aws_recon 0.2.8 → 0.2.9
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Dockerfile +1 -1
- data/LICENSE.txt +1 -1
- data/binstub/aws_recon +0 -0
- data/lib/aws_recon/collectors/iam.rb +39 -16
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +24 -16
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 748e27233aa80e92e6f74f5685c9620315a649cc425c96186d234650b7c56242
|
|
4
|
+
data.tar.gz: ebb4fd703ffa348040d6659b9095c5a8c5ac49e60707f08958a84f43fa46440c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8bf432c66917846ca2982d566b570d8b1930dff31168847732132ca033c679c9595b2c0729e6d48da13814ef84e76ec4809af288ebb6097e27183b224d8cf30e
|
|
7
|
+
data.tar.gz: cd2694d0a363bf37ad38e0ec1c3d0f1dfd9488e85541169ba2cf3c56a078ce9088406e4f58d8dee2b3b87240969532d8dfaf87fa666413cf2c55da69eeeaea9d
|
data/Dockerfile
CHANGED
|
@@ -11,7 +11,7 @@ ARG BUNDLER_VERSION=2.1.4
|
|
|
11
11
|
# Install new Bundler version
|
|
12
12
|
RUN rm /usr/local/lib/ruby/gems/*/specifications/default/bundler-*.gemspec && \
|
|
13
13
|
gem uninstall bundler && \
|
|
14
|
-
gem install bundler -v $BUNDLER_VERSION
|
|
14
|
+
gem install bundler -v ${BUNDLER_VERSION}
|
|
15
15
|
|
|
16
16
|
# Install gem
|
|
17
17
|
RUN gem install ${GEM} -v ${VERSION}
|
data/LICENSE.txt
CHANGED
data/binstub/aws_recon
CHANGED
|
File without changes
|
|
@@ -10,7 +10,10 @@ class IAM < Mapper
|
|
|
10
10
|
# list_mfa_devices
|
|
11
11
|
# list_ssh_public_keys
|
|
12
12
|
#
|
|
13
|
-
|
|
13
|
+
opts = {
|
|
14
|
+
filter: %w[User Role Group LocalManagedPolicy AWSManagedPolicy]
|
|
15
|
+
}
|
|
16
|
+
@client.get_account_authorization_details(opts).each_with_index do |response, page|
|
|
14
17
|
log(response.context.operation_name, page)
|
|
15
18
|
|
|
16
19
|
# users
|
|
@@ -19,6 +22,14 @@ class IAM < Mapper
|
|
|
19
22
|
struct.type = 'user'
|
|
20
23
|
struct.mfa_devices = @client.list_mfa_devices({ user_name: user.user_name }).mfa_devices.map(&:to_h)
|
|
21
24
|
struct.ssh_keys = @client.list_ssh_public_keys({ user_name: user.user_name }).ssh_public_keys.map(&:to_h)
|
|
25
|
+
struct.user_policy_list = if user.user_policy_list
|
|
26
|
+
user.user_policy_list.map do |p|
|
|
27
|
+
{
|
|
28
|
+
policy_name: p.policy_name,
|
|
29
|
+
policy_document: JSON.parse(CGI.unescape(p.policy_document))
|
|
30
|
+
}
|
|
31
|
+
end
|
|
32
|
+
end
|
|
22
33
|
|
|
23
34
|
resources.push(struct.to_h)
|
|
24
35
|
end
|
|
@@ -27,6 +38,14 @@ class IAM < Mapper
|
|
|
27
38
|
response.group_detail_list.each do |group|
|
|
28
39
|
struct = OpenStruct.new(group.to_h)
|
|
29
40
|
struct.type = 'group'
|
|
41
|
+
struct.group_policy_list = if group.group_policy_list
|
|
42
|
+
group.group_policy_list.map do |p|
|
|
43
|
+
{
|
|
44
|
+
policy_name: p.policy_name,
|
|
45
|
+
policy_document: JSON.parse(CGI.unescape(p.policy_document))
|
|
46
|
+
}
|
|
47
|
+
end
|
|
48
|
+
end
|
|
30
49
|
|
|
31
50
|
resources.push(struct.to_h)
|
|
32
51
|
end
|
|
@@ -35,6 +54,15 @@ class IAM < Mapper
|
|
|
35
54
|
response.role_detail_list.each do |role|
|
|
36
55
|
struct = OpenStruct.new(role.to_h)
|
|
37
56
|
struct.type = 'role'
|
|
57
|
+
struct.assume_role_policy_document = JSON.parse(CGI.unescape(role.assume_role_policy_document))
|
|
58
|
+
struct.role_policy_list = if role.role_policy_list
|
|
59
|
+
role.role_policy_list.map do |p|
|
|
60
|
+
{
|
|
61
|
+
policy_name: p.policy_name,
|
|
62
|
+
policy_document: JSON.parse(CGI.unescape(p.policy_document))
|
|
63
|
+
}
|
|
64
|
+
end
|
|
65
|
+
end
|
|
38
66
|
|
|
39
67
|
resources.push(struct.to_h)
|
|
40
68
|
end
|
|
@@ -43,21 +71,16 @@ class IAM < Mapper
|
|
|
43
71
|
response.policies.each do |policy|
|
|
44
72
|
struct = OpenStruct.new(policy.to_h)
|
|
45
73
|
struct.type = 'policy'
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
# managed policies
|
|
58
|
-
response.policies.each do |policy|
|
|
59
|
-
struct = OpenStruct.new(policy.to_h)
|
|
60
|
-
struct.type = 'managed_policy'
|
|
74
|
+
struct.policy_version_list = if policy.policy_version_list
|
|
75
|
+
policy.policy_version_list.map do |p|
|
|
76
|
+
{
|
|
77
|
+
version_id: p.version_id,
|
|
78
|
+
document: JSON.parse(CGI.unescape(p.document)),
|
|
79
|
+
is_default_version: p.is_default_version,
|
|
80
|
+
create_date: p.create_date
|
|
81
|
+
}
|
|
82
|
+
end
|
|
83
|
+
end
|
|
61
84
|
|
|
62
85
|
resources.push(struct.to_h)
|
|
63
86
|
end
|
data/lib/aws_recon/version.rb
CHANGED
data/readme.md
CHANGED
|
@@ -32,14 +32,14 @@ To run locally, first install the gem:
|
|
|
32
32
|
|
|
33
33
|
```
|
|
34
34
|
$ gem install aws_recon
|
|
35
|
-
Fetching aws_recon-0.2.
|
|
35
|
+
Fetching aws_recon-0.2.8.gem
|
|
36
36
|
Fetching aws-sdk-resources-3.76.0.gem
|
|
37
37
|
Fetching aws-sdk-3.0.1.gem
|
|
38
38
|
Fetching parallel-1.19.2.gem
|
|
39
39
|
...
|
|
40
40
|
Successfully installed aws-sdk-3.0.1
|
|
41
41
|
Successfully installed parallel-1.19.2
|
|
42
|
-
Successfully installed aws_recon-0.2.
|
|
42
|
+
Successfully installed aws_recon-0.2.8
|
|
43
43
|
```
|
|
44
44
|
|
|
45
45
|
Or add it to your Gemfile using `bundle`:
|
|
@@ -51,20 +51,20 @@ Resolving dependencies...
|
|
|
51
51
|
...
|
|
52
52
|
Using aws-sdk 3.0.1
|
|
53
53
|
Using parallel 1.19.2
|
|
54
|
-
Using aws_recon 0.2.
|
|
54
|
+
Using aws_recon 0.2.8
|
|
55
55
|
```
|
|
56
56
|
|
|
57
57
|
To run via a Docker a container, pass the necessary AWS credentials into the Docker `run` command. For example:
|
|
58
58
|
|
|
59
59
|
```
|
|
60
|
-
$ docker run --rm \
|
|
60
|
+
$ docker run -t --rm \
|
|
61
61
|
-e AWS_REGION \
|
|
62
62
|
-e AWS_ACCESS_KEY_ID \
|
|
63
63
|
-e AWS_SECRET_ACCESS_KEY \
|
|
64
64
|
-e AWS_SESSION_TOKEN \
|
|
65
65
|
-v $(pwd)/output.json:/recon/output.json \
|
|
66
|
-
aws_recon:latest \
|
|
67
|
-
aws_recon -v -s EC2 -r us-east-1,us-east-2
|
|
66
|
+
darkbitio/aws_recon:latest \
|
|
67
|
+
aws_recon -v -s EC2 -r global,us-east-1,us-east-2
|
|
68
68
|
```
|
|
69
69
|
|
|
70
70
|
|
|
@@ -82,29 +82,37 @@ Plain environment variables will work fine too.
|
|
|
82
82
|
$ AWS_PROFILE=<profile> aws_recon
|
|
83
83
|
```
|
|
84
84
|
|
|
85
|
-
To run from a Docker container using `aws-vault` managed credentials (output to
|
|
85
|
+
To run from a Docker container using `aws-vault` managed credentials (output to stdout):
|
|
86
86
|
|
|
87
87
|
```
|
|
88
|
-
$ aws-vault exec
|
|
88
|
+
$ aws-vault exec <vault_profile> -- docker run -t --rm \
|
|
89
89
|
-e AWS_REGION \
|
|
90
90
|
-e AWS_ACCESS_KEY_ID \
|
|
91
91
|
-e AWS_SECRET_ACCESS_KEY \
|
|
92
92
|
-e AWS_SESSION_TOKEN \
|
|
93
|
-
|
|
94
|
-
aws_recon
|
|
95
|
-
aws_recon -s EC2 -v -r us-east-1,us-east-2
|
|
93
|
+
darkbitio/aws_recon:latest \
|
|
94
|
+
aws_recon -j -s EC2 -r global,us-east-1,us-east-2
|
|
96
95
|
```
|
|
97
96
|
|
|
98
|
-
To run from a Docker container using `aws-vault` managed credentials
|
|
97
|
+
To run from a Docker container using `aws-vault` managed credentials and output to a file, you will need to satisfy a couple of requirements. First, Docker needs access to bind mount the path you specify (or a parent path above). Second, you need to create an empty file to save the output into (e.g. `output.json`). This is because we are only mounting that one file into the Docker container at run time. For example:
|
|
99
98
|
|
|
99
|
+
Create an empty file.
|
|
100
|
+
|
|
101
|
+
```
|
|
102
|
+
$ touch output.json
|
|
100
103
|
```
|
|
101
|
-
|
|
104
|
+
|
|
105
|
+
Run the `aws_recon` container, specifying the output file.
|
|
106
|
+
|
|
107
|
+
```
|
|
108
|
+
$ aws-vault exec <vault_profile> -- docker run -t --rm \
|
|
102
109
|
-e AWS_REGION \
|
|
103
110
|
-e AWS_ACCESS_KEY_ID \
|
|
104
111
|
-e AWS_SECRET_ACCESS_KEY \
|
|
105
112
|
-e AWS_SESSION_TOKEN \
|
|
106
|
-
|
|
107
|
-
aws_recon
|
|
113
|
+
-v $(pwd)/output.json:/recon/output.json \
|
|
114
|
+
darkbitio/aws_recon:latest \
|
|
115
|
+
aws_recon -s EC2 -v -r global,us-east-1,us-east-2
|
|
108
116
|
```
|
|
109
117
|
|
|
110
118
|
You may want to use the `-v` or `--verbose` flag initially to see status and activity while collection is running.
|
|
@@ -176,7 +184,7 @@ Most users will want to limit collection to relevant services and regions. Runni
|
|
|
176
184
|
```
|
|
177
185
|
$ aws_recon -h
|
|
178
186
|
|
|
179
|
-
AWS Recon - AWS Inventory Collector (0.2.
|
|
187
|
+
AWS Recon - AWS Inventory Collector (0.2.8)
|
|
180
188
|
|
|
181
189
|
Usage: aws_recon [options]
|
|
182
190
|
-r, --regions [REGIONS] Regions to scan, separated by comma (default: all)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws_recon
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Josh Larsen
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2020-11-
|
|
12
|
+
date: 2020-11-10 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: aws-sdk
|