def slurp(self):
"""
:returns: item_list - list of configs.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
for region in regions():
app.logger.debug(
"Checking {}/{}/{}".format(self.index, account, region.name))
if region.name not in AVAILABLE_REGIONS:
continue
try:
configService = connect(
account, 'boto3.config.client', region=region)
response = self.wrap_aws_rate_limited_call(
configService.describe_config_rules
)
config_rules = response.get('ConfigRules', [])
except Exception as e:
app.logger.debug("Exception found: {}".format(e))
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(
str(e), self.index, account, region.name)
self.slurp_exception(
(self.index, account, region.name), exc, exception_map)
continue
app.logger.debug("Found {} {}.".format(
len(config_rules), self.i_am_plural))
for config_rule in config_rules:
name = config_rule.get('ConfigRuleName')
if self.check_ignore_list(name):
continue
item_config = {
'config_rule': name,
'config_rule_arn': config_rule.get('ConfigRuleArn'),
'config_rule_id': config_rule.get('ConfigRuleId'),
'scope': config_rule.get('Scope', {}),
'source': config_rule.get('Source', {}),
'imput_parameters': config_rule.get('InputParameters'),
'maximum_execution_frequency': config_rule.get('MaximumExecutionFrequency'),
'config_rule_state': config_rule.get('ConfigRuleState'),
}
item = ConfigItem(
region=region.name, account=account, name=name,
arn=config_rule.get('ConfigRuleArn'), config=item_config)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS Cluster Snapshots.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
from security_monkey.common.sts_connect import connect
item_list = []
exception_map = {}
for account in self.accounts:
for region in regions():
app.logger.debug(
"Checking {}/{}/{}".format(self.index, account, region.name))
rds_cluster_snapshots = []
try:
rds = connect(account, 'boto3.rds.client', region=region)
marker = None
while True:
if marker:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_cluster_snapshots,
Marker=marker
)
else:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_cluster_snapshots
)
rds_cluster_snapshots.extend(
response.get('DBClusterSnapshots'))
if response.get('Marker'):
marker = response.get('Marker')
else:
break
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(
str(e), self.index, account, region.name)
self.slurp_exception(
(self.index, account, region.name), exc, exception_map)
continue
app.logger.debug("Found {} {}".format(
len(rds_cluster_snapshots), self.i_am_plural))
for cluster_snapshot in rds_cluster_snapshots:
name = cluster_snapshot.get('DBClusterSnapshotIdentifier')
if self.check_ignore_list(name):
continue
config = {
'db_cluster_snapshot_identifier': name,
'db_cluster_identifier': cluster_snapshot.get('DBClusterIdentifier'),
'snapshot_create_time': str(cluster_snapshot.get('SnapshotCreateTime')),
'availability_zones': cluster_snapshot.get('AvailabilityZones'),
'engine': cluster_snapshot.get('Engine'),
'allocated_storage': cluster_snapshot.get('AllocatedStorage'),
'status': cluster_snapshot.get('Status'),
'port': cluster_snapshot.get('Port'),
'vpc_id': cluster_snapshot.get('VpcId'),
'cluster_create_time': str(cluster_snapshot.get('ClusterCreateTime')),
'master_username': cluster_snapshot.get('MasterUsername'),
'engine_version': cluster_snapshot.get('EngineVersion'),
'license_model': cluster_snapshot.get('LicenseModel'),
'snapshot_type': cluster_snapshot.get('SnapshotType'),
'percent_progress': cluster_snapshot.get('PercentProgress'),
'storage_encrypted': cluster_snapshot.get('StorageEncrypted'),
'kms_key_id': cluster_snapshot.get('KmsKeyId')
}
item = RDSClusterSnapshotItem(
region=region.name, account=account, name=name, config=dict(config), source_watcher=self)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of configs.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
for region in regions():
app.logger.debug(
"Checking {}/{}/{}".format(self.index, account, region.name))
if region.name not in AVAILABLE_REGIONS:
continue
try:
configService = connect(
account, 'boto3.config.client', region=region)
app.logger.debug(
"Config policy is: {}".format(configService))
response = self.wrap_aws_rate_limited_call(
configService.describe_config_rules
)
config_rules = response.get('ConfigRules', [])
except Exception as e:
app.logger.debug("Exception found: {}".format(e))
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(
str(e), self.index, account, region.name)
self.slurp_exception(
(self.index, account, region.name), exc, exception_map)
continue
app.logger.debug("Found {} {}.".format(
len(config_rules), self.i_am_plural))
for config_rule in config_rules:
name = config_rule.get('ConfigRuleName')
if self.check_ignore_list(name):
continue
item_config = {
'config_rule': name,
'config_rule_arn': config_rule.get('ConfigRuleArn'),
'config_rule_id': config_rule.get('ConfigRuleId'),
'scope': config_rule.get('Scope', {}),
'source': config_rule.get('Source', {}),
'imput_parameters': config_rule.get('InputParameters'),
'maximum_execution_frequency': config_rule.get('MaximumExecutionFrequency'),
'config_rule_state': config_rule.get('ConfigRuleState'),
}
item = ConfigItem(
region=region.name, account=account, name=name,
arn=config_rule.get('ConfigRuleArn'), config=item_config)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS DB Clusters.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
for region in regions():
app.logger.debug("Checking {}/{}/{}".format(
self.index, account, region.name))
clusters = []
try:
rds = connect(account, 'boto3.rds.client', region=region)
marker = None
while True:
if marker:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_clusters, Marker=marker)
else:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_clusters)
clusters.extend(response.get('DBClusters', []))
if response.get('Marker'):
marker = response.get('Marker')
else:
break
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), self.index, account,
region.name)
self.slurp_exception(
(self.index, account, region.name), exc,
exception_map)
continue
app.logger.debug("Found {} {}".format(len(clusters),
self.i_am_plural))
for cluster in clusters:
name = cluster.get('DBClusterIdentifier')
if self.check_ignore_list(name):
continue
item_config = {
'name':
name,
'allocated_storage':
cluster.get('AllocatedStorage'),
'availability_zones':
cluster.get('AvailabilityZones'),
'backup_retention_period':
cluster.get('BackupRetentionPeriod'),
'character_set_name':
cluster.get('CharacterSetName'),
'database_name':
cluster.get('DatabaseName'),
'db_cluster_parameter_group':
cluster.get('DBClusterParameterGroup'),
'db_subnet_group':
cluster.get('DBSubnetGroup'),
'status':
cluster.get('Status'),
'percent_progress':
cluster.get('PercentProgress'),
'earliest_restorable_time':
str(cluster.get('EarliestRestorableTime')),
'endpoint':
cluster.get('Endpoint'),
'engine':
cluster.get('Engine'),
'engine_version':
cluster.get('EngineVersion'),
'latest_restorable_time':
str(cluster.get('LatestRestorableTime')),
'port':
cluster.get('Port'),
'master_username':
cluster.get('MasterUsername'),
'db_cluster_option_group_memberships':
cluster.get('DBClusterOptionGroupMemberships', []),
'preferred_backup_window':
cluster.get('PreferredBackupWindow'),
'preferred_maintenance_window':
cluster.get('PreferredMaintenanceWindow'),
'db_cluster_members':
cluster.get('DBClusterMembers', []),
'vpc_security_groups':
cluster.get('VpcSecurityGroups', []),
'hosted_zoneId':
cluster.get('HostedZoneId'),
'storage_encrypted':
cluster.get('StorageEncrypted', False),
'kms_key_id':
cluster.get('KmsKeyId'),
'db_cluster_resourceId':
cluster.get('DbClusterResourceId'),
'arn':
cluster.get('DBClusterArn')
}
item = RDSClusterItem(region=region.name,
account=account,
name=name,
arn=cluster.get('DBClusterArn'),
config=item_config)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS Security Groups.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
for region in regions():
app.logger.debug("Checking {}/{}/{}".format(
self.index, account, region.name))
sgs = []
try:
rds = connect(account, 'rds', region=region)
marker = None
while True:
response = self.wrap_aws_rate_limited_call(
rds.get_all_dbsecurity_groups, marker=marker)
sgs.extend(response)
if response.marker:
marker = response.marker
else:
break
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), self.index, account,
region.name)
self.slurp_exception(
(self.index, account, region.name), exc,
exception_map)
continue
app.logger.debug("Found {} {}".format(len(sgs),
self.i_am_plural))
for sg in sgs:
if self.check_ignore_list(sg.name):
continue
name = sg.name
vpc_id = None
if hasattr(sg, 'VpcId'):
vpc_id = sg.VpcId
name = "{} (in {})".format(sg.name, vpc_id)
item_config = {
"name": sg.name,
"description": sg.description,
"owner_id": sg.owner_id,
"region": region.name,
"ec2_groups": [],
"ip_ranges": [],
"vpc_id": vpc_id
}
for ipr in sg.ip_ranges:
ipr_config = {
"cidr_ip": ipr.cidr_ip,
"status": ipr.status,
}
item_config["ip_ranges"].append(ipr_config)
item_config["ip_ranges"] = sorted(item_config["ip_ranges"])
for ec2_sg in sg.ec2_groups:
ec2sg_config = {
"name": ec2_sg.name,
"owner_id": ec2_sg.owner_id,
"Status": ec2_sg.Status,
}
item_config["ec2_groups"].append(ec2sg_config)
item_config["ec2_groups"] = sorted(
item_config["ec2_groups"])
item = RDSSecurityGroupItem(region=region.name,
account=account,
name=name,
config=item_config)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS Security Groups.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
account_db = Account.query.filter(Account.name == account).first()
account_number = account_db.number
for region in regions():
app.logger.debug("Checking {}/{}/{}".format(self.index, account, region.name))
sgs = []
try:
rds = connect(account, 'rds', region=region)
marker = None
while True:
response = self.wrap_aws_rate_limited_call(
rds.get_all_dbsecurity_groups,
marker=marker
)
sgs.extend(response)
if response.marker:
marker = response.marker
else:
break
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), self.index, account, region.name)
self.slurp_exception((self.index, account, region.name), exc, exception_map,
source="{}-watcher".format(self.index))
continue
app.logger.debug("Found {} {}".format(len(sgs), self.i_am_plural))
for sg in sgs:
if self.check_ignore_list(sg.name):
continue
name = sg.name
vpc_id = None
if hasattr(sg, 'VpcId'):
vpc_id = sg.VpcId
name = "{} (in {})".format(sg.name, vpc_id)
item_config = {
"name": sg.name,
"description": sg.description,
"owner_id": sg.owner_id,
"region": region.name,
"ec2_groups": [],
"ip_ranges": [],
"vpc_id": vpc_id
}
for ipr in sg.ip_ranges:
ipr_config = {
"cidr_ip": ipr.cidr_ip,
"status": ipr.status,
}
item_config["ip_ranges"].append(ipr_config)
item_config["ip_ranges"] = sorted(item_config["ip_ranges"])
for ec2_sg in sg.ec2_groups:
ec2sg_config = {
"name": ec2_sg.name,
"owner_id": ec2_sg.owner_id,
"Status": ec2_sg.Status,
}
item_config["ec2_groups"].append(ec2sg_config)
item_config["ec2_groups"] = sorted(item_config["ec2_groups"])
arn = 'arn:aws:rds:{region}:{account_number}:secgrp:{name}'.format(
region=region.name,
account_number=account_number,
name=name)
item_config['arn'] = arn
item = RDSSecurityGroupItem(region=region.name, account=account, name=name, arn=arn, config=item_config)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS Security Groups.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
for region in regions():
app.logger.debug("Checking {}/{}/{}".format(self.index, account, region.name))
try:
rds = connect(account, 'rds', region=region)
sgs = rds.get_all_dbsecurity_groups()
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), self.index, account, region.name)
self.slurp_exception((self.index, account, region.name), exc, exception_map)
continue
app.logger.debug("Found {} {}".format(len(sgs), self.i_am_plural))
for sg in sgs:
### Check if this SG is on the Ignore List ###
ignore_item = False
for ignore_item_name in IGNORE_PREFIX[self.index]:
if sg.name.lower().startswith(ignore_item_name.lower()):
ignore_item = True
break
if ignore_item:
continue
item_config = {
"name": sg.name,
"description": sg.description,
"owner_id": sg.owner_id,
"region": region.name,
"ec2_groups": [],
"ip_ranges": []
}
for ipr in sg.ip_ranges:
ipr_config = {
"cidr_ip": ipr.cidr_ip,
"status": ipr.status,
}
item_config["ip_ranges"].append(ipr_config)
item_config["ip_ranges"] = sorted(item_config["ip_ranges"])
for ec2_sg in sg.ec2_groups:
ec2sg_config = {
"name": ec2_sg.name,
"owner_id": ec2_sg.owner_id,
"Status": ec2_sg.Status,
}
item_config["ec2_groups"].append(ec2sg_config)
item_config["ec2_groups"] = sorted(item_config["ec2_groups"])
item = RDSSecurityGroupItem(region=region.name, account=account, name=sg.name, config=item_config)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS DB Clusters.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
for region in regions():
app.logger.debug(
"Checking {}/{}/{}".format(self.index, account, region.name))
clusters = []
try:
rds = connect(account, 'boto3.rds.client', region=region)
marker = None
while True:
if marker:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_clusters,
Marker=marker
)
else:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_clusters
)
clusters.extend(response.get('DBClusters', []))
if response.get('Marker'):
marker = response.get('Marker')
else:
break
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(
str(e), self.index, account, region.name)
self.slurp_exception(
(self.index, account, region.name), exc, exception_map)
continue
app.logger.debug("Found {} {}".format(
len(clusters), self.i_am_plural))
for cluster in clusters:
name = cluster.get('DBClusterIdentifier')
if self.check_ignore_list(name):
continue
item_config = {
'name': name,
'allocated_storage': cluster.get('AllocatedStorage'),
'availability_zones': cluster.get('AvailabilityZones'),
'backup_retention_period': cluster.get('BackupRetentionPeriod'),
'character_set_name': cluster.get('CharacterSetName'),
'database_name': cluster.get('DatabaseName'),
'db_cluster_parameter_group': cluster.get('DBClusterParameterGroup'),
'db_subnet_group': cluster.get('DBSubnetGroup'),
'status': cluster.get('Status'),
'percent_progress': cluster.get('PercentProgress'),
'earliest_restorable_time': str(cluster.get('EarliestRestorableTime')),
'endpoint': cluster.get('Endpoint'),
'engine': cluster.get('Engine'),
'engine_version': cluster.get('EngineVersion'),
'latest_restorable_time': str(cluster.get('LatestRestorableTime')),
'port': cluster.get('Port'),
'master_username': cluster.get('MasterUsername'),
'db_cluster_option_group_memberships': cluster.get('DBClusterOptionGroupMemberships', []),
'preferred_backup_window': cluster.get('PreferredBackupWindow'),
'preferred_maintenance_window': cluster.get('PreferredMaintenanceWindow'),
'db_cluster_members': cluster.get('DBClusterMembers', []),
'vpc_security_groups': cluster.get('VpcSecurityGroups', []),
'hosted_zoneId': cluster.get('HostedZoneId'),
'storage_encrypted': cluster.get('StorageEncrypted', False),
'kms_key_id': cluster.get('KmsKeyId'),
'db_cluster_resourceId': cluster.get('DbClusterResourceId'),
'arn': cluster.get('DBClusterArn')
}
item = RDSClusterItem(
region=region.name, account=account, name=name, arn=cluster.get('DBClusterArn'),
config=item_config, source_watcher=self)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS snapshots in use by account
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
from security_monkey.common.sts_connect import connect
item_list = []
exception_map = {}
for account in self.accounts:
for region in regions():
app.logger.debug("Checking {}/{}/{}".format(
self.index, account, region.name))
snapshots = []
try:
rds = connect(account, 'boto3.rds.client', region=region)
marker = ''
while True:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_snapshots, Marker=marker)
snapshots.extend(response.get('DBSnapshots'))
if response.get('Marker'):
marker = response.get('Marker')
else:
break
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), self.index, account,
region.name)
self.slurp_exception(
(self.index, account, region.name), exc,
exception_map)
continue
app.logger.debug("Found {} {}".format(len(snapshots),
self.i_am_plural))
for snapshot in snapshots:
name = snapshot.get('DBSnapshotIdentifier')
if self.check_ignore_list(name):
continue
config = dict(snapshot)
config['InstanceCreateTime'] = str(
config.get('InstanceCreateTime'))
config['SnapshotCreateTime'] = str(
config.get('SnapshotCreateTime'))
config['Arn'] = str(config.get('DBSnapshotArn'))
config['Attributes'] = dict()
try:
attributes = self.wrap_aws_rate_limited_call(
rds.describe_db_snapshot_attributes,
DBSnapshotIdentifier=snapshot.get(
'DBSnapshotIdentifier'))
for attribute in attributes[
'DBSnapshotAttributesResult'][
'DBSnapshotAttributes']:
config['Attributes'][
attribute['AttributeName']] = attribute[
'AttributeValues']
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), self.index,
account, region.name)
self.slurp_exception(
(self.index, account, region.name, name), exc,
exception_map)
item = RDSSnapshotItem(region=region.name,
account=account,
name=name,
arn=snapshot.get('DBSnapshotArn'),
config=dict(config),
source_watcher=self)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS Cluster Snapshots.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
from security_monkey.common.sts_connect import connect
item_list = []
exception_map = {}
for account in self.accounts:
for region in regions():
app.logger.debug("Checking {}/{}/{}".format(
self.index, account, region.name))
rds_cluster_snapshots = []
try:
rds = connect(account, 'boto3.rds.client', region=region)
marker = None
while True:
if marker:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_cluster_snapshots,
Marker=marker)
else:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_cluster_snapshots)
rds_cluster_snapshots.extend(
response.get('DBClusterSnapshots'))
if response.get('Marker'):
marker = response.get('Marker')
else:
break
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), self.index, account,
region.name)
self.slurp_exception(
(self.index, account, region.name), exc,
exception_map)
continue
app.logger.debug("Found {} {}".format(
len(rds_cluster_snapshots), self.i_am_plural))
for cluster_snapshot in rds_cluster_snapshots:
name = cluster_snapshot.get('DBClusterSnapshotIdentifier')
if self.check_ignore_list(name):
continue
config = {
'db_cluster_snapshot_identifier':
name,
'db_cluster_identifier':
cluster_snapshot.get('DBClusterIdentifier'),
'snapshot_create_time':
str(cluster_snapshot.get('SnapshotCreateTime')),
'availability_zones':
cluster_snapshot.get('AvailabilityZones'),
'engine':
cluster_snapshot.get('Engine'),
'allocated_storage':
cluster_snapshot.get('AllocatedStorage'),
'status':
cluster_snapshot.get('Status'),
'port':
cluster_snapshot.get('Port'),
'vpc_id':
cluster_snapshot.get('VpcId'),
'cluster_create_time':
str(cluster_snapshot.get('ClusterCreateTime')),
'master_username':
cluster_snapshot.get('MasterUsername'),
'engine_version':
cluster_snapshot.get('EngineVersion'),
'license_model':
cluster_snapshot.get('LicenseModel'),
'snapshot_type':
cluster_snapshot.get('SnapshotType'),
'percent_progress':
cluster_snapshot.get('PercentProgress'),
'storage_encrypted':
cluster_snapshot.get('StorageEncrypted'),
'kms_key_id':
cluster_snapshot.get('KmsKeyId')
}
item = RDSClusterSnapshotItem(region=region.name,
account=account,
name=name,
config=dict(config),
source_watcher=self)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS snapshots in use by account
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
from security_monkey.common.sts_connect import connect
item_list = []
exception_map = {}
for account in self.accounts:
for region in regions():
app.logger.debug(
"Checking {}/{}/{}".format(self.index, account, region.name))
snapshots = []
try:
rds = connect(account, 'boto3.rds.client', region=region)
marker = ''
while True:
response = self.wrap_aws_rate_limited_call(
rds.describe_db_snapshots,
Marker=marker)
snapshots.extend(response.get('DBSnapshots'))
if response.get('Marker'):
marker = response.get('Marker')
else:
break
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(
str(e), self.index, account, region.name)
self.slurp_exception(
(self.index, account, region.name), exc, exception_map)
continue
app.logger.debug("Found {} {}".format(
len(snapshots), self.i_am_plural))
for snapshot in snapshots:
name = snapshot.get('DBSnapshotIdentifier')
if self.check_ignore_list(name):
continue
config = dict(snapshot)
config['InstanceCreateTime'] = str(config.get('InstanceCreateTime'))
config['SnapshotCreateTime'] = str(config.get('SnapshotCreateTime'))
config['Arn'] = str(config.get('DBSnapshotArn'))
config['Attributes'] = dict()
try:
attributes = self.wrap_aws_rate_limited_call(
rds.describe_db_snapshot_attributes,
DBSnapshotIdentifier=snapshot.get('DBSnapshotIdentifier'))
for attribute in attributes['DBSnapshotAttributesResult']['DBSnapshotAttributes']:
config['Attributes'][attribute['AttributeName']] = attribute['AttributeValues']
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), self.index, account, region.name)
self.slurp_exception((self.index, account, region.name, name), exc, exception_map)
item = RDSSnapshotItem(
region=region.name, account=account, name=name,
arn=snapshot.get('DBSnapshotArn'), config=dict(config), source_watcher=self)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of RDS Security Groups.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
for region in regions():
app.logger.debug("Checking {}/{}/{}".format(self.index, account, region.name))
try:
rds = connect(account, 'rds', region=region)
sgs = self.wrap_aws_rate_limited_call(
rds.get_all_dbsecurity_groups
)
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), self.index, account, region.name)
self.slurp_exception((self.index, account, region.name), exc, exception_map)
continue
app.logger.debug("Found {} {}".format(len(sgs), self.i_am_plural))
for sg in sgs:
### Check if this SG is on the Ignore List ###
ignore_item = False
for ignore_item_name in IGNORE_PREFIX[self.index]:
if sg.name.lower().startswith(ignore_item_name.lower()):
ignore_item = True
break
if ignore_item:
continue
item_config = {
"name": sg.name,
"description": sg.description,
"owner_id": sg.owner_id,
"region": region.name,
"ec2_groups": [],
"ip_ranges": []
}
for ipr in sg.ip_ranges:
ipr_config = {
"cidr_ip": ipr.cidr_ip,
"status": ipr.status,
}
item_config["ip_ranges"].append(ipr_config)
item_config["ip_ranges"] = sorted(item_config["ip_ranges"])
for ec2_sg in sg.ec2_groups:
ec2sg_config = {
"name": ec2_sg.name,
"owner_id": ec2_sg.owner_id,
"Status": ec2_sg.Status,
}
item_config["ec2_groups"].append(ec2sg_config)
item_config["ec2_groups"] = sorted(item_config["ec2_groups"])
item = RDSSecurityGroupItem(region=region.name, account=account, name=sg.name, config=item_config)
item_list.append(item)
return item_list, exception_map
