aws_recon 0.3.5 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.rubocop.yml +0 -1
- data/lib/aws_recon/aws_recon.rb +38 -7
- data/lib/aws_recon/collectors.rb +3 -1
- data/lib/aws_recon/options.rb +8 -0
- data/lib/aws_recon/version.rb +1 -1
- data/readme.md +32 -7
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9647cee32c4df1624a99cf180258f43e664e7ee62b8ceee5fe00b8d6b31a2803
|
4
|
+
data.tar.gz: aca9a6383263ca7add32682df25a633ad9db031a50d2f38f319f903b6dd75c45
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 426acf5937d26974c7a7c5bc26e84487fe8b76cc28bf0f51a7302d05897356e7007b877e26a47cc3af7b54044ac45bec23b409b1b66bef0336aaa1216d340437
|
7
|
+
data.tar.gz: 790fd25c65d4fe49c2e3857f65cddb590ecfe9f481b923bcdf8def9007ddf1ccb0b16f616164e7472b43a75eebe77698146d3d2e46204af1085b276afedf2099
|
data/.rubocop.yml
CHANGED
data/lib/aws_recon/aws_recon.rb
CHANGED
@@ -34,9 +34,9 @@ module AwsRecon
|
|
34
34
|
# formatter
|
35
35
|
@formatter = Formatter.new
|
36
36
|
|
37
|
-
unless @options.stream_output
|
38
|
-
|
39
|
-
|
37
|
+
return unless @options.stream_output
|
38
|
+
|
39
|
+
puts "\nStarting collection with #{@options.threads} threads...\n"
|
40
40
|
end
|
41
41
|
|
42
42
|
#
|
@@ -72,7 +72,7 @@ module AwsRecon
|
|
72
72
|
#
|
73
73
|
# global services
|
74
74
|
#
|
75
|
-
@aws_services.map { |x| OpenStruct.new(x) }.filter
|
75
|
+
@aws_services.map { |x| OpenStruct.new(x) }.filter(&:global).each do |service|
|
76
76
|
# user included this service in the args
|
77
77
|
next unless @services.include?(service.name)
|
78
78
|
|
@@ -104,14 +104,45 @@ module AwsRecon
|
|
104
104
|
|
105
105
|
puts "\nStopped early after \x1b[32m#{elapsed.to_i}\x1b[0m seconds.\n"
|
106
106
|
ensure
|
107
|
+
elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - @starting
|
108
|
+
|
109
|
+
puts "\nFinished in \x1b[32m#{elapsed.to_i}\x1b[0m seconds.\n\n"
|
110
|
+
|
107
111
|
# write output file
|
108
112
|
if @options.output_file
|
109
|
-
|
110
|
-
|
111
|
-
puts "\nFinished in \x1b[32m#{elapsed.to_i}\x1b[0m seconds. Saving resources to \x1b[32m#{@options.output_file}\x1b[0m.\n\n"
|
113
|
+
puts "Saving resources to \x1b[32m#{@options.output_file}\x1b[0m.\n\n"
|
112
114
|
|
113
115
|
File.write(@options.output_file, @resources.to_json)
|
114
116
|
end
|
117
|
+
|
118
|
+
# write output file to S3 bucket
|
119
|
+
if @options.s3
|
120
|
+
t = Time.now.utc
|
121
|
+
|
122
|
+
s3_full_object_path = "AWSRecon/#{t.year}/#{t.month}/#{t.day}/#{@account_id}_aws_recon_#{t.to_i}.json.gz"
|
123
|
+
|
124
|
+
begin
|
125
|
+
# get bucket name (and region if not us-east-1)
|
126
|
+
s3_bucket, s3_region = @options.s3.split(':')
|
127
|
+
|
128
|
+
# build IO object and gzip it
|
129
|
+
io = StringIO.new
|
130
|
+
gzip_data = Zlib::GzipWriter.new(io)
|
131
|
+
gzip_data.write(@resources.to_json)
|
132
|
+
gzip_data.close
|
133
|
+
|
134
|
+
# send it to S3
|
135
|
+
s3_client = Aws::S3::Client.new(region: s3_region || 'us-east-1')
|
136
|
+
s3_resource = Aws::S3::Resource.new(client: s3_client)
|
137
|
+
obj = s3_resource.bucket(s3_bucket).object(s3_full_object_path)
|
138
|
+
obj.put(body: io.string)
|
139
|
+
|
140
|
+
puts "Saving resources to S3 \x1b[32ms3://#{s3_bucket}/#{s3_full_object_path}\x1b[0m\n\n"
|
141
|
+
rescue Aws::S3::Errors::ServiceError => e
|
142
|
+
puts "\x1b[35mError!\x1b[0m - could not save output S3 bucket\n\n"
|
143
|
+
puts "#{e.message} - #{e.code}\n"
|
144
|
+
end
|
145
|
+
end
|
115
146
|
end
|
116
147
|
end
|
117
148
|
end
|
data/lib/aws_recon/collectors.rb
CHANGED
data/lib/aws_recon/options.rb
CHANGED
@@ -6,6 +6,7 @@
|
|
6
6
|
class Parser
|
7
7
|
DEFAULT_CONFIG_FILE = nil
|
8
8
|
DEFAULT_OUTPUT_FILE = File.expand_path(File.join(Dir.pwd, 'output.json')).freeze
|
9
|
+
DEFAULT_S3_PATH = nil
|
9
10
|
SERVICES_CONFIG_FILE = File.join(File.dirname(__FILE__), 'services.yaml').freeze
|
10
11
|
DEFAULT_FORMAT = 'aws'
|
11
12
|
DEFAULT_THREADS = 8
|
@@ -15,6 +16,7 @@ class Parser
|
|
15
16
|
:regions,
|
16
17
|
:services,
|
17
18
|
:config_file,
|
19
|
+
:s3,
|
18
20
|
:output_file,
|
19
21
|
:output_format,
|
20
22
|
:threads,
|
@@ -43,6 +45,7 @@ class Parser
|
|
43
45
|
aws_regions,
|
44
46
|
aws_services.map { |service| service[:name] },
|
45
47
|
DEFAULT_CONFIG_FILE,
|
48
|
+
DEFAULT_S3_PATH,
|
46
49
|
DEFAULT_OUTPUT_FILE,
|
47
50
|
DEFAULT_FORMAT,
|
48
51
|
DEFAULT_THREADS,
|
@@ -93,6 +96,11 @@ class Parser
|
|
93
96
|
args.config_file = config
|
94
97
|
end
|
95
98
|
|
99
|
+
# write output file to S3 bucket
|
100
|
+
opts.on('-b', '--s3-bucket [BUCKET:REGION]', 'Write output file to S3 bucket (default: \'\')') do |bucket_with_region|
|
101
|
+
args.s3 = bucket_with_region
|
102
|
+
end
|
103
|
+
|
96
104
|
# output file
|
97
105
|
opts.on('-o', '--output [OUTPUT]', 'Specify output file (default: output.json)') do |output|
|
98
106
|
args.output_file = File.expand_path(File.join(Dir.pwd, output))
|
data/lib/aws_recon/version.rb
CHANGED
data/readme.md
CHANGED
@@ -5,9 +5,9 @@
|
|
5
5
|
|
6
6
|
A multi-threaded AWS inventory collection tool.
|
7
7
|
|
8
|
-
|
8
|
+
This tool was created to facilitate efficient collection of a large amount of AWS resource attributes and metadata. It aims to collect nearly everything that is relevant to the security configuration and posture of an AWS environment.
|
9
9
|
|
10
|
-
Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity
|
10
|
+
Existing tools (e.g. [AWS Config](https://aws.amazon.com/config)) that do some form of resource collection lack the coverage and specificity to accurately measure security posture (e.g. detailed attribute data and full policy documents).
|
11
11
|
|
12
12
|
Enter AWS Recon, multi-threaded AWS inventory collection tool written in plain Ruby. Though Python tends to dominate the AWS tooling landscape, the [Ruby SDK](https://aws.amazon.com/sdk-for-ruby/) has a few convenient advantages over the [other](https://aws.amazon.com/sdk-for-node-js/) [AWS](https://aws.amazon.com/sdk-for-python/) [SDKs](https://aws.amazon.com/sdk-for-go/) we tested. Specifically, easy handling of automatic retries, paging of large responses, and - with some help - threading huge numbers of requests.
|
13
13
|
|
@@ -15,7 +15,7 @@ Enter AWS Recon, multi-threaded AWS inventory collection tool written in plain R
|
|
15
15
|
|
16
16
|
- More complete resource coverage than available tools (especially for ECS & EKS)
|
17
17
|
- More granular resource detail, including nested related resources in the output
|
18
|
-
- Flexible output (console, JSON lines, plain JSON, file, standard out)
|
18
|
+
- Flexible output (console, JSON lines, plain JSON, file, S3 bucket, and standard out)
|
19
19
|
- Efficient (multi-threaded, rate limited, automatic retries, and automatic result paging)
|
20
20
|
- Easy to maintain and extend
|
21
21
|
|
@@ -54,13 +54,13 @@ To run locally, first install the gem:
|
|
54
54
|
|
55
55
|
```
|
56
56
|
$ gem install aws_recon
|
57
|
-
Fetching aws_recon-0.
|
57
|
+
Fetching aws_recon-0.4.0.gem
|
58
58
|
Fetching aws-sdk-3.0.1.gem
|
59
59
|
Fetching parallel-1.20.1.gem
|
60
60
|
...
|
61
61
|
Successfully installed aws-sdk-3.0.1
|
62
62
|
Successfully installed parallel-1.20.1
|
63
|
-
Successfully installed aws_recon-0.
|
63
|
+
Successfully installed aws_recon-0.4.0
|
64
64
|
```
|
65
65
|
|
66
66
|
Or add it to your Gemfile using `bundle`:
|
@@ -72,7 +72,7 @@ Resolving dependencies...
|
|
72
72
|
...
|
73
73
|
Using aws-sdk 3.0.1
|
74
74
|
Using parallel-1.20.1
|
75
|
-
Using aws_recon 0.
|
75
|
+
Using aws_recon 0.4.0
|
76
76
|
```
|
77
77
|
|
78
78
|
## Usage
|
@@ -158,13 +158,37 @@ Finished in 46 seconds. Saving resources to output.json.
|
|
158
158
|
#### Example command line options
|
159
159
|
|
160
160
|
```
|
161
|
+
# collect S3 and EC2 global resources, as well as us-east-1 and us-east-2
|
162
|
+
|
161
163
|
$ AWS_PROFILE=<profile> aws_recon -s S3,EC2 -r global,us-east-1,us-east-2
|
162
164
|
```
|
163
165
|
|
164
166
|
```
|
167
|
+
# collect S3 and EC2 global resources, as well as us-east-1 and us-east-2
|
168
|
+
|
165
169
|
$ AWS_PROFILE=<profile> aws_recon --services S3,EC2 --regions global,us-east-1,us-east-2
|
166
170
|
```
|
167
171
|
|
172
|
+
```
|
173
|
+
# save output to S3 bucket
|
174
|
+
|
175
|
+
$ AWS_PROFILE=<profile> aws_recon \
|
176
|
+
--services S3,EC2 \
|
177
|
+
--regions global,us-east-1,us-east-2 \
|
178
|
+
--verbose \
|
179
|
+
--s3-bucket my-recon-bucket
|
180
|
+
```
|
181
|
+
|
182
|
+
```
|
183
|
+
# save output to S3 bucket with a home region other than us-east-1
|
184
|
+
|
185
|
+
$ AWS_PROFILE=<profile> aws_recon \
|
186
|
+
--services S3,EC2 \
|
187
|
+
--regions global,us-east-1,us-east-2 \
|
188
|
+
--verbose \
|
189
|
+
--s3-bucket my-recon-bucket:us-west-2
|
190
|
+
```
|
191
|
+
|
168
192
|
Example [OpenCSPM](https://github.com/OpenCSPM/opencspm) formatted (NDJSON) output.
|
169
193
|
|
170
194
|
```
|
@@ -225,7 +249,7 @@ Most users will want to limit collection to relevant services and regions. Runni
|
|
225
249
|
```
|
226
250
|
$ aws_recon -h
|
227
251
|
|
228
|
-
AWS Recon - AWS Inventory Collector (0.
|
252
|
+
AWS Recon - AWS Inventory Collector (0.4.0)
|
229
253
|
|
230
254
|
Usage: aws_recon [options]
|
231
255
|
-r, --regions [REGIONS] Regions to scan, separated by comma (default: all)
|
@@ -233,6 +257,7 @@ Usage: aws_recon [options]
|
|
233
257
|
-s, --services [SERVICES] Services to scan, separated by comma (default: all)
|
234
258
|
-x, --not-services [SERVICES] Services to skip, separated by comma (default: none)
|
235
259
|
-c, --config [CONFIG] Specify config file for services & regions (e.g. config.yaml)
|
260
|
+
-b, --s3-bucket [BUCKET:REGION] Write output file to S3 bucket (default: '')
|
236
261
|
-o, --output [OUTPUT] Specify output file (default: output.json)
|
237
262
|
-f, --format [FORMAT] Specify output format (default: aws)
|
238
263
|
-t, --threads [THREADS] Specify max threads (default: 8, max: 128)
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws_recon
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Josh Larsen
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2021-03-
|
12
|
+
date: 2021-03-30 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: aws-sdk
|