def get_redshift_clusters(account, region):
""" Get all redshift clusters from all accounts. """
redshift_data = []
aws_accounts = AwsAccounts()
accounts = aws_accounts.all()
if not account:
session = boto3.session.Session()
for acc in accounts:
alias = None
assume = rolesession.assume_crossact_audit_role(
session,
acc['accountNum'],
region)
if assume:
client = assume.client('redshift')
redshift_list = mp_wrappers.describe_clusters(client)[
'Clusters']
alias = acc.get('alias')
for cluster in redshift_list:
redshift_data.append(
dict(Region=region,
ClusterId=(cluster['ClusterIdentifier']),
Username=(cluster['MasterUsername']),
DBName=(cluster['DBName']),
Endpoint=(cluster['Endpoint']),
PubliclyAccessible=(
cluster['PubliclyAccessible']),
Encrypted=(cluster['Encrypted']),
AccountNum=acc['accountNum'],
AccountAlias=alias))
else:
pass
elif account.isdigit() and len(account) == 12:
session = boto3.session.Session()
assume = rolesession.assume_crossact_audit_role(
session,
account,
region)
alias = None
if assume:
client = assume.client('redshift')
redshift_list = mp_wrappers.describe_clusters(client)['Clusters']
alias = account.get('alias')
for cluster in redshift_list:
redshift_data.append(
dict(Region=region,
ClusterId=(cluster['ClusterIdentifier']),
Username=(cluster['MasterUsername']),
DBName=(cluster['DBName']),
Endpoint=(cluster['Endpoint']),
PubliclyAccessible=(cluster['PubliclyAccessible']),
Encrypted=(cluster['Encrypted']),
AccountNum=account,
AccountAlias=alias))
else:
return dict(Error='Account not found'), 404
return dict(Clusters=redshift_data), 200
def get_security_groups(account, region='us-east-1'):
sg_data = []
aws_accounts = AwsAccounts()
accounts = aws_accounts.all()
session = boto3.session.Session(region_name=region)
if not account:
for acc in accounts:
if acc['accountNum']:
assume = rolesession.assume_crossact_audit_role(
session, acc['accountNum'], region)
if assume:
ec2 = assume.client('ec2')
security_groups = ec2.describe_security_groups(
)['SecurityGroups']
for group in security_groups:
sg_name = None
try:
for tag in group['Tags']:
if tag['Key'] == 'Name':
sg_name = tag['Value']
except:
sg_name = None
sg_data.append(
dict(Region=region,
GroupName=sg_name,
GroupId=(group['GroupId']),
AccountNum=acc['accountNum'],
AccountAlias=acc['alias']))
elif account.isdigit() and len(account) == 12:
assume = rolesession.assume_crossact_audit_role(
session, account, region)
alias = aws_accounts.with_number(account)['alias']
if assume:
ec2 = assume.client('ec2')
security_groups = ec2.describe_security_groups()['SecurityGroups']
for group in security_groups:
sg_name = None
for tag in group['Tags']:
if tag['Key'] == 'Name':
sg_name = tag['Value']
sg_id = group['GroupId']
sg_data.append(
dict(GroupName=sg_name,
GroupId=sg_id,
AccountNum=account,
AccountAlias=alias))
else:
return (dict(Message='Account not found'), 404)
# print(sg_data)
return dict(SecurityGroups=sg_data), 200
def get_dynamo_tables(account, region):
"""Provide an event that contains the following keys:
-account: account to look in or all for all security groups
-region: region to pull from
"""
dynamo_data = []
aws_accounts = AwsAccounts()
if not account:
accounts = aws_accounts.all()
session = boto3.session.Session()
for account in accounts:
assume = rolesession.assume_crossact_audit_role(
session, account['accountNum'], region)
if assume:
client = assume.client('dynamodb')
dynamo_list = client.list_tables()['TableNames']
for table in dynamo_list:
dynamo_data.append(
dict(Region=region,
TableName=table,
AccountNum=account['accountNum'],
AccountAlias=account['alias']))
else:
pass
elif account.isdigit() and len(account) == 12:
account_number = account
accounts_matching = aws_accounts.with_number(account_number)
alias = accounts_matching['alias']
session = boto3.session.Session()
assume = rolesession.assume_crossact_audit_role(
session, account_number, region)
if assume:
account = aws_accounts.with_number(account_number)
client = assume.client('dynamodb')
dynamo_list = client.list_tables()['TableNames']
for table in dynamo_list:
dynamo_data.append(
dict(Region=region,
TableName=table,
AccountNum=account['accountNum'],
AccountAlias=account['alias']))
else:
print("[D] Assume: %s" % assume)
return {"Error": "Unable to assume role"}, 500
else:
return dict(Error='Account not found.'), 404
return dict(Tables=dynamo_data), 200
def get_users_for_account(account):
session = boto3.session.Session() # create session for Thread Safety
assume = rolesession.assume_crossact_audit_role(session,
account['accountNum'],
'us-east-1')
users_info = []
if assume:
iam = assume.client('iam')
users_info = iam.list_users().get('Users')
if users_info is None:
return dict(Account=dict(accountNum=account),
Instance=dict(message='Error'))
else:
print("[X] Assume failed.")
data = []
for user in users_info:
if user.get('PasswordLastUsed'):
password_set = True
else:
password_set = False
data.append(
dict(Username=user.get('UserName'),
CreateDate=user['CreateDate'].isoformat(),
PasswordSet=password_set,
AccountNum=account['accountNum'],
AccountAlias=account['alias']))
return data
def get_s3_buckets_for_account(account, region='us-east-1'):
session = boto3.session.Session() # create session for Thread Safety
assume = rolesession.assume_crossact_audit_role(session,
account['accountNum'],
region)
s3_data = []
if assume:
s3 = assume.client('s3')
s3_info = s3.list_buckets()['Buckets']
for bucket in s3_info:
s3_global = False
try:
s3_acls = s3.get_bucket_acl(Bucket=bucket)['Grants']
for acl in s3_acls:
try:
s3_global = s3_acl_is_global(acl)
except:
pass
except Exception, e:
print "[X] Exception: %s" % e
pass
s3_data.append(
dict(BucketName=bucket['Name'],
AccountNum=account['accountNum'],
AccountAlias=account.get('alias'),
GlobalAccess=s3_global))
def get_account_stats(account_rec):
""" Get account statistics for dashboard.
:param account_rec: AWS account
"""
session = boto3.session.Session()
account = account_rec['accountNum']
assume = rolesession.assume_crossact_audit_role(session, account,
'us-east-1', ASSUME_ROLE)
instance_count = 0
sg_count = 0
user_count = 0
elb_count = 0
if assume:
ec2 = assume.client('ec2')
instances = ec2.describe_instances()['Reservations']
for res in instances:
instance_count += len(res['Instances'])
sg_count += len(ec2.describe_security_groups()['SecurityGroups'])
iam = assume.client('iam')
user_count += len(iam.list_users()['Users'])
elb = assume.client('elb')
elb_count += len(
elb.describe_load_balancers()['LoadBalancerDescriptions'])
return dict(InstanceCount=instance_count,
UserCount=user_count,
SecurityGroupCount=sg_count,
ELBCount=elb_count)
def get_instances_for_account(account,region):
instance_data = []
session = boto3.session.Session(region_name=region)
try:
assume = rolesession.assume_crossact_audit_role(
session, account['accountNum'], region)
except Exception,e:
assume = None
print "Exception: %e" % e
def get_s3_bucket(account, bucket, region='us-east-1'):
if account.isdigit() and len(account) == 12:
account = account
else:
return dict(Error='Account Not Found.'), 404
obj_data = []
session = boto3.session.Session()
assume = rolesession.assume_crossact_audit_role(session, account, region)
if assume:
s3 = assume.client('s3')
s3_global = False
try:
s3_acls = s3.get_bucket_acl(Bucket=bucket)['Grants']
except Exception as e:
return dict(Error=e), 500
for acl in s3_acls:
try:
if s3_acl_is_global(acl):
s3_global = True
except:
pass
try:
s3_objects = s3.list_objects(Bucket=bucket)['Contents']
except Exception as e:
#Exception is likely a key error when the bucket has no contents.
#There may be a better way to handle it.
s3_objects = []
if len(s3_objects) > 0:
for obj in s3_objects: # definately a bug,
# if we get no buckets, this still happens
s3_obj = s3.head_object(Bucket=bucket, Key=obj['Key'])
obj_key = obj['Key']
obj_last_modified = s3_obj['LastModified'].isoformat()
obj_size = s3_obj['ContentLength']
obj_enc = s3_obj.get('ServerSideEncryption')
obj_storage = s3_obj.get('StorageClass')
obj_data.append(
dict(Key=obj_key,
ModifiedDate=obj_last_modified,
Size=obj_size,
Encryption=obj_enc,
StorageType=obj_storage))
else:
print("Bucket has no contents")
result = dict(Bucket=dict(Name=bucket,
GlobalAccess=s3_global,
AccountNum=account),
Objects=obj_data)
else:
result = dict(Bucket=dict(Error='Unable to assume account'))
return result, 200
def get_security_group(account, group, region):
""" Get security group details.
:param account: AWS account
:param group: security group id
:param region: AWS region
"""
session = boto3.session.Session(region_name=region)
assume = rolesession.assume_crossact_audit_role(session, account, region)
if assume:
ec2 = assume.client('ec2')
try:
sg_info = ec2.describe_security_groups(
GroupIds=[group])['SecurityGroups'][0]
except ClientError:
print "Security group not found"
return dict(Account=dict(accountNum=account),
Instance=dict(message='Security group not found'))
instance_data = get_instance_info(assume, account, sg_info['GroupId'])
client = assume.client('elb')
elb_data = []
for elb in client.describe_load_balancers(
)['LoadBalancerDescriptions']:
for sec_group in elb['SecurityGroups']:
if sec_group == sg_info['GroupId']:
elb_data.append(
dict(Name=elb['LoadBalancerName'], AccountNum=account))
return dict(Account=dict(accountNum=account),
SecurityGroup=dict(GroupName=sg_info['GroupName'],
GroupId=sg_info['GroupId'],
Description=sg_info['Description'],
Tags=sg_info.get('Tags', None),
InboundRules=format_inbound_rules(
sg_info['IpPermissions']),
OutboundRules=format_outbound_rules(
sg_info['IpPermissionsEgress']),
VpcId=sg_info['VpcId'],
Region=region),
Instances=instance_data,
ELB=elb_data)
else:
print '{"message":"Account not assumable"}'
return dict(Account=dict(accountNum=account),
Message='Account not assumable')
def get_roles_for_account(account):
session = boto3.session.Session() # create session for Thread Safety
assume = rolesession.assume_crossact_audit_role(session,
account['accountNum'],
'us-east-1')
role_data = []
if assume:
iam = assume.client('iam')
for role in iam.list_roles().get('Roles'):
role_data.append(
dict(Name=(role['RoleName']),
CreateDate=(role['CreateDate'].isoformat()),
Id=(role['RoleId']),
Arn=(role['Arn']),
AssumePolicy=(role['AssumeRolePolicyDocument']),
AccountNum=account['accountNum'],
AccountAlias=account['alias']))
return role_data
def get_s3_bucket(account, bucket, region='us-east-1'):
""" Get s3 bucket from specific account.
:param account: AWS account
:param bucket: S3 bucket
:param region: AWS region
"""
if account.isdigit() and len(account) == 12:
account = account
else:
return dict(Error='Account Not Found.'), 404
obj_data = []
session = boto3.session.Session()
assume = rolesession.assume_crossact_audit_role(session, account, region)
if assume:
s3_client = assume.client('s3')
s3_global = False
try:
s3_acls = s3_client.get_bucket_acl(Bucket=bucket)['Grants']
except ClientError as err:
return dict(Error=err), 500
for acl in s3_acls:
s3_global = s3_acl_is_global(acl)
s3_objects = s3_client.list_objects(Bucket=bucket).get('Contents')
if s3_objects:
for obj in s3_objects: # definately a bug,
# if we get no buckets, this still happens
s3_obj = s3_client.head_object(Bucket=bucket, Key=obj['Key'])
obj_data.append(
dict(Key=obj['Key'],
ModifiedDate=s3_obj['LastModified'].isoformat(),
Size=s3_obj['ContentLength'],
Encryption=s3_obj.get('ServerSideEncryption'),
StorageType=s3_obj.get('StorageClass')))
else:
print "Bucket has no contents"
result = dict(Bucket=dict(Name=bucket,
GlobalAccess=s3_global,
AccountNum=account),
Objects=obj_data)
else:
result = dict(Bucket=dict(Error='Unable to assume account'))
return result, 200
def get_instances_for_account(account, region):
""" Get instances for a specific account.
:param account: AWS account
"""
instance_data = []
session = boto3.session.Session(region_name=region)
assume = rolesession.assume_crossact_audit_role(
session, account['accountNum'], region)
if assume:
age_lookup = ImageAgeLookup(assume)
membership_lookup = LookupInstanceMembership(assume)
ec2 = assume.client('ec2')
instances = ec2.describe_instances().get('Reservations')
if not instances:
instances = []
for res in instances:
for instance in res['Instances']:
tags = {x['Key']: x['Value']
for x in instance.get('Tags', [])} # Extract tags as a dict
if not tags:
tags = dict()
instance_prof = instance.get('IamInstanceProfile')
if instance_prof:
profile_name = instance_prof['Arn'].split('/')[-1]
else:
profile_name = None
instance_data.append(
dict(Name=tags.get('Name'),
CreateDate=json.dumps(
instance['LaunchTime'], cls=MyEncoder),
Region=region,
InstanceId=instance['InstanceId'],
State=instance['State']['Name'],
AccountNum=account['accountNum'],
IamInstanceProfile=profile_name,
ImageId=instance.get('ImageId'),
Membership=membership_lookup.lookup(
instance['InstanceId'], tags),
Runtime=runtime(instance),
ImageAge=age_lookup.lookup(instance.get('ImageId')),
AccountAlias=account.get('alias')))
return instance_data
def get_instance_count_for_account(account):
regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']
data = []
instance_count = 0
session = boto3.session.Session() # create session for Thread Safety
instance_info = []
for region in regions:
try:
assume = rolesession.assume_crossact_audit_role(
session, account['accountNum'], region)
except Exception, e:
print "[X] ERROR: %s" % e
assume = None
if assume:
print "Assumed into %s" % str(account)
ec2 = assume.client('ec2')
instances = ec2.describe_instances()['Reservations']
for res in instances:
instance_count += len(res['Instances'])
def query_elbs_for_account(account, region, session):
list = []
assume = rolesession.assume_crossact_audit_role(session,
account['accountNum'],
region)
if assume:
client = assume.client('elb')
elbs = client.describe_load_balancers()['LoadBalancerDescriptions']
for elb in elbs:
elb_name = elb['LoadBalancerName']
elb_dns = elb['DNSName']
list.append(
dict(Region=region,
ELBName=elb_name,
DNSName=elb_dns,
AccountNum=account['accountNum'],
AccountAlias=account['alias']))
return list
def get_usercount_for_account(account):
data = []
user_count = 0
session = boto3.session.Session()
#user_info = []
try:
assume = rolesession.assume_crossact_audit_role(
session, account['accountNum'], 'us-east-1')
except:
assume = None
if assume:
iam = assume.client('iam')
users_info = mp_wrappers.list_users(iam)
user_count += len(users_info)
data.append(
dict(Account=account.get('accountNum'),
Alias=(account.get('alias')),
UserCount=user_count))
return data
def get_usercount_for_account(account):
""" Get user count for specific AWS account.
:param account: Get usercount for a specific account
"""
data = []
user_count = 0
session = boto3.session.Session()
assume = rolesession.assume_crossact_audit_role(session,
account['accountNum'],
'us-east-1')
if assume:
iam = assume.client('iam')
users_info = mp_wrappers.list_users(iam)
user_count += len(users_info)
data.append(
dict(Account=account.get('accountNum'),
Alias=(account.get('alias')),
UserCount=user_count))
return data
def get_s3_buckets_for_account(account, region='us-east-1'):
""" Get S3 buckets for a specific account.
:param account: AWS account
:param region: AWS region
"""
session = boto3.session.Session() # create session for Thread Safety
assume = rolesession.assume_crossact_audit_role(session,
account['accountNum'],
region)
s3_data = []
if assume:
s3_client = assume.client('s3')
s3_info = s3_client.list_buckets().get('Buckets')
if s3_info:
for bucket in s3_info:
s3_global = is_s3_bucket_global(assume, bucket)
s3_data.append(
dict(BucketName=bucket['Name'],
AccountNum=account['accountNum'],
AccountAlias=account.get('alias'),
GlobalAccess=s3_global))
return s3_data
def get_elb(account, elb, region):
""" Get elastic loadbalancer info. """
# aws_accounts = AwsAccounts()
session = boto3.session.Session(region_name=region)
assume = rolesession.assume_crossact_audit_role(session, account,
region)
client = assume.client('elb')
try:
elb_info = client.describe_load_balancers(
LoadBalancerNames=[elb])['LoadBalancerDescriptions'][0]
except ClientError:
return dict(Account=dict(accountNum=account),
LoadBalancer=dict(message='ELB not found')), 404
elb_dns = elb_info['DNSName']
elb_subnets = elb_info['Subnets']
elb_vpc = elb_info['VPCId']
elb_instances = elb_info['Instances']
elb_sg = elb_info['SecurityGroups']
gatewayid, nat_gatewayid = get_gateway_ids(assume, elb_subnets)
if gatewayid:
internet_facing = bool(gatewayid.startswith("igw-"))
else:
gatewayid = nat_gatewayid
internet_facing = False
return dict(
Account=dict(AccountNum=account),
LoadBalancer=dict(
ELBName=elb,
DNSName=elb_dns,
Subnets=elb_subnets,
VpcId=elb_vpc,
InternetFacing=internet_facing,
SecurityGroups=elb_sg,
Region=region),
Routes=dict(GatewayId=gatewayid), Instances=elb_instances)
def get_instance_count_for_account(account):
""" Get EC2 instance count for a specific account.
:param account: AWS account
"""
regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']
data = []
instance_count = 0
session = boto3.session.Session() # create session for Thread Safety
for region in regions:
assume = rolesession.assume_crossact_audit_role(
session, account['accountNum'], region)
if assume:
print "Assumed into %s" % str(account)
ec2 = assume.client('ec2')
instances = ec2.describe_instances()['Reservations']
for res in instances:
instance_count += len(res['Instances'])
data.append(dict(
Account=account.get('accountNum'),
Alias=account.get('alias'),
InstanceCount=instance_count))
return data
def query_for_account(account_rec, region):
""" Performs the public ip query for the given account
:param account: Account number to query
:param session: Initial session
:param region: Region to query
:param ip_data: Initial list. Appended to and returned
:return: update ip_data list
"""
ip_data = []
session = boto3.session.Session(region_name=region)
assume = rolesession.assume_crossact_audit_role(session,
account_rec['accountNum'],
region)
if assume:
for ip_addr in assume.client('ec2').describe_addresses()['Addresses']:
ip_data.append(
dict(
PublicIP=(ip_addr.get('PublicIp')),
InstanceId=(ip_addr.get('InstanceId')), # Prevents a crash
PrivateIP=(ip_addr.get('PrivateIpAddress')),
NetworkInterface=(ip_addr.get('NetworkInterfaceId')),
AccountNum=account_rec['accountNum'],
AccountAlias=(account_rec['alias'])))
for instance in assume.resource('ec2').instances.filter():
if instance.public_ip_address:
ip_data.append(
dict(InstanceId=(instance.instance_id),
PublicIP=(instance.public_ip_address),
PrivateIP=(instance.private_ip_address),
AccountNum=account_rec['accountNum'],
AccountAlias=(account_rec['alias'])))
else:
pass
return ip_data
def get_instance(account, instance, region='us-east-1'):
""" Get specific instance information.
:param account: AWS account
:param instance: AWS EC2 instance id
:param region: AWS region
"""
if account:
session = boto3.session.Session(region_name=region)
assume = rolesession.assume_crossact_audit_role(
session, account, region)
ec2 = assume.client('ec2')
instance_info = get_instance_info(assume, instance)
if not instance_info:
return dict(Account=dict(accountNum=account),
Instance=dict(message='Instance not found')), 404
public_ip = instance_info.get('PublicIpAddress')
subnet_id = instance_info.get('SubnetId')
route_tags = None
try:
# todo: The following line bombs if their are no
# explicit route tables.. Seems like a bug
describe_route_table_filter = []
if subnet_id:
describe_route_table_filter.append(
dict(Name='association.subnet-id', Values=[subnet_id]))
ec2_describe_route_tables = ec2.describe_route_tables(
Filters=describe_route_table_filter)
route_info = ec2_describe_route_tables['RouteTables'][0]
route_tags = route_info['Tags']
routes = route_info['Routes']
gateway_id = get_gateway_id(routes)
except (ClientError, IndexError) as err:
print "[X] No explicit route table found: %s" % err
gateway_id = None
data_vpcid = instance_info.get('VpcId')
route_filter = [dict(Name='association.main', Values=['true'])]
if data_vpcid:
route_filter.append(dict(Name='vpc-id', Values=[data_vpcid]))
route_table_description = ec2.describe_route_tables(
Filters=route_filter)
if route_table_description.get('RouteTables'):
route_info = route_table_description['RouteTables'][0]
route_tags = route_info['Tags']
routes = route_info['Routes']
gateway_id = get_gateway_id(routes)
internet_facing = bool(gateway_id.startswith("igw-"))
instance_elb = get_elb_associations(assume, instance)
try:
image_name = ec2.describe_images(
ImageIds=[instance_info['ImageId']])['Images'][0]['Name']
except (ClientError, IndexError):
image_name = None
try:
net_acl = ec2.describe_network_acls(Filters=[
dict(Name='association.subnet-id', Values=[subnet_id])
])['NetworkAcls'][0]['NetworkAclId']
except ClientError:
net_acl = None
return dict(Account=dict(accountNum=account),
Instance=dict(
InstanceId=instance,
ImageId=instance_info.get('ImageId'),
ImageName=image_name,
PublicDnsName=instance_info.get('PublicDnsName'),
PublicIpAddress=public_ip,
InternetFacing=internet_facing,
ElasticLoadBalancer=instance_elb,
PrivateIpAddress=instance_info.get('PrivateIpAddress'),
InstanceType=instance_info['InstanceType'],
SubnetId=subnet_id,
SecurityGroups=instance_info.get('SecurityGroups'),
Tags=(instance_info.get('Tags')),
NetworkACL=net_acl,
CreateDate=json.dumps(instance_info['LaunchTime'],
cls=MyEncoder),
Region=region),
Routes=dict(GatewayId=gateway_id, Tags=route_tags))
else:
print '{"message":"Account not found"}'
return dict(Message='Account not found'), 404
def get_user(account, user):
aws_accounts = AwsAccounts()
if not(account.isdigit() and len(account) == 12):
alias = account
account = aws_accounts.with_alias(alias)
if account:
print("Account "+str(account))
policies = []
session = boto3.session.Session()
assume = rolesession.assume_crossact_audit_role(
session, account, 'us-east-1')
iam = assume.client('iam')
try:
try:
#user_info = iam.list_user_policies(UserName=user)[
# 'PolicyNames']
user_info = mp_wrappers.list_user_policies(iam, user)['PolicyNames']
except Exception as e:
print(e)
final = dict(Account=dict(accountNum=account),
User=dict(Username=user),
Message='User not found'), 404
return final
for pol_name in user_info:
policy = iam.get_user_policy(UserName=user,
PolicyName=pol_name)
policies.append(policy['PolicyDocument'])
print(policies)
#user_info = iam.list_attached_user_policies(UserName=user)[
# 'AttachedPolicies']
user_info = mp_wrappers.list_attached_user_policies(iam, user)['AttachedPolicies']
for pol_name in user_info:
policies.append({"ManagedPolicy": pol_name['PolicyName']})
#create_date = iam.get_user(UserName=user)['User'][
# 'CreateDate'].isoformat()
create_date = mp_wrappers.get_user(iam, user)['User']['CreateDate'].isoformat()
try:
if user['PasswordLastUsed']:
password_set = True
else:
password_set = False
except:
password_set = False
access_keys = []
access_key_info = iam.list_access_keys(UserName=user)[
'AccessKeyMetadata']
for access_key in access_key_info:
last_used = iam.get_access_key_last_used(
AccessKeyId=access_key['AccessKeyId'])[
'AccessKeyLastUsed']
try:
last_used_date = last_used['LastUsedDate'].isoformat()
except:
last_used_date = None
last_used_service = last_used['ServiceName']
last_used_region = last_used['Region']
access_keys.append(dict(
KeyId=access_key['AccessKeyId'],
Status=access_key['Status'],
CreateDate=access_key['CreateDate'].isoformat(),
LastUsed=last_used_date,
LastService=last_used_service,
LastRegion=last_used_region))
except Exception as e:
print("Exception: %s" % e)
final = dict(Account=dict(accountNum=account),
Exception=dict(message=e))
return final
final = dict(Account=dict(accountNum=account),
User=dict(
Username=user,
CreateDate=create_date,
PasswordSet=password_set,
Policies=policies),
AccessKeys=access_keys)
return final
else:
# print('{"message":"Account not found"}')
return [dict(Message='Account not found'), ]
def get_security_group(account, group, region):
if account.isdigit() and len(account) == 12:
account = account
mode = 'account'
else:
alias = account
mode = 'alias'
aws_accounts = AwsAccounts()
#This should have error handling for cases when the
#alias/account does not exist.
if mode == 'alias':
account = aws_accounts.by_alias(alias)['accountNum']
elif mode == 'account':
print("Account mode")
else:
print('Error: Invalid option')
raise Exception('Error: Invalid option')
if account:
session = boto3.session.Session(region_name=region)
assume = rolesession.assume_crossact_audit_role(
session, account, region)
ec2 = assume.client('ec2')
try:
sg_info = ec2.describe_security_groups(
GroupIds=[group])['SecurityGroups'][0]
except Exception as e:
print("Security group not found")
return dict(Account=dict(accountNum=account),
Instance=dict(message='Security group not found'))
print(sg_info)
group_name = sg_info['GroupName']
group_id = sg_info['GroupId']
group_desc = sg_info['Description']
group_tags = sg_info.get('Tags', None)
group_ingress = format_inbound_rules(sg_info['IpPermissions'])
group_egress = format_outbound_rules(sg_info['IpPermissionsEgress'])
group_vpc = sg_info['VpcId']
instance_data = []
instance_info = ec2.describe_instances(
Filters=[dict(Name='instance.group-id', Values=[group_id])])
instances = instance_info['Reservations']
for res in instances:
instance_name = None
for instance in res['Instances']:
for tag in instance['Tags']:
if tag['Key'] == 'Name':
instance_name = tag.get('Value', None)
break
instance_data.append(
dict(Name=instance_name,
InstanceId=instance['InstanceId'],
AccountNum=account))
client = assume.client('elb')
elb_data = []
elb_info = client.describe_load_balancers()['LoadBalancerDescriptions']
for elb in elb_info:
for sg in elb['SecurityGroups']:
if sg == group_id:
elb_data.append(
dict(Name=elb['LoadBalancerName'], AccountNum=account))
return dict(Account=dict(accountNum=account),
SecurityGroup=dict(GroupName=group_name,
GroupId=group_id,
Description=group_desc,
Tags=group_tags,
InboundRules=group_ingress,
OutboundRules=group_egress,
VpcId=group_vpc,
Region=region),
Instances=instance_data,
ELB=elb_data)
else:
print('{"message":"Account not found"}')
return [
dict(Message='Account not found'),
]
def get_user(account, user):
""" Grab metadata about a particular AWS user in an AWS account.
:param account: AWS account
:param user: AWS user to get
"""
aws_accounts = AwsAccounts()
if not (account.isdigit() and len(account) == 12):
account = aws_accounts.with_alias(account)
if account:
print "Account " + str(account)
policies = []
# Create an assumed session and IAM client in single call
session = boto3.session.Session()
iam = rolesession.assume_crossact_audit_role(session, account,
'us-east-1').client('iam')
try:
if not user_exists(iam, user):
final_data = dict(Account=dict(accountNum=account),
User=dict(Username=user),
Message='User not found')
return final_data
user_info = mp_wrappers.list_attached_user_policies(
iam, user)['AttachedPolicies']
for pol_name in user_info:
policies.append({"ManagedPolicy": pol_name['PolicyName']})
access_keys = []
access_key_info = iam.list_access_keys(
UserName=user)['AccessKeyMetadata']
for access_key in access_key_info:
last_used = iam.get_access_key_last_used(
AccessKeyId=access_key['AccessKeyId'])['AccessKeyLastUsed']
try:
last_used_date = last_used['LastUsedDate'].isoformat()
except AttributeError:
last_used_date = None
access_keys.append(
dict(KeyId=access_key['AccessKeyId'],
Status=access_key['Status'],
CreateDate=access_key['CreateDate'].isoformat(),
LastUsed=last_used_date,
LastService=last_used['ServiceName'],
LastRegion=last_used['Region']))
except AttributeError as err:
print "Exception: %s" % err
final_data = dict(Account=dict(accountNum=account),
Exception=dict(message=str(err)))
return final_data
final_data = dict(
Account=dict(accountNum=account),
User=dict(Username=user,
CreateDate=user_create_date(iam, user),
PasswordSet=bool(
mp_wrappers.get_user(
iam, user)['User'].get('PasswordLastUsed')),
Policies=policies),
AccessKeys=access_keys)
return final_data
else:
# print('{"message":"Account not found"}')
return [
dict(Message='Account not found'),
]
def get_elb(account, elb, region):
aws_accounts = AwsAccounts()
if account.isdigit() and len(account) == 12:
account = account
else:
alias = account
account = aws_accounts.with_alias(alias)['accountNum']
if not (account.isdigit() and len(account) == 12):
return dict(Error='Account not found'), 404
session = boto3.session.Session(region_name=region)
assume = rolesession.assume_crossact_audit_role(session, account, region)
client = assume.client('elb')
try:
elb_info = client.describe_load_balancers(
LoadBalancerNames=[elb])['LoadBalancerDescriptions'][0]
except:
return dict(Account=dict(accountNum=account),
LoadBalancer=dict(message='ELB not found')), 404
elb_dns = elb_info['DNSName']
# elb_listeners = elb_info['ListenerDescriptions']
elb_subnets = elb_info['Subnets']
elb_vpc = elb_info['VPCId']
elb_instances = elb_info['Instances']
elb_sg = elb_info['SecurityGroups']
ec2 = assume.client('ec2')
try:
route_info = ec2.describe_route_tables(
Filters=[dict(Name='association.subnet-id', Values=elb_subnets)
])['RouteTables']
gatewayid = None
nat_gatewayid = None
print(route_info)
for route_table in route_info:
routes = route_table['Routes']
for route in routes:
try:
if route['DestinationCidrBlock'] == '0.0.0.0/0':
try:
gatewayid = route['GatewayId']
except:
nat_gatewayid = route['NatGatewayId']
except Exception:
pass
except Exception as e:
print(e)
gatewayid = None
nat_gatewayid = None
route_info = ec2.describe_route_tables()['RouteTables'][0]
# todo: This follow code is definitely wrong - check route_table
for route_table in route_info:
routes = route_info['Routes']
for route in routes:
try:
if route['DestinationCidrBlock'] == '0.0.0.0/0':
try:
gatewayid = route['GatewayId']
except:
nat_gatewayid = route['NatGatewayId']
except Exception as e:
pass
if gatewayid:
if gatewayid.startswith("igw-"):
internet_facing = True
else:
internet_facing = False
else:
gatewayid = nat_gatewayid
internet_facing = False
return dict(Account=dict(AccountNum=account),
LoadBalancer=dict(ELBName=elb,
DNSName=elb_dns,
Subnets=elb_subnets,
VpcId=elb_vpc,
InternetFacing=internet_facing,
SecurityGroups=elb_sg,
Region=region),
Routes=dict(GatewayId=gatewayid),
Instances=elb_instances)
def get_instance(account, instance, region='us-east-1'):
mode = 'account'
if not (account.isdigit() and len(account) == 12):
alias = account
mode = 'alias'
aws_accounts = AwsAccounts()
if mode == 'alias':
account_item = aws_accounts.with_alias(alias)
elif mode == 'account':
print("Account mode")
account_item = aws_accounts.with_number(account)
else:
print("Error: Invalid option")
raise Exception("Error: Invalid option")
if account_item:
session = boto3.session.Session(region_name=region)
assume = rolesession.assume_crossact_audit_role(
session, account_item['accountNum'], region)
ec2 = assume.client('ec2')
try:
instance_description = ec2.describe_instances(
InstanceIds=[instance])
instance_info = \
instance_description['Reservations'][0]['Instances'][0]
except:
print("Instance not found")
return dict(
Account=dict(accountNum=account_item['accountNum']),
Instance=dict(message='Instance not found')), 404
public_ip = instance_info.get('PublicIpAddress')
subnet_id = instance_info.get('SubnetId')
route_tags = None
try:
# todo: The following line bombs if their are no
# explicit route tables.. Seems like a bug
describe_route_table_filter = []
if subnet_id:
describe_route_table_filter.append(
dict(Name='association.subnet-id', Values=[subnet_id]))
ec2_describe_route_tables = ec2.describe_route_tables(
Filters=describe_route_table_filter)
route_info = ec2_describe_route_tables['RouteTables'][0]
route_tags = route_info['Tags']
routes = route_info['Routes']
gateway_id = get_geteway_id(routes)
except Exception as e:
print("[X] No explicit route table found: %s" % e)
gateway_id = None
data_vpcid = instance_info.get('VpcId')
route_filter = [dict(Name='association.main', Values=['true'])]
if (data_vpcid):
route_filter.append(dict(Name='vpc-id', Values=[data_vpcid]))
route_table_description = ec2.describe_route_tables(
Filters=route_filter)
if len(route_table_description['RouteTables']) > 0:
route_info = route_table_description['RouteTables'][0]
route_tags = route_info['Tags']
routes = route_info['Routes']
try:
gateway_id = get_geteway_id(routes)
except:
gateway_id = ""
if gateway_id.startswith("igw-"):
internet_facing = True
else:
internet_facing = False
elb = assume.client('elb')
load_balancers = elb.describe_load_balancers()[
'LoadBalancerDescriptions']
instance_elb = []
for balancer in load_balancers:
for elb_instance in balancer['Instances']:
if elb_instance['InstanceId'] == instance:
instance_elb.append(balancer['LoadBalancerName'])
try:
image_name = ec2.describe_images(
ImageIds=[instance_info['ImageId']])['Images'][0]['Name']
except:
image_name = None
try:
net_acl = ec2.describe_network_acls(Filters=[
dict(Name='association.subnet-id',
Values=[subnet_id])])['NetworkAcls'][0]['NetworkAclId']
except:
net_acl = None
return dict(
Account=dict(accountNum=account_item['accountNum']),
Instance=dict(
InstanceId=instance,
ImageId=instance_info.get('ImageId'),
ImageName=image_name,
PublicDnsName=instance_info.get('PublicDnsName'),
PublicIpAddress=public_ip,
InternetFacing=internet_facing,
ElasticLoadBalancer=instance_elb,
PrivateIpAddress=instance_info.get('PrivateIpAddress'),
InstanceType=instance_info['InstanceType'],
SubnetId=subnet_id,
SecurityGroups=instance_info.get('SecurityGroups'),
Tags=(instance_info.get('Tags')),
NetworkACL=net_acl,
CreateDate=json.dumps(instance_info['LaunchTime'],
cls=MyEncoder),
Region=region),
Routes=dict(
GatewayId=gateway_id,
Tags=route_tags))
else:
print('{"message":"Account not found"}')
return dict(Message='Account not found'), 404
