aws_recon 0.5.3 → 0.5.8
- checksums.yaml +4 -4
- data/.github/workflows/check-aws-regions.yml +2 -1
- data/Dockerfile +1 -1
- data/aws_recon.gemspec +1 -1
- data/lib/aws_recon/aws_recon.rb +3 -3
- data/lib/aws_recon/collectors/lambda.rb +4 -0
- data/lib/aws_recon/collectors/wafv2.rb +1 -4
- data/lib/aws_recon/options.rb +3 -2
- data/lib/aws_recon/services.yaml +3 -3
- data/lib/aws_recon/version.rb +1 -1
- data/utils/aws/check_region_exclusions.rb +10 -0
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: cacdfedc9b86afcaaa776b95751ddbd3799dde854ed190b7e79668cbda08ce8d
|
4
|
+
data.tar.gz: 30f07c6ab93754deb298981aa3f8f2d71692c4537dc0de98f4e259208b734395
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 55370f9a76e8fb31e426c5af9b9cd768ae201305aed403abfd7f1e5c724aae9c88bd49c233c928bf64d7e5ded395b1741a0663c0264a8c62b3ea08363d5c228f
|
7
|
+
data.tar.gz: 63e30b67a206a3ee631eaddb3aa558e85f2d1f7316d1b3a75b9079c18af4a5e98d234900bc75e69615609d646c8ccd17d3d9c7dc39ff5f5bc3a564bc64c0ee7e
|
@@ -1,6 +1,7 @@
|
|
1
1
|
name: check-service-regions
|
2
2
|
|
3
3
|
on:
|
4
|
+
workflow_dispatch:
|
4
5
|
schedule:
|
5
6
|
- cron: '0 10 * * *'
|
6
7
|
|
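Review bot: `workflow_dispatch:` on new line 4 adds a manual trigger, but the workflow still declares no `permissions:` block, so every run (scheduled or manual) gets the default `GITHUB_TOKEN` scope even though the only step checks out the repo and runs a read-only script. A top-level `permissions:` with `contents: read` would pin the token to what the job actually needs. The second hunk (ending at line 18) only names the step and needs no change. The `on:` block is fully visible in this hunk; the `jobs:` block starts in the next one.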
@@ -12,6 +13,6 @@ jobs:
|
|
12
13
|
uses: actions/checkout@v2
|
13
14
|
with:
|
14
15
|
fetch-depth: 1
|
15
|
-
- name:
|
16
|
+
- name: Check AWS service regions
|
16
17
|
run: |
|
17
18
|
cd utils/aws ; ruby check_region_exclusions.rb
|
data/Dockerfile
CHANGED
data/aws_recon.gemspec
CHANGED
@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
|
|
8
8
|
spec.name = 'aws_recon'
|
9
9
|
spec.version = AwsRecon::VERSION
|
10
10
|
spec.authors = ['Josh Larsen', 'Darkbit']
|
11
|
-
spec.required_ruby_version = '>= 2.
|
11
|
+
spec.required_ruby_version = '>= 2.6.0'
|
12
12
|
spec.summary = 'A multi-threaded AWS security-focused inventory collection tool.'
|
13
13
|
spec.description = 'AWS Recon is a command line tool to collect resources from an Amazon Web Services (AWS) account. The tool outputs JSON suitable for processing with other tools.'
|
14
14
|
spec.homepage = 'https://github.com/darkbitio/aws-recon'
|
data/lib/aws_recon/aws_recon.rb
CHANGED
@@ -34,7 +34,7 @@ module AwsRecon
|
|
34
34
|
# formatter
|
35
35
|
@formatter = Formatter.new
|
36
36
|
|
37
|
-
return
|
37
|
+
return if @options.stream_output
|
38
38
|
|
39
39
|
puts "\nStarting collection with #{@options.threads} threads...\n"
|
40
40
|
end
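Review bot: `return if @options.stream_output` on new line 37 silences the banner on line 39 by dropping it altogether, and the third hunk (new line 120) does the same for the elapsed-time message, so anyone streaming JSONL to a pipe loses the timing information entirely. Writing both messages to stderr instead, `warn "\nStarting collection with #{@options.threads} threads...\n"` and `warn "\nFinished in #{elapsed.to_i} seconds.\n\n"`, keeps stdout clean for the stream without a guard in either place. If the suppression is intentional, a one-line comment at line 37 such as `# keep stdout clean: only JSON/JSONL is written when streaming` would record why the two sites must stay in sync. The method closed on line 40 begins before this hunk, and the `ensure` block in the third hunk starts and ends outside it.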
|
@@ -66,7 +66,7 @@ module AwsRecon
|
|
66
66
|
end
|
67
67
|
|
68
68
|
#
|
69
|
-
# Format @resources as either
|
69
|
+
# Format @resources as either JSON or JSONL
|
70
70
|
#
|
71
71
|
def formatted_json
|
72
72
|
if @options.jsonl
|
@@ -117,7 +117,7 @@ module AwsRecon
|
|
117
117
|
ensure
|
118
118
|
elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
|
119
119
|
|
120
|
-
puts "\nFinished in #{elapsed.to_i} seconds.\n\n"
|
120
|
+
puts "\nFinished in #{elapsed.to_i} seconds.\n\n" unless @options.stream_output
|
121
121
|
|
122
122
|
# write output file
|
123
123
|
if @options.output_file && !@options.s3
|
@@ -17,6 +17,9 @@ class Lambda < Mapper
|
|
17
17
|
struct = OpenStruct.new(function)
|
18
18
|
struct.type = 'function'
|
19
19
|
struct.arn = function.function_arn
|
20
|
+
struct.vpc_config = function.vpc_config.to_h
|
21
|
+
struct.tracing_config = function.tracing_config.to_h
|
22
|
+
struct.layers = function.layers ? function.layers.map(&:to_h) : []
|
20
23
|
struct.policy = @client.get_policy({ function_name: function.function_name }).policy.parse_policy
|
21
24
|
|
22
25
|
rescue Aws::Lambda::Errors::ResourceNotFoundException => e
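Review bot: Of the three new assignments, only `struct.layers = function.layers ? function.layers.map(&:to_h) : []` on new line 22 guards against nil, which reads as if `vpc_config` and `tracing_config` on lines 20–21 were overlooked; they are in fact safe because `NilClass#to_h` returns `{}`, but that is worth a short comment. `struct.layers = Array(function.layers).map(&:to_h)` expresses the same intent more idiomatically and keeps the three lines visually consistent. The `latest_matching_version.to_h` added in the second hunk (ending at line 45) is fine for the same nil-tolerant reason. The enclosing method starts before this hunk and its `rescue` clause continues after it.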
|
@@ -36,6 +39,7 @@ class Lambda < Mapper
|
|
36
39
|
struct = OpenStruct.new(layer)
|
37
40
|
struct.type = 'layer'
|
38
41
|
struct.arn = layer.layer_arn
|
42
|
+
struct.latest_matching_version = layer.latest_matching_version.to_h
|
39
43
|
|
40
44
|
# list_layer_versions
|
41
45
|
struct.versions = @client.list_layer_versions({ layer_name: layer.layer_name }).layer_versions.map(&:to_h)
|
@@ -7,9 +7,7 @@ class WAFV2 < Mapper
|
|
7
7
|
#
|
8
8
|
# Returns an array of resources.
|
9
9
|
#
|
10
|
-
# TODO: test live
|
11
10
|
# TODO: resolve scope (e.g. CLOUDFRONT supported?)
|
12
|
-
# TODO: confirm paging behavior
|
13
11
|
#
|
14
12
|
def collect
|
15
13
|
resources = []
|
@@ -25,7 +23,6 @@ class WAFV2 < Mapper
|
|
25
23
|
response.web_acls.each do |acl|
|
26
24
|
struct = OpenStruct.new(acl.to_h)
|
27
25
|
struct.type = 'web_acl'
|
28
|
-
# struct.arn = "arn:aws:#{@service}:#{@region}::web_acl/#{acl.id}"
|
29
26
|
|
30
27
|
params = {
|
31
28
|
name: acl.name,
|
@@ -40,7 +37,7 @@ class WAFV2 < Mapper
|
|
40
37
|
end
|
41
38
|
|
42
39
|
# list_resources_for_web_acl
|
43
|
-
@client.list_resources_for_web_acl({ web_acl_arn:
|
40
|
+
@client.list_resources_for_web_acl({ web_acl_arn: acl.arn }).each do |r|
|
44
41
|
struct.resources = r.resource_arns.map(&:to_h)
|
45
42
|
end
|
46
43
|
|
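Review bot: The loop on new line 40, `@client.list_resources_for_web_acl({ web_acl_arn: acl.arn }).each do |r|`, reassigns `struct.resources` on every iteration, so if the response were ever paged only the last page would survive; the `# TODO: confirm paging behavior` removed in the first hunk is exactly the question this line leaves open. Accumulating instead, `struct.resources = @client.list_resources_for_web_acl({ web_acl_arn: acl.arn }).flat_map { |r| r.resource_arns.map(&:to_h) }`, is correct whether one page or many come back. Separately, if `resource_arns` is a list of ARN strings, as its name suggests, `map(&:to_h)` on the context line that follows will raise `NoMethodError`, so `r.resource_arns.to_a` may be what was intended; confirm against the SDK response shape. The enclosing `collect` method begins before this hunk and continues after it.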
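--- a/data/lib/aws_recon/options.rb
+++ b/data/lib/aws_recon/options.rb
@@ -100,6 +100,7 @@ class Parser
 
 # write output file to S3 bucket
 opts.on('-b', '--s3-bucket [BUCKET:REGION]', 'Write output file to S3 bucket (default: \'\')') do |bucket_with_region|
+args.stream_output = false
 args.s3 = bucket_with_region
 end
 
@@ -109,8 +110,8 @@ class Parser
 end
 
 # output format
-opts.on('-f', '--format [FORMAT]', 'Specify output format (default: aws)') do |
-args.output_format =
+opts.on('-f', '--format [FORMAT]', 'Specify output format (default: aws)') do |f|
+args.output_format = f.downcase if %w[aws custom].include?(f.downcase)
 end
 
 # threads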
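Review bot: `--format [FORMAT]` declares the value optional, so `-f` given without a value hands the block `f = nil` and `f.downcase` on new line 114 raises `NoMethodError`; a value outside the allow-list is also silently ignored rather than rejected. OptionParser can do both checks itself: `opts.on('-f', '--format FORMAT', %w[aws custom], 'Specify output format (default: aws)') do |f|` with the body `args.output_format = f`, which rejects unknown values with `OptionParser::InvalidArgument`; if mixed-case input must still be accepted, keep the current body but make the argument mandatory and add `next if f.nil?` ahead of the `include?` test. In the first hunk, `args.stream_output = false` inside the `-b` handler makes the outcome depend on option order if another option sets `stream_output` later on the command line, which is presumably intended but deserves a comment such as `# S3 upload needs the complete document, so streaming is disabled`. Both hunks sit inside a parser block that starts before and ends after this section.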
data/lib/aws_recon/services.yaml
CHANGED
@@ -56,7 +56,7 @@
|
|
56
56
|
- name: ECR
|
57
57
|
alias: ecr
|
58
58
|
- name: DynamoDB
|
59
|
-
alias:
|
59
|
+
alias: dynamodb
|
60
60
|
- name: KMS
|
61
61
|
alias: kms
|
62
62
|
- name: Kinesis
|
@@ -102,7 +102,7 @@
|
|
102
102
|
- af-south-1
|
103
103
|
- ap-northeast-3
|
104
104
|
- name: SecretsManager
|
105
|
-
alias:
|
105
|
+
alias: secretsmanager
|
106
106
|
- name: SecurityHub
|
107
107
|
alias: securityhub
|
108
108
|
- name: Support
|
@@ -155,7 +155,7 @@
|
|
155
155
|
- ap-northeast-3
|
156
156
|
- eu-south-1
|
157
157
|
- name: DirectConnect
|
158
|
-
alias:
|
158
|
+
alias: directconnect
|
159
159
|
- name: DirectoryService
|
160
160
|
alias: ds
|
161
161
|
excluded_regions:
|
data/lib/aws_recon/version.rb
CHANGED
@@ -3,11 +3,21 @@
|
|
3
3
|
#
|
4
4
|
# Check regional service availability against services.yaml exclusions.
|
5
5
|
#
|
6
|
+
# AWS updates the regional service table daily. By checking regional service
|
7
|
+
# coverage, we can identify regions that should be excluded from AWS Recon
|
8
|
+
# checks. We exclude non-supported regions because service APIs handle non-
|
9
|
+
# availability differently. Some will respond with an error that can be handled
|
10
|
+
# by the errors defined in the AWS Ruby SDK client. Others will fail at the
|
11
|
+
# network level (i.e. there is no API endpoint even available). We could handle
|
12
|
+
# those errors and silently fail, but we choose not to so we can identify cases
|
13
|
+
# where there is a lack of service availability in a particular region.
|
14
|
+
#
|
6
15
|
require 'net/http'
|
7
16
|
require 'json'
|
8
17
|
require 'yaml'
|
9
18
|
|
10
19
|
TS = Time.now.to_i
|
20
|
+
# AWS Regional services table
|
11
21
|
URL = "https://api.regional-table.region-services.aws.a2z.com/index.json?timestamp=#{TS}000"
|
12
22
|
|
13
23
|
service_to_query = ARGV[0]
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws_recon
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.5.
|
4
|
+
version: 0.5.8
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Josh Larsen
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2021-04-
|
12
|
+
date: 2021-04-25 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: aws-sdk
|
@@ -270,7 +270,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
270
270
|
requirements:
|
271
271
|
- - ">="
|
272
272
|
- !ruby/object:Gem::Version
|
273
|
-
version: 2.
|
273
|
+
version: 2.6.0
|
274
274
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
275
275
|
requirements:
|
276
276
|
- - ">="
|