aws_recon 0.3.5 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +0 -1
- data/lib/aws_recon/aws_recon.rb +38 -7
- data/lib/aws_recon/collectors.rb +3 -1
- data/lib/aws_recon/options.rb +8 -0
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +32 -7
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9647cee32c4df1624a99cf180258f43e664e7ee62b8ceee5fe00b8d6b31a2803
|
|
4
|
+
data.tar.gz: aca9a6383263ca7add32682df25a633ad9db031a50d2f38f319f903b6dd75c45
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 426acf5937d26974c7a7c5bc26e84487fe8b76cc28bf0f51a7302d05897356e7007b877e26a47cc3af7b54044ac45bec23b409b1b66bef0336aaa1216d340437
|
|
7
|
+
data.tar.gz: 790fd25c65d4fe49c2e3857f65cddb590ecfe9f481b923bcdf8def9007ddf1ccb0b16f616164e7472b43a75eebe77698146d3d2e46204af1085b276afedf2099
|
data/.rubocop.yml
CHANGED
data/lib/aws_recon/aws_recon.rb
CHANGED
|
@@ -34,9 +34,9 @@ module AwsRecon
|
|
|
34
34
|
# formatter
|
|
35
35
|
@formatter = Formatter.new
|
|
36
36
|
|
|
37
|
-
unless @options.stream_output
|
|
38
|
-
|
|
39
|
-
|
|
37
|
+
return unless @options.stream_output
|
|
38
|
+
|
|
39
|
+
puts "\nStarting collection with #{@options.threads} threads...\n"
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
#
|
|
@@ -72,7 +72,7 @@ module AwsRecon
|
|
|
72
72
|
#
|
|
73
73
|
# global services
|
|
74
74
|
#
|
|
75
|
-
@aws_services.map { |x| OpenStruct.new(x) }.filter
|
|
75
|
+
@aws_services.map { |x| OpenStruct.new(x) }.filter(&:global).each do |service|
|
|
76
76
|
# user included this service in the args
|
|
77
77
|
next unless @services.include?(service.name)
|
|
78
78
|
|
|
@@ -104,14 +104,45 @@ module AwsRecon
|
|
|
104
104
|
|
|
105
105
|
puts "\nStopped early after \x1b[32m#{elapsed.to_i}\x1b[0m seconds.\n"
|
|
106
106
|
ensure
|
|
107
|
+
elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
|
|
108
|
+
|
|
109
|
+
puts "\nFinished in \x1b[32m#{elapsed.to_i}\x1b[0m seconds.\n\n"
|
|
110
|
+
|
|
107
111
|
# write output file
|
|
108
112
|
if @options.output_file
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
puts "\nFinished in \x1b[32m#{elapsed.to_i}\x1b[0m seconds. Saving resources to \x1b[32m#{@options.output_file}\x1b[0m.\n\n"
|
|
113
|
+
puts "Saving resources to \x1b[32m#{@options.output_file}\x1b[0m.\n\n"
|
|
112
114
|
|
|
113
115
|
File.write(@options.output_file, @resources.to_json)
|
|
114
116
|
end
|
|
117
|
+
|
|
118
|
+
# write output file to S3 bucket
|
|
119
|
+
if @options.s3
|
|
120
|
+
t = Time.now.utc
|
|
121
|
+
|
|
122
|
+
s3_full_object_path = "AWSRecon/#{t.year}/#{t.month}/#{t.day}/#{@account_id}_aws_recon_#{t.to_i}.json.gz"
|
|
123
|
+
|
|
124
|
+
begin
|
|
125
|
+
# get bucket name (and region if not us-east-1)
|
|
126
|
+
s3_bucket, s3_region = @options.s3.split(':')
|
|
127
|
+
|
|
128
|
+
# build IO object and gzip it
|
|
129
|
+
io = StringIO.new
|
|
130
|
+
gzip_data = Zlib::GzipWriter.new(io)
|
|
131
|
+
gzip_data.write(@resources.to_json)
|
|
132
|
+
gzip_data.close
|
|
133
|
+
|
|
134
|
+
# send it to S3
|
|
135
|
+
s3_client = Aws::S3::Client.new(region: s3_region || 'us-east-1')
|
|
136
|
+
s3_resource = Aws::S3::Resource.new(client: s3_client)
|
|
137
|
+
obj = s3_resource.bucket(s3_bucket).object(s3_full_object_path)
|
|
138
|
+
obj.put(body: io.string)
|
|
139
|
+
|
|
140
|
+
puts "Saving resources to S3 \x1b[32ms3://#{s3_bucket}/#{s3_full_object_path}\x1b[0m\n\n"
|
|
141
|
+
rescue Aws::S3::Errors::ServiceError => e
|
|
142
|
+
puts "\x1b[35mError!\x1b[0m - could not save output S3 bucket\n\n"
|
|
143
|
+
puts "#{e.message} - #{e.code}\n"
|
|
144
|
+
end
|
|
145
|
+
end
|
|
115
146
|
end
|
|
116
147
|
end
|
|
117
148
|
end
|
data/lib/aws_recon/collectors.rb
CHANGED
data/lib/aws_recon/options.rb
CHANGED
|
@@ -6,6 +6,7 @@
|
|
|
6
6
|
class Parser
|
|
7
7
|
DEFAULT_CONFIG_FILE = nil
|
|
8
8
|
DEFAULT_OUTPUT_FILE = File.expand_path(File.join(Dir.pwd, 'output.json')).freeze
|
|
9
|
+
DEFAULT_S3_PATH = nil
|
|
9
10
|
SERVICES_CONFIG_FILE = File.join(File.dirname(__FILE__), 'services.yaml').freeze
|
|
10
11
|
DEFAULT_FORMAT = 'aws'
|
|
11
12
|
DEFAULT_THREADS = 8
|
|
@@ -15,6 +16,7 @@ class Parser
|
|
|
15
16
|
:regions,
|
|
16
17
|
:services,
|
|
17
18
|
:config_file,
|
|
19
|
+
:s3,
|
|
18
20
|
:output_file,
|
|
19
21
|
:output_format,
|
|
20
22
|
:threads,
|
|
@@ -43,6 +45,7 @@ class Parser
|
|
|
43
45
|
aws_regions,
|
|
44
46
|
aws_services.map { |service| service[:name] },
|
|
45
47
|
DEFAULT_CONFIG_FILE,
|
|
48
|
+
DEFAULT_S3_PATH,
|
|
46
49
|
DEFAULT_OUTPUT_FILE,
|
|
47
50
|
DEFAULT_FORMAT,
|
|
48
51
|
DEFAULT_THREADS,
|
|
@@ -93,6 +96,11 @@ class Parser
|
|
|
93
96
|
args.config_file = config
|
|
94
97
|
end
|
|
95
98
|
|
|
99
|
+
# write output file to S3 bucket
|
|
100
|
+
opts.on('-b', '--s3-bucket [BUCKET:REGION]', 'Write output file to S3 bucket (default: \'\')') do |bucket_with_region|
|
|
101
|
+
args.s3 = bucket_with_region
|
|
102
|
+
end
|
|
103
|
+
|
|
96
104
|
# output file
|
|
97
105
|
opts.on('-o', '--output [OUTPUT]', 'Specify output file (default: output.json)') do |output|
|
|
98
106
|
args.output_file = File.expand_path(File.join(Dir.pwd, output))
|
data/lib/aws_recon/version.rb
CHANGED
data/readme.md
CHANGED
|
@@ -5,9 +5,9 @@
|
|
|
5
5
|
|
|
6
6
|
A multi-threaded AWS inventory collection tool.
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
This tool was created to facilitate efficient collection of a large amount of AWS resource attributes and metadata. It aims to collect nearly everything that is relevant to the security configuration and posture of an AWS environment.
|
|
9
9
|
|
|
10
|
-
Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity
|
|
10
|
+
Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity to accurately measure security posture (e.g. detailed attribute data and full policy documents).
|
|
11
11
|
|
|
12
12
|
Enter AWS Recon, multi-threaded AWS inventory collection tool written in plain Ruby. Though Python tends to dominate the AWS tooling landscape, the [Ruby SDK](https://aws.amazon.com/sdk-for-ruby/) has a few convenient advantages over the [other](https://aws.amazon.com/sdk-for-node-js/) [AWS](https://aws.amazon.com/sdk-for-python/) [SDKs](https://aws.amazon.com/sdk-for-go/) we tested. Specifically, easy handling of automatic retries, paging of large responses, and - with some help - threading huge numbers of requests.
|
|
13
13
|
|
|
@@ -15,7 +15,7 @@ Enter AWS Recon, multi-threaded AWS inventory collection tool written in plain R
|
|
|
15
15
|
|
|
16
16
|
- More complete resource coverage than available tools (especially for ECS & EKS)
|
|
17
17
|
- More granular resource detail, including nested related resources in the output
|
|
18
|
-
- Flexible output (console, JSON lines, plain JSON, file, standard out)
|
|
18
|
+
- Flexible output (console, JSON lines, plain JSON, file, S3 bucket, and standard out)
|
|
19
19
|
- Efficient (multi-threaded, rate limited, automatic retries, and automatic result paging)
|
|
20
20
|
- Easy to maintain and extend
|
|
21
21
|
|
|
@@ -54,13 +54,13 @@ To run locally, first install the gem:
|
|
|
54
54
|
|
|
55
55
|
```
|
|
56
56
|
$ gem install aws_recon
|
|
57
|
-
Fetching aws_recon-0.
|
|
57
|
+
Fetching aws_recon-0.4.0.gem
|
|
58
58
|
Fetching aws-sdk-3.0.1.gem
|
|
59
59
|
Fetching parallel-1.20.1.gem
|
|
60
60
|
...
|
|
61
61
|
Successfully installed aws-sdk-3.0.1
|
|
62
62
|
Successfully installed parallel-1.20.1
|
|
63
|
-
Successfully installed aws_recon-0.
|
|
63
|
+
Successfully installed aws_recon-0.4.0
|
|
64
64
|
```
|
|
65
65
|
|
|
66
66
|
Or add it to your Gemfile using `bundle`:
|
|
@@ -72,7 +72,7 @@ Resolving dependencies...
|
|
|
72
72
|
...
|
|
73
73
|
Using aws-sdk 3.0.1
|
|
74
74
|
Using parallel-1.20.1
|
|
75
|
-
Using aws_recon 0.
|
|
75
|
+
Using aws_recon 0.4.0
|
|
76
76
|
```
|
|
77
77
|
|
|
78
78
|
## Usage
|
|
@@ -158,13 +158,37 @@ Finished in 46 seconds. Saving resources to output.json.
|
|
|
158
158
|
#### Example command line options
|
|
159
159
|
|
|
160
160
|
```
|
|
161
|
+
# collect S3 and EC2 global resources, as well as us-east-1 and us-east-2
|
|
162
|
+
|
|
161
163
|
$ AWS_PROFILE=<profile> aws_recon -s S3,EC2 -r global,us-east-1,us-east-2
|
|
162
164
|
```
|
|
163
165
|
|
|
164
166
|
```
|
|
167
|
+
# collect S3 and EC2 global resources, as well as us-east-1 and us-east-2
|
|
168
|
+
|
|
165
169
|
$ AWS_PROFILE=<profile> aws_recon --services S3,EC2 --regions global,us-east-1,us-east-2
|
|
166
170
|
```
|
|
167
171
|
|
|
172
|
+
```
|
|
173
|
+
# save output to S3 bucket
|
|
174
|
+
|
|
175
|
+
$ AWS_PROFILE=<profile> aws_recon \
|
|
176
|
+
--services S3,EC2 \
|
|
177
|
+
--regions global,us-east-1,us-east-2 \
|
|
178
|
+
--verbose \
|
|
179
|
+
--s3-bucket my-recon-bucket
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
```
|
|
183
|
+
# save output to S3 bucket with a home region other than us-east-1
|
|
184
|
+
|
|
185
|
+
$ AWS_PROFILE=<profile> aws_recon \
|
|
186
|
+
--services S3,EC2 \
|
|
187
|
+
--regions global,us-east-1,us-east-2 \
|
|
188
|
+
--verbose \
|
|
189
|
+
--s3-bucket my-recon-bucket:us-west-2
|
|
190
|
+
```
|
|
191
|
+
|
|
168
192
|
Example [OpenCSPM](https://github.com/OpenCSPM/opencspm) formatted (NDJSON) output.
|
|
169
193
|
|
|
170
194
|
```
|
|
@@ -225,7 +249,7 @@ Most users will want to limit collection to relevant services and regions. Runni
|
|
|
225
249
|
```
|
|
226
250
|
$ aws_recon -h
|
|
227
251
|
|
|
228
|
-
AWS Recon - AWS Inventory Collector (0.
|
|
252
|
+
AWS Recon - AWS Inventory Collector (0.4.0)
|
|
229
253
|
|
|
230
254
|
Usage: aws_recon [options]
|
|
231
255
|
-r, --regions [REGIONS] Regions to scan, separated by comma (default: all)
|
|
@@ -233,6 +257,7 @@ Usage: aws_recon [options]
|
|
|
233
257
|
-s, --services [SERVICES] Services to scan, separated by comma (default: all)
|
|
234
258
|
-x, --not-services [SERVICES] Services to skip, separated by comma (default: none)
|
|
235
259
|
-c, --config [CONFIG] Specify config file for services & regions (e.g. config.yaml)
|
|
260
|
+
-b, --s3-bucket [BUCKET:REGION] Write output file to S3 bucket (default: '')
|
|
236
261
|
-o, --output [OUTPUT] Specify output file (default: output.json)
|
|
237
262
|
-f, --format [FORMAT] Specify output format (default: aws)
|
|
238
263
|
-t, --threads [THREADS] Specify max threads (default: 8, max: 128)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws_recon
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Josh Larsen
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2021-03-
|
|
12
|
+
date: 2021-03-30 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: aws-sdk
|