aws_recon 0.2.24 → 0.2.25
- checksums.yaml +4 -4
- data/lib/aws_recon/collectors/codepipeline.rb +26 -9
- data/lib/aws_recon/collectors/ecr.rb +5 -1
- data/lib/aws_recon/collectors/iam.rb +8 -2
- data/lib/aws_recon/collectors/kms.rb +4 -1
- data/lib/aws_recon/collectors/organizations.rb +4 -1
- data/lib/aws_recon/collectors/rds.rb +2 -0
- data/lib/aws_recon/collectors/s3.rb +5 -1
- data/lib/aws_recon/collectors/securityhub.rb +4 -1
- data/lib/aws_recon/collectors/servicequotas.rb +4 -1
- data/lib/aws_recon/collectors/shield.rb +4 -1
- data/lib/aws_recon/collectors/support.rb +4 -1
- data/lib/aws_recon/options.rb +7 -0
- data/lib/aws_recon/services.yaml +23 -0
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +14 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8786af60d08967c2203b1f4417480b135ae32b9a40ec05810afc9c2ae126f49d
|
4
|
+
data.tar.gz: fbd4741002a54dc15f2b2716dee6e1b6efcec48edfdf3e101d9c7bcb19105a4e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 2c11e60d61cf9fcf894b8e38cb136e934b03fd7e9ef1bd349ce27c41c9943e75cb146893d14374167d7f2eb73b40d97a901fbaebd6e6aee5ac93ef8095b1d0b4
|
7
|
+
data.tar.gz: 9510a49029fbc382fefc50ad8ae0de0351b6f8648a1044abbebdf695459ef5a4845014057618387549546876c10ea1eb09cba55f4692a0405f41b96810c0dce5
|
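--- a/data/lib/aws_recon/collectors/codepipeline.rb
+++ b/data/lib/aws_recon/collectors/codepipeline.rb
@@ -8,20 +8,37 @@ class CodePipeline < Mapper
 #
 # list_pipelines
 #
-
-
+begin
+@client.list_pipelines.each_with_index do |response, page|
+log(response.context.operation_name, page)
 
-
-
-
-
-
-
+# get_pipeline
+response.pipelines.each do |pipeline|
+resp = @client.get_pipeline(name: pipeline.name)
+struct = OpenStruct.new(resp.pipeline.to_h)
+struct.type = 'pipeline'
+struct.arn = resp.metadata.pipeline_arn
 
-
+resources.push(struct.to_h)
+end
+end
+rescue Aws::CodePipeline::Errors::ServiceError => e
+log_error(e.code)
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
 end
 end
 
 resources
 end
+
+private
+
+# not an error
+def suppressed_errors
+%w[
+AccessDeniedException
+]
+end
 end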
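--- a/data/lib/aws_recon/collectors/ecr.rb
+++ b/data/lib/aws_recon/collectors/ecr.rb
@@ -19,7 +19,11 @@ class ECR < Mapper
 .get_repository_policy({ repository_name: repo.repository_name }).policy_text.parse_policy
 
 rescue Aws::ECR::Errors::ServiceError => e
-
+log_error(e.code)
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 ensure
 resources.push(struct.to_h)
 end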
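--- a/data/lib/aws_recon/collectors/iam.rb
+++ b/data/lib/aws_recon/collectors/iam.rb
@@ -101,7 +101,10 @@ class IAM < Mapper
 end
 rescue Aws::IAM::Errors::ServiceError => e
 log_error(e.code)
-
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 end
 
 #
@@ -183,7 +186,10 @@ class IAM < Mapper
 end
 rescue Aws::IAM::Errors::ServiceError => e
 log_error(e.code)
-
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 end
 
 resources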
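--- a/data/lib/aws_recon/collectors/kms.rb
+++ b/data/lib/aws_recon/collectors/kms.rb
@@ -29,7 +29,10 @@ class KMS < Mapper
 .key_rotation_enabled
 rescue Aws::KMS::Errors::ServiceError => e
 log_error(e.code)
-
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 end
 
 # list_grants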
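--- a/data/lib/aws_recon/collectors/organizations.rb
+++ b/data/lib/aws_recon/collectors/organizations.rb
@@ -48,7 +48,10 @@ class Organizations < Mapper
 end
 rescue Aws::Organizations::Errors::ServiceError => e
 log_error(e.code)
-
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 end
 
 resources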
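--- a/data/lib/aws_recon/collectors/s3.rb
+++ b/data/lib/aws_recon/collectors/s3.rb
@@ -61,7 +61,11 @@ class S3 < Mapper
 end
 
 rescue Aws::S3::Errors::ServiceError => e
-
+log_error(e.code)
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 end
 
 resources.push(struct.to_h)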
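--- a/data/lib/aws_recon/collectors/securityhub.rb
+++ b/data/lib/aws_recon/collectors/securityhub.rb
@@ -20,7 +20,10 @@ class SecurityHub < Mapper
 end
 rescue Aws::SecurityHub::Errors::ServiceError => e
 log_error(e.code)
-
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 end
 
 resources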
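--- a/data/lib/aws_recon/collectors/servicequotas.rb
+++ b/data/lib/aws_recon/collectors/servicequotas.rb
@@ -27,7 +27,10 @@ class ServiceQuotas < Mapper
 end
 rescue Aws::ServiceQuotas::Errors::ServiceError => e
 log_error(e.code, service)
-
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 end
 
 resources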
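--- a/data/lib/aws_recon/collectors/shield.rb
+++ b/data/lib/aws_recon/collectors/shield.rb
@@ -51,7 +51,10 @@ class Shield < Mapper
 resources
 rescue Aws::Shield::Errors::ServiceError => e
 log_error(e.code)
-
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 
 [] # no access or service isn't enabled
 end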
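--- a/data/lib/aws_recon/collectors/support.rb
+++ b/data/lib/aws_recon/collectors/support.rb
@@ -27,7 +27,10 @@ class Support < Mapper
 resources
 rescue Aws::Support::Errors::ServiceError => e
 log_error(e.code)
-
+
+unless suppressed_errors.include?(e.code) && !@options.quit_on_exception
+raise e
+end
 
 [] # no Support subscription
 end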
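--- a/data/lib/aws_recon/options.rb
+++ b/data/lib/aws_recon/options.rb
@@ -20,6 +20,7 @@ class Parser
 :skip_credential_report,
 :stream_output,
 :verbose,
+:quit_on_exception,
 :debug
 )
 
@@ -47,6 +48,7 @@ class Parser
 false,
 false,
 false,
+false,
 false
 )
 
@@ -135,6 +137,11 @@ class Parser
 args.verbose = true unless args.stream_output
 end
 
+# re-raise exceptions
+opts.on('-q', '--quit-on-exception', 'Stop collection if an API error is encountered (default: false)') do
+args.quit_on_exception = true
+end
+
 # debug
 opts.on('-d', '--debug', 'Output debug with wire trace info') do
 unless args.stream_output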
data/lib/aws_recon/services.yaml
CHANGED
@@ -12,8 +12,13 @@
|
|
12
12
|
alias: config
|
13
13
|
- name: CodeBuild
|
14
14
|
alias: codebuild
|
15
|
+
excluded_regions:
|
16
|
+
- af-south-1
|
15
17
|
- name: CodePipeline
|
16
18
|
alias: codepipeline
|
19
|
+
excluded_regions:
|
20
|
+
- af-south-1
|
21
|
+
- me-south-1
|
17
22
|
- name: AutoScaling
|
18
23
|
alias: autoscaling
|
19
24
|
- name: CloudTrail
|
@@ -94,12 +99,17 @@
|
|
94
99
|
- eu-north-1
|
95
100
|
- eu-west-3
|
96
101
|
- us-west-1
|
102
|
+
- ap-east-1
|
103
|
+
- af-south-1
|
104
|
+
- eu-south-1
|
97
105
|
- name: CloudWatch
|
98
106
|
alias: cloudwatch
|
99
107
|
- name: CloudWatchLogs
|
100
108
|
alias: cloudwatchlogs
|
101
109
|
- name: Kafka
|
102
110
|
alias: kafka
|
111
|
+
excluded_regions:
|
112
|
+
- af-south-1
|
103
113
|
- name: SecretsManager
|
104
114
|
alias: sm
|
105
115
|
- name: SecurityHub
|
@@ -125,6 +135,10 @@
|
|
125
135
|
- eu-north-1
|
126
136
|
- us-west-1
|
127
137
|
- sa-east-1
|
138
|
+
- ap-east-1
|
139
|
+
- af-south-1
|
140
|
+
- eu-south-1
|
141
|
+
- me-south-1
|
128
142
|
- name: WorkSpaces
|
129
143
|
alias: workspaces
|
130
144
|
excluded_regions:
|
@@ -133,12 +147,21 @@
|
|
133
147
|
- eu-west-3
|
134
148
|
- us-east-2
|
135
149
|
- us-west-1
|
150
|
+
- ap-east-1
|
151
|
+
- af-south-1
|
152
|
+
- eu-south-1
|
153
|
+
- me-south-1
|
136
154
|
- name: SageMaker
|
137
155
|
alias: sagemaker
|
138
156
|
- name: ServiceQuotas
|
139
157
|
alias: servicequotas
|
140
158
|
- name: Transfer
|
141
159
|
alias: transfer
|
160
|
+
excluded_regions:
|
161
|
+
- ap-east-1
|
162
|
+
- af-south-1
|
163
|
+
- eu-south-1
|
164
|
+
- me-south-1
|
142
165
|
- name: DirectConnect
|
143
166
|
alias: dc
|
144
167
|
- name: DirectoryService
|
data/lib/aws_recon/version.rb
CHANGED
data/readme.md
CHANGED
@@ -215,6 +215,20 @@ Usage: aws_recon [options]
|
|
215
215
|
|
216
216
|
Output is always some form of JSON - either JSON lines or plain JSON. The output is either written to a file (the default), or written to stdout (with `-j`).
|
217
217
|
|
218
|
+
## Support for Manually Enabled Regions
|
219
|
+
|
220
|
+
If you have enabled manually enabled regions:
|
221
|
+
|
222
|
+
- me-south-1 - Middle East (Bahrain)
|
223
|
+
- af-south-1 - Africa (Cape Town)
|
224
|
+
- ap-east-1 - Asia Pacific (Hong Kong)
|
225
|
+
- eu-south-1 - Europe (Milan)
|
226
|
+
|
227
|
+
and you are using STS to assume a role into an account, you will need to [enable v2 STS tokens](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the account you are assuming the role **from** to be able to run AWS Recon against those regions.
|
228
|
+
|
229
|
+
> Version 1 tokens are valid only in AWS Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong). Version 2 tokens are valid in all Regions. However, version 2 tokens are longer and might affect systems where you temporarily store tokens.
|
230
|
+
|
231
|
+
If you are using a static access key/secret, you can collect from these regions with either `v1` or `v2` STS tokens.
|
218
232
|
|
219
233
|
## Supported Services & Resources
|
220
234
|
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws_recon
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.25
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Josh Larsen
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2020-12-
|
12
|
+
date: 2020-12-06 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: aws-sdk
|