs_target {
+    launch_type         = "FARGATE"
+    task_definition_arn = aws_ecs_task_definition.aws_recon_task.arn
+    platform_version    = "LATEST"
+
+    network_configuration {
+      assign_public_ip = true
+      security_groups  = [aws_security_group.sg.id]
+      subnets          = [aws_subnet.subnet.id]
+    }
+  }
+}

data/utils/terraform/ecs.tf

@@ -0,0 +1,49 @@
+resource "aws_ecs_cluster" "aws_recon" {
+  name               = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  capacity_providers = [local.ecs_task_provider]
+}
+
+resource "aws_ecs_task_definition" "aws_recon_task" {
+  family                   = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  task_role_arn            = aws_iam_role.aws_recon_role.arn
+  execution_role_arn       = aws_iam_role.ecs_task_execution.arn
+  requires_compatibilities = [local.ecs_task_provider]
+  network_mode             = "awsvpc"
+  cpu                      = 1024
+  memory                   = 2048
+
+  container_definitions = jsonencode([
+    {
+      name             = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+      image            = "${var.aws_recon_container_name}:${var.aws_recon_container_version}"
+      assign_public_ip = true
+      entryPoint = [
+        "aws_recon",
+        "--verbose",
+        "--format",
+        "custom",
+        "--s3-bucket",
+        "${aws_s3_bucket.aws_recon.bucket}:${data.aws_region.current.name}",
+        "--regions",
+        join(",", var.aws_regions)
+      ]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          awslogs-group         = aws_cloudwatch_log_group.aws_recon.name,
+          awslogs-region        = data.aws_region.current.name,
+          awslogs-stream-prefix = "ecs"
+        }
+      }
+    }
+  ])
+}
+
+resource "aws_cloudwatch_log_group" "aws_recon" {
+  name              = "/ecs/${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  retention_in_days = var.retention_period
+}
+
+locals {
+  ecs_task_provider = "FARGATE"
+}

data/utils/terraform/iam.tf

@@ -0,0 +1,125 @@
+#
+# IAM policies and roles for ECS and CloudWatch execution
+#
+resource "aws_iam_role" "aws_recon_role" {
+  name               = local.aws_recon_task_role_name
+  assume_role_policy = data.aws_iam_policy_document.aws_recon_task_execution_assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "aws_recon_task_execution_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "ecs.amazonaws.com",
+        "ecs-tasks.amazonaws.com"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "aws_recon_task_execution" {
+  role       = aws_iam_role.aws_recon_role.name
+  policy_arn = data.aws_iam_policy.aws_recon_task_execution.arn
+}
+
+resource "aws_iam_role_policy" "aws_recon" {
+  name = local.bucket_write_policy_name
+  role = aws_iam_role.aws_recon_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "${var.aws_recon_base_name}-bucket-write"
+    Statement = [
+      {
+        Sid    = "AWSReconS3PutObject"
+        Effect = "Allow"
+        Action = "s3:PutObject"
+        Resource = [
+          "${aws_s3_bucket.aws_recon.arn}/*"
+        ]
+      }
+    ]
+  })
+}
+
+data "aws_iam_policy" "aws_recon_task_execution" {
+  arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
+resource "aws_iam_role" "ecs_task_execution" {
+  name               = local.ecs_task_execution_role_name
+  assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_assume_role_policy.json
+
+  tags = {
+    Name = local.ecs_task_execution_role_name
+  }
+}
+
+data "aws_iam_policy_document" "ecs_task_execution_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+# ECS task execution
+resource "aws_iam_policy" "ecs_task_execution" {
+  name   = local.ecs_task_execution_policy_name
+  policy = data.aws_iam_policy.ecs_task_execution.policy
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution" {
+  role       = aws_iam_role.ecs_task_execution.name
+  policy_arn = aws_iam_policy.ecs_task_execution.arn
+}
+
+data "aws_iam_policy" "ecs_task_execution" {
+  arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# CloudWatch Events
+resource "aws_iam_role" "cw_events" {
+  name               = local.cw_events_role_name
+  assume_role_policy = data.aws_iam_policy_document.cw_events_assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "cw_events_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "cw_events" {
+  name   = local.cw_events_policy_name
+  policy = data.aws_iam_policy.cw_events.policy
+}
+
+resource "aws_iam_role_policy_attachment" "cw_events" {
+  role       = aws_iam_role.cw_events.name
+  policy_arn = aws_iam_policy.cw_events.arn
+}
+
+data "aws_iam_policy" "cw_events" {
+  arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
+}
+
+locals {
+  bucket_write_policy_name       = "${var.aws_recon_base_name}-bucket-write-policy"
+  ecs_task_execution_role_name   = "${var.aws_recon_base_name}-ecs-task-execution-role"
+  ecs_task_execution_policy_name = "${var.aws_recon_base_name}-ecs-task-execution-policy"
+  cw_events_policy_name          = "${var.aws_recon_base_name}-cw-events-policy"
+  cw_events_role_name            = "${var.aws_recon_base_name}-cw-events-role"
+  aws_recon_task_role_name       = "${var.aws_recon_base_name}-exec-role"
+}

data/utils/terraform/main.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+  }
+}
+
+# Configure the AWS Provider
+provider "aws" {
+  region = "us-east-2"
+}

data/utils/terraform/output.tf

@@ -0,0 +1,15 @@
+output "aws_recon_ecs_cluster" {
+  value = aws_ecs_cluster.aws_recon.name
+}
+
+output "aws_recon_ecs_scheduled_task" {
+  value = aws_cloudwatch_event_rule.default.name
+}
+
+output "aws_recon_s3_bucket" {
+  value = aws_s3_bucket.aws_recon.bucket
+}
+
+output "aws_recon_task_manual_run_command" {
+  value = "\nOne-off task run command:\n\naws ecs run-task --task-definition ${aws_ecs_task_definition.aws_recon_task.family} --cluster ${aws_ecs_cluster.aws_recon.name} --launch-type FARGATE --network-configuration \"awsvpcConfiguration={subnets=[${aws_subnet.subnet.id}],securityGroups=[${aws_security_group.sg.id}],assignPublicIp=ENABLED}\"\n"
+}

data/utils/terraform/readme.md

@@ -0,0 +1,20 @@
+## Terraform Setup
+
+This is an example module that can be used in its current form or modified for your specific environment. It builds the minimum components necessary to collect inventory on a schedule running AWS Recon as a Fargate scheduled task.
+
+### Requirements
+
+Before running this Terraform module, adjust your region accordingly in `main.tf`.
+
+### What is created?
+
+This Terraform example will deploy the following resources:
+
+- an S3 bucket to store compressed JSON output files
+- an IAM role for ECS task execution
+- a Security Group for the ECS cluster/task
+- a VPC and NGW for the ECS cluster/task
+- an ECS/Fargate cluster
+- an ECS task definition to run AWS Recon collection
+- a CloudWatch event rule to trigger the ECS task
+- a CloudTrail log group for ECS task logs

data/utils/terraform/s3.tf

@@ -0,0 +1,20 @@
+resource "aws_s3_bucket" "aws_recon" {
+  bucket        = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}-${data.aws_iam_account_alias.current.id}"
+  acl           = "private"
+  force_destroy = true
+
+  lifecycle_rule {
+    id      = "expire-after-${var.retention_period}-days"
+    enabled = true
+
+    expiration {
+      days = var.retention_period
+    }
+  }
+}
+
+resource "random_id" "aws_recon" {
+  byte_length = 6
+}
+
+data "aws_iam_account_alias" "current" {}

data/utils/terraform/vars.tf

@@ -0,0 +1,58 @@
+variable "aws_recon_base_name" {
+  type    = string
+  default = "aws-recon"
+}
+
+variable "aws_recon_container_name" {
+  type    = string
+  default = "darkbitio/aws_recon"
+}
+
+variable "aws_recon_container_version" {
+  type    = string
+  default = "latest"
+}
+
+variable "aws_regions" {
+  type = list(any)
+  default = [
+    "global",
+    # "af-south-1",
+    # "ap-east-1",
+    # "ap-northeast-1",
+    # "ap-northeast-2",
+    # "ap-northeast-3",
+    # "ap-south-1",
+    # "ap-southeast-1",
+    # "ap-southeast-2",
+    # "ca-central-1",
+    # "eu-central-1",
+    # "eu-north-1",
+    # "eu-south-1",
+    # "eu-west-1",
+    # "eu-west-2",
+    # "eu-west-3",
+    # "me-south-1",
+    # "sa-east-1",
+    "us-east-1",
+    "us-east-2",
+    "us-west-1",
+    "us-west-2",
+  ]
+}
+
+# must be one of: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365
+variable "retention_period" {
+  type    = number
+  default = 30
+}
+
+variable "schedule_expression" {
+  type    = string
+  default = "cron(4 * * * ? *)"
+}
+
+variable "base_subnet_cidr" {
+  type    = string
+  default = "10.76.0.0/16"
+}

data/utils/terraform/vpc.tf

@@ -0,0 +1,73 @@
+
+# Create a VPC
+resource "aws_vpc" "vpc" {
+  cidr_block = local.cidr_block
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  }
+}
+
+# Create subnet
+resource "aws_subnet" "subnet" {
+  vpc_id            = aws_vpc.vpc.id
+  cidr_block        = local.subnet_cidr_block
+  availability_zone = data.aws_availability_zones.available.names[0]
+
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}-public"
+  }
+}
+
+resource "aws_security_group" "sg" {
+  name        = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  description = "Allow AWS Recon collection egress"
+  vpc_id      = aws_vpc.vpc.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  }
+}
+
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.vpc.id
+
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  }
+}
+
+resource "aws_route_table" "rt" {
+  vpc_id = aws_vpc.vpc.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.igw.id
+  }
+
+  tags = {
+    Name = "${var.aws_recon_base_name}-${random_id.aws_recon.hex}"
+  }
+}
+
+resource "aws_route_table_association" "rt_association" {
+  subnet_id      = aws_subnet.subnet.id
+  route_table_id = aws_route_table.rt.id
+}
+
+locals {
+  cidr_block        = var.base_subnet_cidr
+  subnet_cidr_block = cidrsubnet(local.cidr_block, 8, 0)
+}
+
+data "aws_region" "current" {}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.5
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-30 00:00:00.000000000 Z
+date: 2021-04-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -244,6 +244,16 @@ files:
 - lib/aws_recon/services.yaml
 - lib/aws_recon/version.rb
 - readme.md
+- utils/cloudformation/aws-recon-cfn-template.yml
+- utils/terraform/cloudwatch.tf
+- utils/terraform/ecs.tf
+- utils/terraform/iam.tf
+- utils/terraform/main.tf
+- utils/terraform/output.tf
+- utils/terraform/readme.md
+- utils/terraform/s3.tf
+- utils/terraform/vars.tf
+- utils/terraform/vpc.tf
 homepage: https://github.com/darkbitio/aws-recon
 licenses:
 - MIT
@@ -266,5 +276,5 @@ requirements: []
 rubygems_version: 3.0.8
 signing_key:
 specification_version: 4
-summary: A multi-threaded AWS inventory collection cli tool.
+summary: A multi-threaded AWS security-focused inventory collection tool.
 test_files: []