aws_recon 0.2.24 → 0.2.25

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: '091d2a7a27fb6c37494ec2bbddfc029c73e915925ea93e4011dbaaf6fbf637e5'
4
- data.tar.gz: a6f2cfb73e6a667f3d3faff70956d26e065d3f83a6dedcdbdf0cd8eb82102385
3
+ metadata.gz: 8786af60d08967c2203b1f4417480b135ae32b9a40ec05810afc9c2ae126f49d
4
+ data.tar.gz: fbd4741002a54dc15f2b2716dee6e1b6efcec48edfdf3e101d9c7bcb19105a4e
5
5
  SHA512:
6
- metadata.gz: b488755dd29b5d262e2b6775a9de1830f024975874a4f617f0cd01f80a621e2a18e1955b4a590418aa0d1efc203b2427221129ae069c01a038d1ed35bdc0b500
7
- data.tar.gz: 8997f3f3350fc9c8a6ded6fbd437816005d5a17a7b6db76c2e3e646b9076af210c4b803a68e2b568bff8ea277950bfb99031c6baa767b23138db5da9869c41c0
6
+ metadata.gz: 2c11e60d61cf9fcf894b8e38cb136e934b03fd7e9ef1bd349ce27c41c9943e75cb146893d14374167d7f2eb73b40d97a901fbaebd6e6aee5ac93ef8095b1d0b4
7
+ data.tar.gz: 9510a49029fbc382fefc50ad8ae0de0351b6f8648a1044abbebdf695459ef5a4845014057618387549546876c10ea1eb09cba55f4692a0405f41b96810c0dce5
@@ -8,20 +8,37 @@ class CodePipeline < Mapper
8
8
  #
9
9
  # list_pipelines
10
10
  #
11
- @client.list_pipelines.each_with_index do |response, page|
12
- log(response.context.operation_name, page)
11
+ begin
12
+ @client.list_pipelines.each_with_index do |response, page|
13
+ log(response.context.operation_name, page)
13
14
 
14
- # get_pipeline
15
- response.pipelines.each do |pipeline|
16
- resp = @client.get_pipeline(name: pipeline.name)
17
- struct = OpenStruct.new(resp.pipeline.to_h)
18
- struct.type = 'pipeline'
19
- struct.arn = resp.metadata.pipeline_arn
15
+ # get_pipeline
16
+ response.pipelines.each do |pipeline|
17
+ resp = @client.get_pipeline(name: pipeline.name)
18
+ struct = OpenStruct.new(resp.pipeline.to_h)
19
+ struct.type = 'pipeline'
20
+ struct.arn = resp.metadata.pipeline_arn
20
21
 
21
- resources.push(struct.to_h)
22
+ resources.push(struct.to_h)
23
+ end
24
+ end
25
+ rescue Aws::CodePipeline::Errors::ServiceError => e
26
+ log_error(e.code)
27
+
28
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
29
+ raise e
22
30
  end
23
31
  end
24
32
 
25
33
  resources
26
34
  end
35
+
36
+ private
37
+
38
+ # not an error
39
+ def suppressed_errors
40
+ %w[
41
+ AccessDeniedException
42
+ ]
43
+ end
27
44
  end
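Review bot: The new begin/rescue wraps the entire `list_pipelines` pagination loop, so a single tolerated `AccessDeniedException` from `get_pipeline` on one pipeline ends collection for the region and every pipeline remaining in that page (and all later pages) is silently dropped, even though `suppressed_errors` says that code is not fatal. An inner rescue around the per-pipeline body would lose only the one resource the caller is not allowed to read, while the outer rescue still covers a denied `list_pipelines` itself. Because `log_error(e.code)` is the only trace of the denial, nothing in the JSON output marks the inventory as incomplete, which matters for a recon tool whose consumers treat absence as "not present"; consider also pushing a minimal record with `name` and the error code when the error is tolerated. The enclosing method starts above this hunk.
```ruby
response.pipelines.each do |pipeline|
  begin
    # … unchanged: get_pipeline, OpenStruct build, resources.push …
  rescue Aws::CodePipeline::Errors::ServiceError => e
    # a denied get_pipeline drops only this pipeline, not the rest of the page
    log_error(e.code)
    raise e unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
  end
end
```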
@@ -19,7 +19,11 @@ class ECR < Mapper
19
19
  .get_repository_policy({ repository_name: repo.repository_name }).policy_text.parse_policy
20
20
 
21
21
  rescue Aws::ECR::Errors::ServiceError => e
22
- raise e unless suppressed_errors.include?(e.code)
22
+ log_error(e.code)
23
+
24
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
25
+ raise e
26
+ end
23
27
  ensure
24
28
  resources.push(struct.to_h)
25
29
  end
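Review bot: When `get_repository_policy` fails with a code in `suppressed_errors` and `-q` is not set, the `ensure` below still pushes the repository record, but with no policy attribute and no indication that the policy was unreadable; downstream, a repository whose policy could not be fetched is indistinguishable from one that has no policy, which is precisely the case a security reviewer wants surfaced. `log_error(e.code)` only reaches the log, so consider recording the failure on the resource itself inside the rescue, e.g. `struct.policy_error = e.code`, before the raise decision, so the emitted JSON carries the coverage gap. The assignment that the `.parse_policy` call feeds, and the start and end of the enclosing method, lie outside this hunk.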
@@ -101,7 +101,10 @@ class IAM < Mapper
101
101
  end
102
102
  rescue Aws::IAM::Errors::ServiceError => e
103
103
  log_error(e.code)
104
- raise e unless suppressed_errors.include?(e.code)
104
+
105
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
106
+ raise e
107
+ end
105
108
  end
106
109
 
107
110
  #
@@ -183,7 +186,10 @@ class IAM < Mapper
183
186
  end
184
187
  rescue Aws::IAM::Errors::ServiceError => e
185
188
  log_error(e.code)
186
- raise e unless suppressed_errors.include?(e.code)
189
+
190
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
191
+ raise e
192
+ end
187
193
  end
188
194
 
189
195
  resources
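Review bot: The same five-line rescue body — `log_error(e.code)`, then `unless suppressed_errors.include?(e.code) && !@options.quit_on_exception` / `raise e` / `end` — is pasted into both IAM hunks and, judging by the rest of this diff, into ECR, KMS, Organizations, S3, SecurityHub, ServiceQuotas, Shield and Support as well (ServiceQuotas with a slightly different `log_error` call). Which API failures are tolerated and hidden is a security-relevant policy and should live in one place; a helper on the `Mapper` base class such as `raise_unless_suppressed(e)` that performs the logging and the quit-on-exception check would reduce each clause to `rescue Aws::IAM::Errors::ServiceError => e` / `raise_unless_suppressed(e)` and make a later change (for instance emitting a structured access-denied finding) a single edit. The methods these rescues belong to start and end outside the hunks.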
@@ -29,7 +29,10 @@ class KMS < Mapper
29
29
  .key_rotation_enabled
30
30
  rescue Aws::KMS::Errors::ServiceError => e
31
31
  log_error(e.code)
32
- raise e unless suppressed_errors.include?(e.code)
32
+
33
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
34
+ raise e
35
+ end
33
36
  end
34
37
 
35
38
  # list_grants
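Review bot: The condition `unless suppressed_errors.include?(e.code) && !@options.quit_on_exception` pairs `unless` with a compound `&&` whose second operand is itself negated, so a reader has to apply two inversions to work out when the error propagates; the Ruby style guide discourages `unless` over compound conditions for this reason. A named predicate reads directly: `tolerated = suppressed_errors.include?(e.code) && !@options.quit_on_exception` followed by `raise e unless tolerated` (a bare `raise` inside the rescue re-raises the same exception and is the idiomatic form). The enclosing method continues past both edges of this hunk.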
@@ -48,7 +48,10 @@ class Organizations < Mapper
48
48
  end
49
49
  rescue Aws::Organizations::Errors::ServiceError => e
50
50
  log_error(e.code)
51
- raise e unless suppressed_errors.include?(e.code)
51
+
52
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
53
+ raise e
54
+ end
52
55
  end
53
56
 
54
57
  resources
@@ -38,6 +38,8 @@ class RDS < Mapper
38
38
  struct.arn = instance.db_instance_arn
39
39
  struct.parent_id = instance.db_cluster_identifier
40
40
 
41
+ # TODO: describe_db_snapshots here (with public flag)
42
+
41
43
  resources.push(struct.to_h)
42
44
  end
43
45
  end
@@ -61,7 +61,11 @@ class S3 < Mapper
61
61
  end
62
62
 
63
63
  rescue Aws::S3::Errors::ServiceError => e
64
- raise e unless suppressed_errors.include?(e.code)
64
+ log_error(e.code)
65
+
66
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
67
+ raise e
68
+ end
65
69
  end
66
70
 
67
71
  resources.push(struct.to_h)
@@ -20,7 +20,10 @@ class SecurityHub < Mapper
20
20
  end
21
21
  rescue Aws::SecurityHub::Errors::ServiceError => e
22
22
  log_error(e.code)
23
- raise e unless suppressed_errors.include?(e.code)
23
+
24
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
25
+ raise e
26
+ end
24
27
  end
25
28
 
26
29
  resources
@@ -27,7 +27,10 @@ class ServiceQuotas < Mapper
27
27
  end
28
28
  rescue Aws::ServiceQuotas::Errors::ServiceError => e
29
29
  log_error(e.code, service)
30
- raise e unless suppressed_errors.include?(e.code)
30
+
31
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
32
+ raise e
33
+ end
31
34
  end
32
35
 
33
36
  resources
@@ -51,7 +51,10 @@ class Shield < Mapper
51
51
  resources
52
52
  rescue Aws::Shield::Errors::ServiceError => e
53
53
  log_error(e.code)
54
- raise e unless suppressed_errors.include?(e.code)
54
+
55
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
56
+ raise e
57
+ end
55
58
 
56
59
  [] # no access or service isn't enabled
57
60
  end
@@ -27,7 +27,10 @@ class Support < Mapper
27
27
  resources
28
28
  rescue Aws::Support::Errors::ServiceError => e
29
29
  log_error(e.code)
30
- raise e unless suppressed_errors.include?(e.code)
30
+
31
+ unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
32
+ raise e
33
+ end
31
34
 
32
35
  [] # no Support subscription
33
36
  end
@@ -20,6 +20,7 @@ class Parser
20
20
  :skip_credential_report,
21
21
  :stream_output,
22
22
  :verbose,
23
+ :quit_on_exception,
23
24
  :debug
24
25
  )
25
26
 
@@ -47,6 +48,7 @@ class Parser
47
48
  false,
48
49
  false,
49
50
  false,
51
+ false,
50
52
  false
51
53
  )
52
54
 
@@ -135,6 +137,11 @@ class Parser
135
137
  args.verbose = true unless args.stream_output
136
138
  end
137
139
 
140
+ # re-raise exceptions
141
+ opts.on('-q', '--quit-on-exception', 'Stop collection if an API error is encountered (default: false)') do
142
+ args.quit_on_exception = true
143
+ end
144
+
138
145
  # debug
139
146
  opts.on('-d', '--debug', 'Output debug with wire trace info') do
140
147
  unless args.stream_output
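Review bot: The help text for `-q` says "Stop collection if an API error is encountered", but in the mappers changed by this diff a non-suppressed `ServiceError` already stops collection without the flag; what `-q` actually changes is that errors in a mapper's `suppressed_errors` list (for CodePipeline, `AccessDeniedException`) are no longer tolerated. Saying so makes the operational trade-off visible to whoever runs the tool: `opts.on('-q', '--quit-on-exception', 'Stop on any API error, including ones normally tolerated such as AccessDeniedException (default: false)')`. The new field and its positional `false` default are in separate hunks of what appears to be a `Struct` with positional defaults, so the field order and the defaults list must be kept aligned by hand; a keyword-based construction would remove that hazard, though that definition is outside this hunk.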
@@ -12,8 +12,13 @@
12
12
  alias: config
13
13
  - name: CodeBuild
14
14
  alias: codebuild
15
+ excluded_regions:
16
+ - af-south-1
15
17
  - name: CodePipeline
16
18
  alias: codepipeline
19
+ excluded_regions:
20
+ - af-south-1
21
+ - me-south-1
17
22
  - name: AutoScaling
18
23
  alias: autoscaling
19
24
  - name: CloudTrail
@@ -94,12 +99,17 @@
94
99
  - eu-north-1
95
100
  - eu-west-3
96
101
  - us-west-1
102
+ - ap-east-1
103
+ - af-south-1
104
+ - eu-south-1
97
105
  - name: CloudWatch
98
106
  alias: cloudwatch
99
107
  - name: CloudWatchLogs
100
108
  alias: cloudwatchlogs
101
109
  - name: Kafka
102
110
  alias: kafka
111
+ excluded_regions:
112
+ - af-south-1
103
113
  - name: SecretsManager
104
114
  alias: sm
105
115
  - name: SecurityHub
@@ -125,6 +135,10 @@
125
135
  - eu-north-1
126
136
  - us-west-1
127
137
  - sa-east-1
138
+ - ap-east-1
139
+ - af-south-1
140
+ - eu-south-1
141
+ - me-south-1
128
142
  - name: WorkSpaces
129
143
  alias: workspaces
130
144
  excluded_regions:
@@ -133,12 +147,21 @@
133
147
  - eu-west-3
134
148
  - us-east-2
135
149
  - us-west-1
150
+ - ap-east-1
151
+ - af-south-1
152
+ - eu-south-1
153
+ - me-south-1
136
154
  - name: SageMaker
137
155
  alias: sagemaker
138
156
  - name: ServiceQuotas
139
157
  alias: servicequotas
140
158
  - name: Transfer
141
159
  alias: transfer
160
+ excluded_regions:
161
+ - ap-east-1
162
+ - af-south-1
163
+ - eu-south-1
164
+ - me-south-1
142
165
  - name: DirectConnect
143
166
  alias: dc
144
167
  - name: DirectoryService
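Review bot: The new `excluded_regions` entries for CodeBuild, CodePipeline, Kafka, Transfer and the other services carry no note on why each region is skipped, so a later reader cannot tell a "service not launched there" exclusion from a deliberate one, and the exclusion will silently outlive the condition that motivated it, leaving those regions uninventoried. Add a YAML comment above each new block naming the reason and date, e.g. `# skipped: not available in this opt-in region as of 2020-12, revisit`, and consider having the collector log every region it skips so the report shows the coverage gap instead of hiding it. The four regions added here are the same opt-in regions the readme change in this diff ties to STS v2 tokens; if that is the actual reason for the exclusions, the comment should say so.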
@@ -1,3 +1,3 @@
1
1
  module AwsRecon
2
- VERSION = "0.2.24"
2
+ VERSION = "0.2.25"
3
3
  end
data/readme.md CHANGED
@@ -215,6 +215,20 @@ Usage: aws_recon [options]
215
215
 
216
216
  Output is always some form of JSON - either JSON lines or plain JSON. The output is either written to a file (the default), or written to stdout (with `-j`).
217
217
 
218
+ ## Support for Manually Enabled Regions
219
+
220
+ If you have enabled manually enabled regions:
221
+
222
+ - me-south-1 - Middle East (Bahrain)
223
+ - af-south-1 - Africa (Cape Town)
224
+ - ap-east-1 - Asia Pacific (Hong Kong)
225
+ - eu-south-1 - Europe (Milan)
226
+
227
+ and you are using STS to assume a role into an account, you will need to [enable v2 STS tokens](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the account you are assuming the role **from** to be able to run AWS Recon against those regions.
228
+
229
+ > Version 1 tokens are valid only in AWS Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens are longer and might affect systems where you temporarily store tokens.
230
+
231
+ If you are using a static access key/secret, you can collect from these regions with either `v1` or `v2` STS tokens.
218
232
 
219
233
  ## Supported Services & Resources
220
234
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws_recon
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.24
4
+ version: 0.2.25
5
5
  platform: ruby
6
6
  authors:
7
7
  - Josh Larsen
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2020-12-05 00:00:00.000000000 Z
12
+ date: 2020-12-06 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: aws-sdk