aws_recon 0.5.3 → 0.5.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c32ae658ad80c3f24f28a7428f8511526edaf3034c9e6e193361cb55b6788840
-  data.tar.gz: 2927c2351efb59cbb24d2e4c36c188b6fbbf6dcd631c1569e27814e39a546b10
+  metadata.gz: cacdfedc9b86afcaaa776b95751ddbd3799dde854ed190b7e79668cbda08ce8d
+  data.tar.gz: 30f07c6ab93754deb298981aa3f8f2d71692c4537dc0de98f4e259208b734395
 SHA512:
-  metadata.gz: d5450a2d2fb68bc1a33787c550f094b2449474023045304fe0c00da432be3818963cc3285bfed572147890fcf05a02de4c57837d5ec8a7963e00976f7f362003
-  data.tar.gz: b2708a5c9d02b0f2bb226b04c0a86356658c843c75721d102ca9364802ac847c632346bf16c93428dcc5346414457c78e8a39c80d9461b4f373bc2fe92cdee2d
+  metadata.gz: 55370f9a76e8fb31e426c5af9b9cd768ae201305aed403abfd7f1e5c724aae9c88bd49c233c928bf64d7e5ded395b1741a0663c0264a8c62b3ea08363d5c228f
+  data.tar.gz: 63e30b67a206a3ee631eaddb3aa558e85f2d1f7316d1b3a75b9079c18af4a5e98d234900bc75e69615609d646c8ccd17d3d9c7dc39ff5f5bc3a564bc64c0ee7e

data/.github/workflows/check-aws-regions.yml

@@ -1,6 +1,7 @@
 name: check-service-regions
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: '0 10 * * *'
 
@@ -12,6 +13,6 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 1
-      - name: Set version tag
+      - name: Check AWS service regions
         run: |
           cd utils/aws ; ruby check_region_exclusions.rb

data/Dockerfile

@@ -1,4 +1,4 @@
-ARG RUBY_VERSION=2.6.6
+ARG RUBY_VERSION=2.7.3
 FROM ruby:${RUBY_VERSION}-alpine
 
 LABEL maintainer="Darkbit <info@darkbit.io>"

data/aws_recon.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.name          = 'aws_recon'
   spec.version       = AwsRecon::VERSION
   spec.authors       = ['Josh Larsen', 'Darkbit']
-  spec.required_ruby_version = '>= 2.5.0'
+  spec.required_ruby_version = '>= 2.6.0'
   spec.summary       = 'A multi-threaded AWS security-focused inventory collection tool.'
   spec.description   = 'AWS Recon is a command line tool to collect resources from an Amazon Web Services (AWS) account. The tool outputs JSON suitable for processing with other tools.'
   spec.homepage      = 'https://github.com/darkbitio/aws-recon'

data/lib/aws_recon/aws_recon.rb

@@ -34,7 +34,7 @@ module AwsRecon
       # formatter
       @formatter = Formatter.new
 
-      return unless @options.stream_output
+      return if @options.stream_output
 
       puts "\nStarting collection with #{@options.threads} threads...\n"
     end
@@ -66,7 +66,7 @@ module AwsRecon
     end
 
     #
-    # Format @resources as either
+    # Format @resources as either JSON or JSONL
     #
     def formatted_json
       if @options.jsonl
@@ -117,7 +117,7 @@ module AwsRecon
     ensure
       elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
 
-      puts "\nFinished in #{elapsed.to_i} seconds.\n\n"
+      puts "\nFinished in #{elapsed.to_i} seconds.\n\n" unless @options.stream_output
 
       # write output file
       if @options.output_file && !@options.s3

data/lib/aws_recon/collectors/lambda.rb

@@ -17,6 +17,9 @@ class Lambda < Mapper
         struct = OpenStruct.new(function)
         struct.type = 'function'
         struct.arn = function.function_arn
+        struct.vpc_config = function.vpc_config.to_h
+        struct.tracing_config = function.tracing_config.to_h
+        struct.layers = function.layers ? function.layers.map(&:to_h) : []
         struct.policy = @client.get_policy({ function_name: function.function_name }).policy.parse_policy
 
       rescue Aws::Lambda::Errors::ResourceNotFoundException => e
@@ -36,6 +39,7 @@ class Lambda < Mapper
         struct = OpenStruct.new(layer)
         struct.type = 'layer'
         struct.arn = layer.layer_arn
+        struct.latest_matching_version = layer.latest_matching_version.to_h
 
         # list_layer_versions
         struct.versions = @client.list_layer_versions({ layer_name: layer.layer_name }).layer_versions.map(&:to_h)

data/lib/aws_recon/collectors/wafv2.rb

@@ -7,9 +7,7 @@ class WAFV2 < Mapper
   #
   # Returns an array of resources.
   #
-  # TODO: test live
   # TODO: resolve scope (e.g. CLOUDFRONT supported?)
-  # TODO: confirm paging behavior
   #
   def collect
     resources = []
@@ -25,7 +23,6 @@ class WAFV2 < Mapper
         response.web_acls.each do |acl|
           struct = OpenStruct.new(acl.to_h)
           struct.type = 'web_acl'
-          # struct.arn = "arn:aws:#{@service}:#{@region}::web_acl/#{acl.id}"
 
           params = {
             name: acl.name,
@@ -40,7 +37,7 @@ class WAFV2 < Mapper
           end
 
           # list_resources_for_web_acl
-          @client.list_resources_for_web_acl({ web_acl_arn: 'ResourceArn' }).each do |r|
+          @client.list_resources_for_web_acl({ web_acl_arn: acl.arn }).each do |r|
             struct.resources = r.resource_arns.map(&:to_h)
           end
 

data/lib/aws_recon/options.rb

@@ -100,6 +100,7 @@ class Parser
 
       # write output file to S3 bucket
       opts.on('-b', '--s3-bucket [BUCKET:REGION]', 'Write output file to S3 bucket (default: \'\')') do |bucket_with_region|
+        args.stream_output = false
         args.s3 = bucket_with_region
       end
 
@@ -109,8 +110,8 @@ class Parser
       end
 
       # output format
-      opts.on('-f', '--format [FORMAT]', 'Specify output format (default: aws)') do |file|
-        args.output_format = file.downcase if %w[aws custom].include?(file.downcase)
+      opts.on('-f', '--format [FORMAT]', 'Specify output format (default: aws)') do |f|
+        args.output_format = f.downcase if %w[aws custom].include?(f.downcase)
       end
 
       # threads

data/lib/aws_recon/services.yaml

@@ -56,7 +56,7 @@
 - name: ECR
   alias: ecr
 - name: DynamoDB
-  alias: ddb
+  alias: dynamodb
 - name: KMS
   alias: kms
 - name: Kinesis
@@ -102,7 +102,7 @@
     - af-south-1
     - ap-northeast-3
 - name: SecretsManager
-  alias: sm
+  alias: secretsmanager
 - name: SecurityHub
   alias: securityhub
 - name: Support
@@ -155,7 +155,7 @@
     - ap-northeast-3
     - eu-south-1
 - name: DirectConnect
-  alias: dc
+  alias: directconnect
 - name: DirectoryService
   alias: ds
   excluded_regions:

data/lib/aws_recon/version.rb

@@ -1,3 +1,3 @@
 module AwsRecon
-  VERSION = "0.5.3"
+  VERSION = "0.5.8"
 end

data/utils/aws/check_region_exclusions.rb

@@ -3,11 +3,21 @@
 #
 # Check regional service availability against services.yaml exclusions.
 #
+# AWS updates the regional service table daily. By checking regional service
+# coverage, we can identify regions that should be excluded from AWS Recon
+# checks. We exclude non-supported regions because service APIs handle non-
+# availability differently. Some will respond with an error that can be handled
+# by the errors defined in the AWS Ruby SDK client. Others will fail at the
+# network level (i.e. there is no API endpoint even available). We could handle
+# those errors and silently fail, but we choose not to so we can identify cases
+# where there is a lack of service availability in a particular region.
+#
 require 'net/http'
 require 'json'
 require 'yaml'
 
 TS = Time.now.to_i
+# AWS Regional services table
 URL = "https://api.regional-table.region-services.aws.a2z.com/index.json?timestamp=#{TS}000"
 
 service_to_query = ARGV[0]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws_recon
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.5.8
 platform: ruby
 authors:
 - Josh Larsen
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-13 00:00:00.000000000 Z
+date: 2021-04-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -270,7 +270,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.5.0
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="