aws_recon 0.5.2 → 0.5.7
- checksums.yaml +4 -4
- data/.github/workflows/check-aws-regions.yml +3 -2
- data/Dockerfile +1 -1
- data/aws_recon.gemspec +1 -1
- data/lib/aws_recon/collectors/wafv2.rb +1 -4
- data/lib/aws_recon/services.yaml +5 -14
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +5 -5
- data/utils/aws/check_region_exclusions.rb +26 -0
- metadata +3 -3
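--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e99a96f3054a14b9908d0f4e57a498783804f73cb2fc8f81846da7fae8d6a60d
+data.tar.gz: 125a0f69e1ee9e45d8f5cd1b8eedd067155fb53d68cb9271ba98da34d963b23b
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 340361ade00fffcfe97cf18c86dae1afee9489464efdb2d686135682d155f7d416d66d5675d550badd82d0625665334b19b005c5e93bbbb473d154f859e6d039
+data.tar.gz: 608ab989fe2a129690eb64d1adac67bfc99575ba1c5dfec75cbcb75734a4298c2eb9a3abc44c7cb94148b2ae10c81ac944a961db9f2a7c17035869f3da40b2eb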
@@ -1,8 +1,9 @@
|
|
1
1
|
name: check-service-regions
|
2
2
|
|
3
3
|
on:
|
4
|
+
workflow_dispatch:
|
4
5
|
schedule:
|
5
|
-
- cron: '
|
6
|
+
- cron: '0 10 * * *'
|
6
7
|
|
7
8
|
jobs:
|
8
9
|
region-check:
|
@@ -12,6 +13,6 @@ jobs:
|
|
12
13
|
uses: actions/checkout@v2
|
13
14
|
with:
|
14
15
|
fetch-depth: 1
|
15
|
-
- name:
|
16
|
+
- name: Check AWS service regions
|
16
17
|
run: |
|
17
18
|
cd utils/aws ; ruby check_region_exclusions.rb
|
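Review bot: The new `workflow_dispatch:` and `schedule:` triggers (file lines 4–6) turn this into a recurring, manually runnable job, yet no `permissions:` block is visible in the hunk, so unless one is set at job level (file lines 10–12 are not shown) the run inherits the repository's default GITHUB_TOKEN scope. A top-level `permissions:` / `contents: read` would hold the region-check job to the least privilege it needs, since the visible steps only check out the repository and run a script. The checkout step the triggers drive is pinned to the mutable tag `actions/checkout@v2`; pinning to a full commit SHA would make the scheduled run reproducible and immune to tag moves.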
data/Dockerfile
CHANGED
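--- a/data/aws_recon.gemspec
+++ b/data/aws_recon.gemspec
@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
 spec.name = 'aws_recon'
 spec.version = AwsRecon::VERSION
 spec.authors = ['Josh Larsen', 'Darkbit']
-spec.required_ruby_version = '>= 2.
+spec.required_ruby_version = '>= 2.6.0'
 spec.summary = 'A multi-threaded AWS security-focused inventory collection tool.'
 spec.description = 'AWS Recon is a command line tool to collect resources from an Amazon Web Services (AWS) account. The tool outputs JSON suitable for processing with other tools.'
 spec.homepage = 'https://github.com/darkbitio/aws-recon'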
@@ -7,9 +7,7 @@ class WAFV2 < Mapper
|
|
7
7
|
#
|
8
8
|
# Returns an array of resources.
|
9
9
|
#
|
10
|
-
# TODO: test live
|
11
10
|
# TODO: resolve scope (e.g. CLOUDFRONT supported?)
|
12
|
-
# TODO: confirm paging behavior
|
13
11
|
#
|
14
12
|
def collect
|
15
13
|
resources = []
|
@@ -25,7 +23,6 @@ class WAFV2 < Mapper
|
|
25
23
|
response.web_acls.each do |acl|
|
26
24
|
struct = OpenStruct.new(acl.to_h)
|
27
25
|
struct.type = 'web_acl'
|
28
|
-
# struct.arn = "arn:aws:#{@service}:#{@region}::web_acl/#{acl.id}"
|
29
26
|
|
30
27
|
params = {
|
31
28
|
name: acl.name,
|
@@ -40,7 +37,7 @@ class WAFV2 < Mapper
|
|
40
37
|
end
|
41
38
|
|
42
39
|
# list_resources_for_web_acl
|
43
|
-
@client.list_resources_for_web_acl({ web_acl_arn:
|
40
|
+
@client.list_resources_for_web_acl({ web_acl_arn: acl.arn }).each do |r|
|
44
41
|
struct.resources = r.resource_arns.map(&:to_h)
|
45
42
|
end
|
46
43
|
|
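Review bot: In the new `@client.list_resources_for_web_acl({ web_acl_arn: acl.arn }).each do |r|` (file line 40) the block body `struct.resources = r.resource_arns.map(&:to_h)` assigns on every iteration rather than accumulating, so if the response ever yields more than one page only the last one survives; and per the SDK's documentation for this operation `resource_arns` is an array of ARN strings, so `map(&:to_h)` would raise NoMethodError on the first web ACL with an association — `(struct.resources ||= []).concat(r.resource_arns)` keeps the ARNs as-is and accumulates. The call also passes no `resource_type`, which the API defaults to APPLICATION_LOAD_BALANCER, so API Gateway and AppSync associations would not appear in the inventory; at minimum a comment such as `# only ALB associations are listed; other resource types need a separate call` should record that coverage gap. `collect` starts and ends outside the hunk.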
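--- a/data/lib/aws_recon/services.yaml
+++ b/data/lib/aws_recon/services.yaml
@@ -37,8 +37,6 @@
 alias: ecs
 - name: ElasticLoadBalancing
 alias: elb
-excluded_regions:
-- ap-southeast-1
 - name: ElasticLoadBalancingV2
 alias: elbv2
 - name: ElastiCache
@@ -58,7 +56,7 @@
 - name: ECR
 alias: ecr
 - name: DynamoDB
-alias:
+alias: dynamodb
 - name: KMS
 alias: kms
 - name: Kinesis
@@ -85,15 +83,15 @@
 - name: Shield
 global: true
 alias: shield
+excluded_regions:
+- ap-northeast-3
 - name: CloudFormation
 alias: cloudformation
 - name: SES
 alias: ses
 excluded_regions:
-- af-south-1
 - ap-east-1
 - ap-northeast-3
-- eu-south-1
 - name: CloudWatch
 alias: cloudwatch
 - name: CloudWatchLogs
@@ -104,11 +102,9 @@
 - af-south-1
 - ap-northeast-3
 - name: SecretsManager
-alias:
+alias: secretsmanager
 - name: SecurityHub
 alias: securityhub
-excluded_regions:
-- ap-northeast-3
 - name: Support
 global: true
 alias: support
@@ -116,16 +112,12 @@
 alias: ssm
 - name: GuardDuty
 alias: guardduty
-excluded_regions:
-- ap-northeast-3
 - name: Athena
 alias: athena
 excluded_regions:
 - ap-northeast-3
 - name: EFS
 alias: efs
-excluded_regions:
-- ap-northeast-3
 - name: Firehose
 alias: firehose
 - name: Lightsail
@@ -145,7 +137,6 @@
 - af-south-1
 - ap-east-1
 - ap-northeast-3
-- ap-south-1
 - eu-north-1
 - eu-south-1
 - eu-west-3
@@ -164,7 +155,7 @@
 - ap-northeast-3
 - eu-south-1
 - name: DirectConnect
-alias:
+alias: directconnect
 - name: DirectoryService
 alias: ds
 excluded_regions: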
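Review bot: The Shield entry (file lines 83–87) now carries both `global: true` and a new `excluded_regions` list, and nothing in the file shows how the collector treats that combination: if global services skip the per-region fan-out the new exclusion is dead configuration, and if they do not, it silently narrows a service marked global to every region but ap-northeast-3. A one-line comment on the entry stating which key wins, e.g. `# global endpoint; excluded_regions applies only if the runner fans out per region`, or dropping the key that does not apply, would make the intent reviewable and presumably lets the region-check script introduced in this release validate it. The same question applies to the other entries that pair `global: true` with regional keys, though none is changed here.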
data/lib/aws_recon/version.rb
CHANGED
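--- a/data/readme.md
+++ b/data/readme.md
@@ -1,6 +1,6 @@
 [![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/darkbitio/aws-recon/smoke-test/main)](https://github.com/darkbitio/aws-recon/actions?query=branch%3Amain)
 [![Gem Version](https://badge.fury.io/rb/aws_recon.svg)](https://rubygems.org/gems/aws_recon)
-
+[![AWS Service Regions](https://github.com/darkbitio/aws-recon/actions/workflows/check-aws-regions.yml/badge.svg?branch=main&event=schedule)](https://github.com/darkbitio/aws-recon/actions/workflows/check-aws-regions.yml)
 # AWS Recon
 
 A multi-threaded AWS security-focused inventory collection tool written in Ruby.
@@ -54,13 +54,13 @@ To run locally, first install the gem:
 
 ```
 $ gem install aws_recon
-Fetching aws_recon-0.
+Fetching aws_recon-0.5.2.gem
 Fetching aws-sdk-3.0.1.gem
 Fetching parallel-1.20.1.gem
 ...
 Successfully installed aws-sdk-3.0.1
 Successfully installed parallel-1.20.1
-Successfully installed aws_recon-0.
+Successfully installed aws_recon-0.5.2
 ```
 
 Or add it to your Gemfile using `bundle`:
@@ -72,7 +72,7 @@ Resolving dependencies...
 ...
 Using aws-sdk 3.0.1
 Using parallel-1.20.1
-Using aws_recon 0.
+Using aws_recon 0.5.2
 ```
 
 ## Usage
@@ -249,7 +249,7 @@ Most users will want to limit collection to relevant services and regions. Runni
 ```
 $ aws_recon -h
 
-AWS Recon - AWS Inventory Collector (0.
+AWS Recon - AWS Inventory Collector (0.5.2)
 
 Usage: aws_recon [options]
 -r, --regions [REGIONS] Regions to scan, separated by comma (default: all)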
@@ -3,13 +3,24 @@
|
|
3
3
|
#
|
4
4
|
# Check regional service availability against services.yaml exclusions.
|
5
5
|
#
|
6
|
+
# AWS updates the regional service table daily. By checking regional service
|
7
|
+
# coverage, we can identify regions that should be excluded from AWS Recon
|
8
|
+
# checks. We exclude non-supported regions because service APIs handle non-
|
9
|
+
# availability differently. Some will respond with an error that can be handled
|
10
|
+
# by the errors defined in the AWS Ruby SDK client. Others will fail at the
|
11
|
+
# network level (i.e. there is no API endpoint even available). We could handle
|
12
|
+
# those errors and silently fail, but we choose not to so we can identify cases
|
13
|
+
# where there is a lack of service availability in a particular region.
|
14
|
+
#
|
6
15
|
require 'net/http'
|
7
16
|
require 'json'
|
8
17
|
require 'yaml'
|
9
18
|
|
10
19
|
TS = Time.now.to_i
|
20
|
+
# AWS Regional services table
|
11
21
|
URL = "https://api.regional-table.region-services.aws.a2z.com/index.json?timestamp=#{TS}000"
|
12
22
|
|
23
|
+
service_to_query = ARGV[0]
|
13
24
|
region_exclusion_mistmatch = nil
|
14
25
|
|
15
26
|
#
|
@@ -41,6 +52,21 @@ map = {}
|
|
41
52
|
data = res.body
|
42
53
|
json = JSON.parse(data)
|
43
54
|
|
55
|
+
#
|
56
|
+
# query regions for a single service
|
57
|
+
#
|
58
|
+
if service_to_query
|
59
|
+
single_service_regions = []
|
60
|
+
|
61
|
+
json['prices'].each do |p|
|
62
|
+
single_service_regions << p['id'].split(':').last
|
63
|
+
end
|
64
|
+
|
65
|
+
single_service_regions.uniq.sort.each { |r| puts r }
|
66
|
+
|
67
|
+
exit 0
|
68
|
+
end
|
69
|
+
|
44
70
|
# iterate through AWS provided services & regions
|
45
71
|
json['prices'].each do |p|
|
46
72
|
at = p['attributes']
|
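Review bot: The new single-service branch (file lines 58–68) never uses `service_to_query` beyond the truthiness check, so `json['prices'].each do |p| single_service_regions << p['id'].split(':').last end` collects the region suffix of every price entry for every service and prints the union of all regions rather than the regions of the requested service. The loop needs a guard on the entry before collecting — e.g. `next unless p['id'].start_with?("#{service_to_query}:")`, assuming the id has the `<service>:<region>` shape that `.split(':').last` already relies on, or a comparison against the service-name attribute the main loop reads from `p['attributes']` — and the three lines could then collapse to `json['prices'].filter_map { |p| p['id'].split(':').last if p['id'].start_with?("#{service_to_query}:") }.uniq.sort.each { |r| puts r }`. The header comment added above documents why regions are excluded but not this query mode; a line such as `# Usage: ruby check_region_exclusions.rb [service-id]  # prints that service's regions and exits` next to `service_to_query = ARGV[0]` would close that gap. The main iteration loop continues outside the hunk.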
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws_recon
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.5.
|
4
|
+
version: 0.5.7
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Josh Larsen
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2021-04-
|
12
|
+
date: 2021-04-23 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: aws-sdk
|
@@ -270,7 +270,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
270
270
|
requirements:
|
271
271
|
- - ">="
|
272
272
|
- !ruby/object:Gem::Version
|
273
|
-
version: 2.
|
273
|
+
version: 2.6.0
|
274
274
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
275
275
|
requirements:
|
276
276
|
- - ">="
|