def _get_sns_policy(self, attrs, account, region, arn, exception_map):
try:
json_str = attrs['GetTopicAttributesResponse']['GetTopicAttributesResult']['Attributes']['Policy']
return json.loads(json_str)
except:
self.slurp_exception((self.index, account, region, arn), InvalidAWSJSON(json_str), exception_map)
raise
def build_item(self,
arn=None,
attrs=None,
region=None,
account=None,
exception_map={}):
config = {}
try:
json_str = attrs['GetTopicAttributesResponse'][
'GetTopicAttributesResult']['Attributes']['Policy']
policy = json.loads(json_str)
config['SNSPolicy'] = policy
except:
self.slurp_exception((self.index, account, region, arn),
InvalidAWSJSON(json_str), exception_map)
return None
try:
sns_name = re.search(
'arn:aws:sns:[a-z0-9-]+:[0-9]+:([a-zA-Z0-9-]+)', arn).group(1)
config['Name'] = {'Name': sns_name}
except Exception:
self.slurp_exception((self.index, account, region, arn),
InvalidARN(arn), exception_map)
return None
return SNSItem(region=region, account=account, name=arn, config=config)
def slurp(self):
"""
:returns: item_list - list of SQS Policies.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
for region in regions():
app.logger.debug("Checking {}/{}/{}".format(SQS.index, account, region.name))
try:
sqs = connect(account, 'sqs', region=region)
all_queues = self.wrap_aws_rate_limited_call(
sqs.get_all_queues
)
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), 'sqs', account, region.name)
self.slurp_exception((self.index, account, region.name), exc, exception_map)
continue
app.logger.debug("Found {} {}".format(len(all_queues), SQS.i_am_plural))
for q in all_queues:
### Check if this Queue is on the Ignore List ###
ignore_item = False
for ignore_item_name in IGNORE_PREFIX[self.index]:
if q.name.lower().startswith(ignore_item_name.lower()):
ignore_item = True
break
if ignore_item:
continue
try:
policy = self.wrap_aws_rate_limited_call(
q.get_attributes,
attributes='Policy'
)
if 'Policy' in policy:
try:
json_str = policy['Policy']
policy = json.loads(json_str)
item = SQSItem(region=region.name, account=account, name=q.name,
config=policy)
item_list.append(item)
except:
self.slurp_exception((self.index, account, region, q.name), InvalidAWSJSON(json_str), exception_map)
except boto.exception.SQSError:
# A number of Queues are so ephemeral that they may be gone by the time
# the code reaches here. Just ignore them and move on.
pass
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of IAM Groups.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
all_users = []
try:
iam_b3 = connect(account, 'iam_boto3')
managed_policies = all_managed_policies(iam_b3)
iam = connect(account, 'iam')
marker = None
while True:
users_response = self.wrap_aws_rate_limited_call(
iam.get_all_users, marker=marker)
# build our iam user list
all_users.extend(users_response.users)
# ensure that we get every iam user
if hasattr(users_response, 'marker'):
marker = users_response.marker
else:
break
except Exception as e:
exc = BotoConnectionIssue(str(e), 'iamuser', account, None)
self.slurp_exception((self.index, account, 'universal'), exc,
exception_map)
continue
for user in all_users:
if self.check_ignore_list(user.user_name):
continue
item_config = {
'user': {},
'userpolicies': {},
'accesskeys': {},
'mfadevices': {},
'signingcerts': {}
}
app.logger.debug("Slurping %s (%s) from %s" %
(self.i_am_singular, user.user_name, account))
item_config['user'] = dict(user)
if managed_policies.has_key(user.arn):
item_config['managed_policies'] = managed_policies.get(
user.arn)
### USER POLICIES ###
policy_names = self.policy_names_for_user(iam, user)
for policy_name in policy_names:
policy_document = self.wrap_aws_rate_limited_call(
iam.get_user_policy, user.user_name, policy_name)
policy_document = policy_document.policy_document
policy = urllib.unquote(policy_document)
try:
policydict = json.loads(policy)
except:
exc = InvalidAWSJSON(policy)
self.slurp_exception(
(self.index, account, 'universal', user.user_name),
exc, exception_map)
item_config['userpolicies'][policy_name] = dict(policydict)
### ACCESS KEYS ###
access_keys = self.access_keys_for_user(iam, user)
for key in access_keys:
item_config['accesskeys'][key.access_key_id] = dict(key)
### Multi Factor Authentication Devices ###
mfas = self.mfas_for_user(iam, user)
for mfa in mfas:
item_config['mfadevices'][mfa.serial_number] = dict(mfa)
### LOGIN PROFILE ###
login_profile = 'undefined'
try:
login_profile = self.wrap_aws_rate_limited_call(
iam.get_login_profiles, user.user_name)
login_profile = login_profile.login_profile
item_config['loginprofile'] = dict(login_profile)
except:
pass
### SIGNING CERTIFICATES ###
certificates = self.certificates_for_user(iam, user)
for cert in certificates:
_cert = dict(cert)
del _cert['certificate_body']
item_config['signingcerts'][cert.certificate_id] = dict(
_cert)
item_list.append(
IAMUserItem(account=account,
name=user.user_name,
config=item_config))
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of IAM Groups.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
try:
iam = connect(account, 'iam')
groups = self.get_all_groups(iam)
except Exception as e:
exc = BotoConnectionIssue(str(e), 'iamgroup', account, None)
self.slurp_exception((self.index, account, 'universal'), exc,
exception_map)
continue
for group in groups:
app.logger.debug(
"Slurping %s (%s) from %s" %
(self.i_am_singular, group.group_name, account))
if self.check_ignore_list(group.group_name):
continue
item_config = {
'group': dict(group),
'grouppolicies': {},
'users': {}
}
### GROUP POLICIES ###
group_policies = self.get_all_group_policies(
iam, group.group_name)
for policy_name in group_policies:
policy = self.wrap_aws_rate_limited_call(
iam.get_group_policy, group.group_name, policy_name)
policy = policy.policy_document
policy = urllib.unquote(policy)
try:
policydict = json.loads(policy)
except:
exc = InvalidAWSJSON(policy)
self.slurp_exception((self.index, account, 'universal',
group.group_name), exc,
exception_map)
item_config['grouppolicies'][policy_name] = dict(
policydict)
### GROUP USERS ###
group_users = self.get_all_group_users(iam,
group['group_name'])
for user in group_users:
item_config['users'][user.arn] = user.user_name
item = IAMGroupItem(account=account,
name=group.group_name,
config=item_config)
item_list.append(item)
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of SQS Policies.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
self.prep_for_slurp()
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
account_db = Account.query.filter(Account.name == account).first()
account_number = account_db.identifier
for region in regions():
app.logger.debug("Checking {}/{}/{}".format(
SQS.index, account, region.name))
try:
sqs = connect(account, 'sqs', region=region)
all_queues = self.wrap_aws_rate_limited_call(
sqs.get_all_queues)
except Exception as e:
if region.name not in TROUBLE_REGIONS:
exc = BotoConnectionIssue(str(e), 'sqs', account,
region.name)
self.slurp_exception(
(self.index, account, region.name),
exc,
exception_map,
source="{}-watcher".format(self.index))
continue
app.logger.debug("Found {} {}".format(len(all_queues),
SQS.i_am_plural))
for q in all_queues:
if self.check_ignore_list(q.name):
continue
try:
policy = self.wrap_aws_rate_limited_call(
q.get_attributes, attributes='Policy')
if 'Policy' in policy:
try:
arn = 'arn:aws:sqs:{region}:{account_number}:{name}'.format(
region=region.name,
account_number=account_number,
name=q.name)
json_str = policy['Policy']
policy = json.loads(json_str)
policy['arn'] = arn
item = SQSItem(region=region.name,
account=account,
name=q.name,
arn=arn,
config=policy)
item_list.append(item)
except:
self.slurp_exception(
(self.index, account, region, q.name),
InvalidAWSJSON(json_str),
exception_map,
source="{}-watcher".format(self.index))
except boto.exception.SQSError:
# A number of Queues are so ephemeral that they may be gone by the time
# the code reaches here. Just ignore them and move on.
pass
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of IAM Groups.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
try:
iam = connect(account, 'iam')
users_response = self.wrap_aws_rate_limited_call(
iam.get_all_users)
except Exception as e:
exc = BotoConnectionIssue(str(e), 'iamgroup', account, None)
self.slurp_exception((self.index, account, 'universal'), exc,
exception_map)
continue
for user in users_response.users:
### Check if this User is on the Ignore List ###
ignore_item = False
for ignore_item_name in IGNORE_PREFIX[self.index]:
if user.user_name.lower().startswith(
ignore_item_name.lower()):
ignore_item = True
break
if ignore_item:
continue
item_config = {
'user': {},
'userpolicies': {},
'accesskeys': {},
'mfadevices': {},
'signingcerts': {}
}
app.logger.debug("Slurping %s (%s) from %s" %
(self.i_am_singular, user.user_name, account))
item_config['user'] = dict(user)
### USER POLICIES ###
policy_names = self.wrap_aws_rate_limited_call(
iam.get_all_user_policies, user.user_name)
policy_names = policy_names.policy_names
for policy_name in policy_names:
policy_document = self.wrap_aws_rate_limited_call(
iam.get_user_policy, user.user_name, policy_name)
policy_document = policy_document.policy_document
policy = urllib.unquote(policy_document)
try:
policydict = json.loads(policy)
except:
exc = InvalidAWSJSON(policy)
self.slurp_exception(
(self.index, account, 'universal', user.user_name),
exc, exception_map)
item_config['userpolicies'][policy_name] = dict(policydict)
### ACCESS KEYS ###
access_keys = self.wrap_aws_rate_limited_call(
iam.get_all_access_keys, user_name=user.user_name)
access_keys = access_keys.access_key_metadata
for key in access_keys:
item_config['accesskeys'][key.access_key_id] = dict(key)
### Multi Factor Authentication Devices ###
mfas = self.wrap_aws_rate_limited_call(
iam.get_all_mfa_devices, user_name=user.user_name)
mfas = mfas.mfa_devices
for mfa in mfas:
item_config['mfadevices'][mfa.serial_number] = dict(mfa)
### LOGIN PROFILE ###
login_profile = 'undefined'
try:
login_profile = self.wrap_aws_rate_limited_call(
iam.get_login_profiles, user.user_name)
login_profile = login_profile.login_profile
item_config['loginprofile'] = dict(login_profile)
except:
pass
### SIGNING CERTIFICATES ###
certificates = self.wrap_aws_rate_limited_call(
iam.get_all_signing_certs, user_name=user.user_name)
certificates = certificates.certificates
for cert in certificates:
_cert = dict(cert)
del _cert['certificate_body']
item_config['signingcerts'][cert.certificate_id] = dict(
_cert)
item_list.append(
IAMUserItem(account=account,
name=user.user_name,
config=item_config))
return item_list, exception_map
def slurp(self):
"""
:returns: item_list - list of IAM Groups.
:returns: exception_map - A dict where the keys are a tuple containing the
location of the exception and the value is the actual exception
"""
item_list = []
exception_map = {}
from security_monkey.common.sts_connect import connect
for account in self.accounts:
try:
iam = connect(account, 'iam')
groups_response = self.wrap_aws_rate_limited_call(iam.get_all_groups)
except Exception as e:
exc = BotoConnectionIssue(str(e), 'iamgroup', account, None)
self.slurp_exception((self.index, account, 'universal'), exc, exception_map)
continue
for group in groups_response.groups:
app.logger.debug("Slurping %s (%s) from %s" % (self.i_am_singular, group.group_name, account))
### Check if this Group is on the Ignore List ###
ignore_item = False
for ignore_item_name in IGNORE_PREFIX[self.index]:
if group.group_name.lower().startswith(ignore_item_name.lower()):
ignore_item = True
break
if ignore_item:
continue
item_config = {
'group': {},
'grouppolicies': {},
'users': {}
}
item_config['group'] = dict(group)
### GROUP POLICIES ###
group_policies = self.wrap_aws_rate_limited_call(iam.get_all_group_policies, group.group_name)
group_policies = group_policies.policy_names
for policy_name in group_policies:
policy = self.wrap_aws_rate_limited_call(iam.get_group_policy, group.group_name, policy_name)
policy = policy.policy_document
policy = urllib.unquote(policy)
try:
policydict = json.loads(policy)
except:
exc = InvalidAWSJSON(policy)
self.slurp_exception((self.index, account, 'universal', group.group_name), exc, exception_map)
item_config['grouppolicies'][policy_name] = dict(policydict)
### GROUP USERS ###
group_users = self.wrap_aws_rate_limited_call(iam.get_group, group_name=group['group_name'])
group_users = group_users.users
for user in group_users:
item_config['users'][user.arn] = user.user_name
item = IAMGroupItem(account=account, name=group.group_name, config=item_config)
item_list.append(item)
return item_list, exception_map