def get_redshift_clusters(account, region): """ Get all redshift clusters from all accounts. """ redshift_data = [] aws_accounts = AwsAccounts() accounts = aws_accounts.all() if not account: session = boto3.session.Session() for acc in accounts: alias = None assume = rolesession.assume_crossact_audit_role( session, acc['accountNum'], region) if assume: client = assume.client('redshift') redshift_list = mp_wrappers.describe_clusters(client)[ 'Clusters'] alias = acc.get('alias') for cluster in redshift_list: redshift_data.append( dict(Region=region, ClusterId=(cluster['ClusterIdentifier']), Username=(cluster['MasterUsername']), DBName=(cluster['DBName']), Endpoint=(cluster['Endpoint']), PubliclyAccessible=( cluster['PubliclyAccessible']), Encrypted=(cluster['Encrypted']), AccountNum=acc['accountNum'], AccountAlias=alias)) else: pass elif account.isdigit() and len(account) == 12: session = boto3.session.Session() assume = rolesession.assume_crossact_audit_role( session, account, region) alias = None if assume: client = assume.client('redshift') redshift_list = mp_wrappers.describe_clusters(client)['Clusters'] alias = account.get('alias') for cluster in redshift_list: redshift_data.append( dict(Region=region, ClusterId=(cluster['ClusterIdentifier']), Username=(cluster['MasterUsername']), DBName=(cluster['DBName']), Endpoint=(cluster['Endpoint']), PubliclyAccessible=(cluster['PubliclyAccessible']), Encrypted=(cluster['Encrypted']), AccountNum=account, AccountAlias=alias)) else: return dict(Error='Account not found'), 404 return dict(Clusters=redshift_data), 200
def get_security_groups(account, region='us-east-1'): sg_data = [] aws_accounts = AwsAccounts() accounts = aws_accounts.all() session = boto3.session.Session(region_name=region) if not account: for acc in accounts: if acc['accountNum']: assume = rolesession.assume_crossact_audit_role( session, acc['accountNum'], region) if assume: ec2 = assume.client('ec2') security_groups = ec2.describe_security_groups( )['SecurityGroups'] for group in security_groups: sg_name = None try: for tag in group['Tags']: if tag['Key'] == 'Name': sg_name = tag['Value'] except: sg_name = None sg_data.append( dict(Region=region, GroupName=sg_name, GroupId=(group['GroupId']), AccountNum=acc['accountNum'], AccountAlias=acc['alias'])) elif account.isdigit() and len(account) == 12: assume = rolesession.assume_crossact_audit_role( session, account, region) alias = aws_accounts.with_number(account)['alias'] if assume: ec2 = assume.client('ec2') security_groups = ec2.describe_security_groups()['SecurityGroups'] for group in security_groups: sg_name = None for tag in group['Tags']: if tag['Key'] == 'Name': sg_name = tag['Value'] sg_id = group['GroupId'] sg_data.append( dict(GroupName=sg_name, GroupId=sg_id, AccountNum=account, AccountAlias=alias)) else: return (dict(Message='Account not found'), 404) # print(sg_data) return dict(SecurityGroups=sg_data), 200
def get_dynamo_tables(account, region): """Provide an event that contains the following keys: -account: account to look in or all for all security groups -region: region to pull from """ dynamo_data = [] aws_accounts = AwsAccounts() if not account: accounts = aws_accounts.all() session = boto3.session.Session() for account in accounts: assume = rolesession.assume_crossact_audit_role( session, account['accountNum'], region) if assume: client = assume.client('dynamodb') dynamo_list = client.list_tables()['TableNames'] for table in dynamo_list: dynamo_data.append( dict(Region=region, TableName=table, AccountNum=account['accountNum'], AccountAlias=account['alias'])) else: pass elif account.isdigit() and len(account) == 12: account_number = account accounts_matching = aws_accounts.with_number(account_number) alias = accounts_matching['alias'] session = boto3.session.Session() assume = rolesession.assume_crossact_audit_role( session, account_number, region) if assume: account = aws_accounts.with_number(account_number) client = assume.client('dynamodb') dynamo_list = client.list_tables()['TableNames'] for table in dynamo_list: dynamo_data.append( dict(Region=region, TableName=table, AccountNum=account['accountNum'], AccountAlias=account['alias'])) else: print("[D] Assume: %s" % assume) return {"Error": "Unable to assume role"}, 500 else: return dict(Error='Account not found.'), 404 return dict(Tables=dynamo_data), 200
def get_users_for_account(account): session = boto3.session.Session() # create session for Thread Safety assume = rolesession.assume_crossact_audit_role(session, account['accountNum'], 'us-east-1') users_info = [] if assume: iam = assume.client('iam') users_info = iam.list_users().get('Users') if users_info is None: return dict(Account=dict(accountNum=account), Instance=dict(message='Error')) else: print("[X] Assume failed.") data = [] for user in users_info: if user.get('PasswordLastUsed'): password_set = True else: password_set = False data.append( dict(Username=user.get('UserName'), CreateDate=user['CreateDate'].isoformat(), PasswordSet=password_set, AccountNum=account['accountNum'], AccountAlias=account['alias'])) return data
def get_s3_buckets_for_account(account, region='us-east-1'): session = boto3.session.Session() # create session for Thread Safety assume = rolesession.assume_crossact_audit_role(session, account['accountNum'], region) s3_data = [] if assume: s3 = assume.client('s3') s3_info = s3.list_buckets()['Buckets'] for bucket in s3_info: s3_global = False try: s3_acls = s3.get_bucket_acl(Bucket=bucket)['Grants'] for acl in s3_acls: try: s3_global = s3_acl_is_global(acl) except: pass except Exception, e: print "[X] Exception: %s" % e pass s3_data.append( dict(BucketName=bucket['Name'], AccountNum=account['accountNum'], AccountAlias=account.get('alias'), GlobalAccess=s3_global))
def get_account_stats(account_rec): """ Get account statistics for dashboard. :param account_rec: AWS account """ session = boto3.session.Session() account = account_rec['accountNum'] assume = rolesession.assume_crossact_audit_role(session, account, 'us-east-1', ASSUME_ROLE) instance_count = 0 sg_count = 0 user_count = 0 elb_count = 0 if assume: ec2 = assume.client('ec2') instances = ec2.describe_instances()['Reservations'] for res in instances: instance_count += len(res['Instances']) sg_count += len(ec2.describe_security_groups()['SecurityGroups']) iam = assume.client('iam') user_count += len(iam.list_users()['Users']) elb = assume.client('elb') elb_count += len( elb.describe_load_balancers()['LoadBalancerDescriptions']) return dict(InstanceCount=instance_count, UserCount=user_count, SecurityGroupCount=sg_count, ELBCount=elb_count)
def get_instances_for_account(account,region): instance_data = [] session = boto3.session.Session(region_name=region) try: assume = rolesession.assume_crossact_audit_role( session, account['accountNum'], region) except Exception,e: assume = None print "Exception: %e" % e
def get_s3_bucket(account, bucket, region='us-east-1'): if account.isdigit() and len(account) == 12: account = account else: return dict(Error='Account Not Found.'), 404 obj_data = [] session = boto3.session.Session() assume = rolesession.assume_crossact_audit_role(session, account, region) if assume: s3 = assume.client('s3') s3_global = False try: s3_acls = s3.get_bucket_acl(Bucket=bucket)['Grants'] except Exception as e: return dict(Error=e), 500 for acl in s3_acls: try: if s3_acl_is_global(acl): s3_global = True except: pass try: s3_objects = s3.list_objects(Bucket=bucket)['Contents'] except Exception as e: #Exception is likely a key error when the bucket has no contents. #There may be a better way to handle it. s3_objects = [] if len(s3_objects) > 0: for obj in s3_objects: # definately a bug, # if we get no buckets, this still happens s3_obj = s3.head_object(Bucket=bucket, Key=obj['Key']) obj_key = obj['Key'] obj_last_modified = s3_obj['LastModified'].isoformat() obj_size = s3_obj['ContentLength'] obj_enc = s3_obj.get('ServerSideEncryption') obj_storage = s3_obj.get('StorageClass') obj_data.append( dict(Key=obj_key, ModifiedDate=obj_last_modified, Size=obj_size, Encryption=obj_enc, StorageType=obj_storage)) else: print("Bucket has no contents") result = dict(Bucket=dict(Name=bucket, GlobalAccess=s3_global, AccountNum=account), Objects=obj_data) else: result = dict(Bucket=dict(Error='Unable to assume account')) return result, 200
def get_security_group(account, group, region): """ Get security group details. :param account: AWS account :param group: security group id :param region: AWS region """ session = boto3.session.Session(region_name=region) assume = rolesession.assume_crossact_audit_role(session, account, region) if assume: ec2 = assume.client('ec2') try: sg_info = ec2.describe_security_groups( GroupIds=[group])['SecurityGroups'][0] except ClientError: print "Security group not found" return dict(Account=dict(accountNum=account), Instance=dict(message='Security group not found')) instance_data = get_instance_info(assume, account, sg_info['GroupId']) client = assume.client('elb') elb_data = [] for elb in client.describe_load_balancers( )['LoadBalancerDescriptions']: for sec_group in elb['SecurityGroups']: if sec_group == sg_info['GroupId']: elb_data.append( dict(Name=elb['LoadBalancerName'], AccountNum=account)) return dict(Account=dict(accountNum=account), SecurityGroup=dict(GroupName=sg_info['GroupName'], GroupId=sg_info['GroupId'], Description=sg_info['Description'], Tags=sg_info.get('Tags', None), InboundRules=format_inbound_rules( sg_info['IpPermissions']), OutboundRules=format_outbound_rules( sg_info['IpPermissionsEgress']), VpcId=sg_info['VpcId'], Region=region), Instances=instance_data, ELB=elb_data) else: print '{"message":"Account not assumable"}' return dict(Account=dict(accountNum=account), Message='Account not assumable')
def get_roles_for_account(account): session = boto3.session.Session() # create session for Thread Safety assume = rolesession.assume_crossact_audit_role(session, account['accountNum'], 'us-east-1') role_data = [] if assume: iam = assume.client('iam') for role in iam.list_roles().get('Roles'): role_data.append( dict(Name=(role['RoleName']), CreateDate=(role['CreateDate'].isoformat()), Id=(role['RoleId']), Arn=(role['Arn']), AssumePolicy=(role['AssumeRolePolicyDocument']), AccountNum=account['accountNum'], AccountAlias=account['alias'])) return role_data
def get_s3_bucket(account, bucket, region='us-east-1'): """ Get s3 bucket from specific account. :param account: AWS account :param bucket: S3 bucket :param region: AWS region """ if account.isdigit() and len(account) == 12: account = account else: return dict(Error='Account Not Found.'), 404 obj_data = [] session = boto3.session.Session() assume = rolesession.assume_crossact_audit_role(session, account, region) if assume: s3_client = assume.client('s3') s3_global = False try: s3_acls = s3_client.get_bucket_acl(Bucket=bucket)['Grants'] except ClientError as err: return dict(Error=err), 500 for acl in s3_acls: s3_global = s3_acl_is_global(acl) s3_objects = s3_client.list_objects(Bucket=bucket).get('Contents') if s3_objects: for obj in s3_objects: # definately a bug, # if we get no buckets, this still happens s3_obj = s3_client.head_object(Bucket=bucket, Key=obj['Key']) obj_data.append( dict(Key=obj['Key'], ModifiedDate=s3_obj['LastModified'].isoformat(), Size=s3_obj['ContentLength'], Encryption=s3_obj.get('ServerSideEncryption'), StorageType=s3_obj.get('StorageClass'))) else: print "Bucket has no contents" result = dict(Bucket=dict(Name=bucket, GlobalAccess=s3_global, AccountNum=account), Objects=obj_data) else: result = dict(Bucket=dict(Error='Unable to assume account')) return result, 200
def get_instances_for_account(account, region): """ Get instances for a specific account. :param account: AWS account """ instance_data = [] session = boto3.session.Session(region_name=region) assume = rolesession.assume_crossact_audit_role( session, account['accountNum'], region) if assume: age_lookup = ImageAgeLookup(assume) membership_lookup = LookupInstanceMembership(assume) ec2 = assume.client('ec2') instances = ec2.describe_instances().get('Reservations') if not instances: instances = [] for res in instances: for instance in res['Instances']: tags = {x['Key']: x['Value'] for x in instance.get('Tags', [])} # Extract tags as a dict if not tags: tags = dict() instance_prof = instance.get('IamInstanceProfile') if instance_prof: profile_name = instance_prof['Arn'].split('/')[-1] else: profile_name = None instance_data.append( dict(Name=tags.get('Name'), CreateDate=json.dumps( instance['LaunchTime'], cls=MyEncoder), Region=region, InstanceId=instance['InstanceId'], State=instance['State']['Name'], AccountNum=account['accountNum'], IamInstanceProfile=profile_name, ImageId=instance.get('ImageId'), Membership=membership_lookup.lookup( instance['InstanceId'], tags), Runtime=runtime(instance), ImageAge=age_lookup.lookup(instance.get('ImageId')), AccountAlias=account.get('alias'))) return instance_data
def get_instance_count_for_account(account): regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2'] data = [] instance_count = 0 session = boto3.session.Session() # create session for Thread Safety instance_info = [] for region in regions: try: assume = rolesession.assume_crossact_audit_role( session, account['accountNum'], region) except Exception, e: print "[X] ERROR: %s" % e assume = None if assume: print "Assumed into %s" % str(account) ec2 = assume.client('ec2') instances = ec2.describe_instances()['Reservations'] for res in instances: instance_count += len(res['Instances'])
def query_elbs_for_account(account, region, session): list = [] assume = rolesession.assume_crossact_audit_role(session, account['accountNum'], region) if assume: client = assume.client('elb') elbs = client.describe_load_balancers()['LoadBalancerDescriptions'] for elb in elbs: elb_name = elb['LoadBalancerName'] elb_dns = elb['DNSName'] list.append( dict(Region=region, ELBName=elb_name, DNSName=elb_dns, AccountNum=account['accountNum'], AccountAlias=account['alias'])) return list
def get_usercount_for_account(account): data = [] user_count = 0 session = boto3.session.Session() #user_info = [] try: assume = rolesession.assume_crossact_audit_role( session, account['accountNum'], 'us-east-1') except: assume = None if assume: iam = assume.client('iam') users_info = mp_wrappers.list_users(iam) user_count += len(users_info) data.append( dict(Account=account.get('accountNum'), Alias=(account.get('alias')), UserCount=user_count)) return data
def get_usercount_for_account(account): """ Get user count for specific AWS account. :param account: Get usercount for a specific account """ data = [] user_count = 0 session = boto3.session.Session() assume = rolesession.assume_crossact_audit_role(session, account['accountNum'], 'us-east-1') if assume: iam = assume.client('iam') users_info = mp_wrappers.list_users(iam) user_count += len(users_info) data.append( dict(Account=account.get('accountNum'), Alias=(account.get('alias')), UserCount=user_count)) return data
def get_s3_buckets_for_account(account, region='us-east-1'): """ Get S3 buckets for a specific account. :param account: AWS account :param region: AWS region """ session = boto3.session.Session() # create session for Thread Safety assume = rolesession.assume_crossact_audit_role(session, account['accountNum'], region) s3_data = [] if assume: s3_client = assume.client('s3') s3_info = s3_client.list_buckets().get('Buckets') if s3_info: for bucket in s3_info: s3_global = is_s3_bucket_global(assume, bucket) s3_data.append( dict(BucketName=bucket['Name'], AccountNum=account['accountNum'], AccountAlias=account.get('alias'), GlobalAccess=s3_global)) return s3_data
def get_elb(account, elb, region): """ Get elastic loadbalancer info. """ # aws_accounts = AwsAccounts() session = boto3.session.Session(region_name=region) assume = rolesession.assume_crossact_audit_role(session, account, region) client = assume.client('elb') try: elb_info = client.describe_load_balancers( LoadBalancerNames=[elb])['LoadBalancerDescriptions'][0] except ClientError: return dict(Account=dict(accountNum=account), LoadBalancer=dict(message='ELB not found')), 404 elb_dns = elb_info['DNSName'] elb_subnets = elb_info['Subnets'] elb_vpc = elb_info['VPCId'] elb_instances = elb_info['Instances'] elb_sg = elb_info['SecurityGroups'] gatewayid, nat_gatewayid = get_gateway_ids(assume, elb_subnets) if gatewayid: internet_facing = bool(gatewayid.startswith("igw-")) else: gatewayid = nat_gatewayid internet_facing = False return dict( Account=dict(AccountNum=account), LoadBalancer=dict( ELBName=elb, DNSName=elb_dns, Subnets=elb_subnets, VpcId=elb_vpc, InternetFacing=internet_facing, SecurityGroups=elb_sg, Region=region), Routes=dict(GatewayId=gatewayid), Instances=elb_instances)
def get_instance_count_for_account(account): """ Get EC2 instance count for a specific account. :param account: AWS account """ regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2'] data = [] instance_count = 0 session = boto3.session.Session() # create session for Thread Safety for region in regions: assume = rolesession.assume_crossact_audit_role( session, account['accountNum'], region) if assume: print "Assumed into %s" % str(account) ec2 = assume.client('ec2') instances = ec2.describe_instances()['Reservations'] for res in instances: instance_count += len(res['Instances']) data.append(dict( Account=account.get('accountNum'), Alias=account.get('alias'), InstanceCount=instance_count)) return data
def query_for_account(account_rec, region): """ Performs the public ip query for the given account :param account: Account number to query :param session: Initial session :param region: Region to query :param ip_data: Initial list. Appended to and returned :return: update ip_data list """ ip_data = [] session = boto3.session.Session(region_name=region) assume = rolesession.assume_crossact_audit_role(session, account_rec['accountNum'], region) if assume: for ip_addr in assume.client('ec2').describe_addresses()['Addresses']: ip_data.append( dict( PublicIP=(ip_addr.get('PublicIp')), InstanceId=(ip_addr.get('InstanceId')), # Prevents a crash PrivateIP=(ip_addr.get('PrivateIpAddress')), NetworkInterface=(ip_addr.get('NetworkInterfaceId')), AccountNum=account_rec['accountNum'], AccountAlias=(account_rec['alias']))) for instance in assume.resource('ec2').instances.filter(): if instance.public_ip_address: ip_data.append( dict(InstanceId=(instance.instance_id), PublicIP=(instance.public_ip_address), PrivateIP=(instance.private_ip_address), AccountNum=account_rec['accountNum'], AccountAlias=(account_rec['alias']))) else: pass return ip_data
def get_instance(account, instance, region='us-east-1'): """ Get specific instance information. :param account: AWS account :param instance: AWS EC2 instance id :param region: AWS region """ if account: session = boto3.session.Session(region_name=region) assume = rolesession.assume_crossact_audit_role( session, account, region) ec2 = assume.client('ec2') instance_info = get_instance_info(assume, instance) if not instance_info: return dict(Account=dict(accountNum=account), Instance=dict(message='Instance not found')), 404 public_ip = instance_info.get('PublicIpAddress') subnet_id = instance_info.get('SubnetId') route_tags = None try: # todo: The following line bombs if their are no # explicit route tables.. Seems like a bug describe_route_table_filter = [] if subnet_id: describe_route_table_filter.append( dict(Name='association.subnet-id', Values=[subnet_id])) ec2_describe_route_tables = ec2.describe_route_tables( Filters=describe_route_table_filter) route_info = ec2_describe_route_tables['RouteTables'][0] route_tags = route_info['Tags'] routes = route_info['Routes'] gateway_id = get_gateway_id(routes) except (ClientError, IndexError) as err: print "[X] No explicit route table found: %s" % err gateway_id = None data_vpcid = instance_info.get('VpcId') route_filter = [dict(Name='association.main', Values=['true'])] if data_vpcid: route_filter.append(dict(Name='vpc-id', Values=[data_vpcid])) route_table_description = ec2.describe_route_tables( Filters=route_filter) if route_table_description.get('RouteTables'): route_info = route_table_description['RouteTables'][0] route_tags = route_info['Tags'] routes = route_info['Routes'] gateway_id = get_gateway_id(routes) internet_facing = bool(gateway_id.startswith("igw-")) instance_elb = get_elb_associations(assume, instance) try: image_name = ec2.describe_images( ImageIds=[instance_info['ImageId']])['Images'][0]['Name'] except (ClientError, IndexError): image_name = None try: net_acl = ec2.describe_network_acls(Filters=[ dict(Name='association.subnet-id', Values=[subnet_id]) ])['NetworkAcls'][0]['NetworkAclId'] except ClientError: net_acl = None return dict(Account=dict(accountNum=account), Instance=dict( InstanceId=instance, ImageId=instance_info.get('ImageId'), ImageName=image_name, PublicDnsName=instance_info.get('PublicDnsName'), PublicIpAddress=public_ip, InternetFacing=internet_facing, ElasticLoadBalancer=instance_elb, PrivateIpAddress=instance_info.get('PrivateIpAddress'), InstanceType=instance_info['InstanceType'], SubnetId=subnet_id, SecurityGroups=instance_info.get('SecurityGroups'), Tags=(instance_info.get('Tags')), NetworkACL=net_acl, CreateDate=json.dumps(instance_info['LaunchTime'], cls=MyEncoder), Region=region), Routes=dict(GatewayId=gateway_id, Tags=route_tags)) else: print '{"message":"Account not found"}' return dict(Message='Account not found'), 404
def get_user(account, user): aws_accounts = AwsAccounts() if not(account.isdigit() and len(account) == 12): alias = account account = aws_accounts.with_alias(alias) if account: print("Account "+str(account)) policies = [] session = boto3.session.Session() assume = rolesession.assume_crossact_audit_role( session, account, 'us-east-1') iam = assume.client('iam') try: try: #user_info = iam.list_user_policies(UserName=user)[ # 'PolicyNames'] user_info = mp_wrappers.list_user_policies(iam, user)['PolicyNames'] except Exception as e: print(e) final = dict(Account=dict(accountNum=account), User=dict(Username=user), Message='User not found'), 404 return final for pol_name in user_info: policy = iam.get_user_policy(UserName=user, PolicyName=pol_name) policies.append(policy['PolicyDocument']) print(policies) #user_info = iam.list_attached_user_policies(UserName=user)[ # 'AttachedPolicies'] user_info = mp_wrappers.list_attached_user_policies(iam, user)['AttachedPolicies'] for pol_name in user_info: policies.append({"ManagedPolicy": pol_name['PolicyName']}) #create_date = iam.get_user(UserName=user)['User'][ # 'CreateDate'].isoformat() create_date = mp_wrappers.get_user(iam, user)['User']['CreateDate'].isoformat() try: if user['PasswordLastUsed']: password_set = True else: password_set = False except: password_set = False access_keys = [] access_key_info = iam.list_access_keys(UserName=user)[ 'AccessKeyMetadata'] for access_key in access_key_info: last_used = iam.get_access_key_last_used( AccessKeyId=access_key['AccessKeyId'])[ 'AccessKeyLastUsed'] try: last_used_date = last_used['LastUsedDate'].isoformat() except: last_used_date = None last_used_service = last_used['ServiceName'] last_used_region = last_used['Region'] access_keys.append(dict( KeyId=access_key['AccessKeyId'], Status=access_key['Status'], CreateDate=access_key['CreateDate'].isoformat(), LastUsed=last_used_date, LastService=last_used_service, LastRegion=last_used_region)) except Exception as e: print("Exception: %s" % e) final = dict(Account=dict(accountNum=account), Exception=dict(message=e)) return final final = dict(Account=dict(accountNum=account), User=dict( Username=user, CreateDate=create_date, PasswordSet=password_set, Policies=policies), AccessKeys=access_keys) return final else: # print('{"message":"Account not found"}') return [dict(Message='Account not found'), ]
def get_security_group(account, group, region): if account.isdigit() and len(account) == 12: account = account mode = 'account' else: alias = account mode = 'alias' aws_accounts = AwsAccounts() #This should have error handling for cases when the #alias/account does not exist. if mode == 'alias': account = aws_accounts.by_alias(alias)['accountNum'] elif mode == 'account': print("Account mode") else: print('Error: Invalid option') raise Exception('Error: Invalid option') if account: session = boto3.session.Session(region_name=region) assume = rolesession.assume_crossact_audit_role( session, account, region) ec2 = assume.client('ec2') try: sg_info = ec2.describe_security_groups( GroupIds=[group])['SecurityGroups'][0] except Exception as e: print("Security group not found") return dict(Account=dict(accountNum=account), Instance=dict(message='Security group not found')) print(sg_info) group_name = sg_info['GroupName'] group_id = sg_info['GroupId'] group_desc = sg_info['Description'] group_tags = sg_info.get('Tags', None) group_ingress = format_inbound_rules(sg_info['IpPermissions']) group_egress = format_outbound_rules(sg_info['IpPermissionsEgress']) group_vpc = sg_info['VpcId'] instance_data = [] instance_info = ec2.describe_instances( Filters=[dict(Name='instance.group-id', Values=[group_id])]) instances = instance_info['Reservations'] for res in instances: instance_name = None for instance in res['Instances']: for tag in instance['Tags']: if tag['Key'] == 'Name': instance_name = tag.get('Value', None) break instance_data.append( dict(Name=instance_name, InstanceId=instance['InstanceId'], AccountNum=account)) client = assume.client('elb') elb_data = [] elb_info = client.describe_load_balancers()['LoadBalancerDescriptions'] for elb in elb_info: for sg in elb['SecurityGroups']: if sg == group_id: elb_data.append( dict(Name=elb['LoadBalancerName'], AccountNum=account)) return dict(Account=dict(accountNum=account), SecurityGroup=dict(GroupName=group_name, GroupId=group_id, Description=group_desc, Tags=group_tags, InboundRules=group_ingress, OutboundRules=group_egress, VpcId=group_vpc, Region=region), Instances=instance_data, ELB=elb_data) else: print('{"message":"Account not found"}') return [ dict(Message='Account not found'), ]
def get_user(account, user): """ Grab metadata about a particular AWS user in an AWS account. :param account: AWS account :param user: AWS user to get """ aws_accounts = AwsAccounts() if not (account.isdigit() and len(account) == 12): account = aws_accounts.with_alias(account) if account: print "Account " + str(account) policies = [] # Create an assumed session and IAM client in single call session = boto3.session.Session() iam = rolesession.assume_crossact_audit_role(session, account, 'us-east-1').client('iam') try: if not user_exists(iam, user): final_data = dict(Account=dict(accountNum=account), User=dict(Username=user), Message='User not found') return final_data user_info = mp_wrappers.list_attached_user_policies( iam, user)['AttachedPolicies'] for pol_name in user_info: policies.append({"ManagedPolicy": pol_name['PolicyName']}) access_keys = [] access_key_info = iam.list_access_keys( UserName=user)['AccessKeyMetadata'] for access_key in access_key_info: last_used = iam.get_access_key_last_used( AccessKeyId=access_key['AccessKeyId'])['AccessKeyLastUsed'] try: last_used_date = last_used['LastUsedDate'].isoformat() except AttributeError: last_used_date = None access_keys.append( dict(KeyId=access_key['AccessKeyId'], Status=access_key['Status'], CreateDate=access_key['CreateDate'].isoformat(), LastUsed=last_used_date, LastService=last_used['ServiceName'], LastRegion=last_used['Region'])) except AttributeError as err: print "Exception: %s" % err final_data = dict(Account=dict(accountNum=account), Exception=dict(message=str(err))) return final_data final_data = dict( Account=dict(accountNum=account), User=dict(Username=user, CreateDate=user_create_date(iam, user), PasswordSet=bool( mp_wrappers.get_user( iam, user)['User'].get('PasswordLastUsed')), Policies=policies), AccessKeys=access_keys) return final_data else: # print('{"message":"Account not found"}') return [ dict(Message='Account not found'), ]
def get_elb(account, elb, region): aws_accounts = AwsAccounts() if account.isdigit() and len(account) == 12: account = account else: alias = account account = aws_accounts.with_alias(alias)['accountNum'] if not (account.isdigit() and len(account) == 12): return dict(Error='Account not found'), 404 session = boto3.session.Session(region_name=region) assume = rolesession.assume_crossact_audit_role(session, account, region) client = assume.client('elb') try: elb_info = client.describe_load_balancers( LoadBalancerNames=[elb])['LoadBalancerDescriptions'][0] except: return dict(Account=dict(accountNum=account), LoadBalancer=dict(message='ELB not found')), 404 elb_dns = elb_info['DNSName'] # elb_listeners = elb_info['ListenerDescriptions'] elb_subnets = elb_info['Subnets'] elb_vpc = elb_info['VPCId'] elb_instances = elb_info['Instances'] elb_sg = elb_info['SecurityGroups'] ec2 = assume.client('ec2') try: route_info = ec2.describe_route_tables( Filters=[dict(Name='association.subnet-id', Values=elb_subnets) ])['RouteTables'] gatewayid = None nat_gatewayid = None print(route_info) for route_table in route_info: routes = route_table['Routes'] for route in routes: try: if route['DestinationCidrBlock'] == '0.0.0.0/0': try: gatewayid = route['GatewayId'] except: nat_gatewayid = route['NatGatewayId'] except Exception: pass except Exception as e: print(e) gatewayid = None nat_gatewayid = None route_info = ec2.describe_route_tables()['RouteTables'][0] # todo: This follow code is definitely wrong - check route_table for route_table in route_info: routes = route_info['Routes'] for route in routes: try: if route['DestinationCidrBlock'] == '0.0.0.0/0': try: gatewayid = route['GatewayId'] except: nat_gatewayid = route['NatGatewayId'] except Exception as e: pass if gatewayid: if gatewayid.startswith("igw-"): internet_facing = True else: internet_facing = False else: gatewayid = nat_gatewayid internet_facing = False return dict(Account=dict(AccountNum=account), LoadBalancer=dict(ELBName=elb, DNSName=elb_dns, Subnets=elb_subnets, VpcId=elb_vpc, InternetFacing=internet_facing, SecurityGroups=elb_sg, Region=region), Routes=dict(GatewayId=gatewayid), Instances=elb_instances)
def get_instance(account, instance, region='us-east-1'): mode = 'account' if not (account.isdigit() and len(account) == 12): alias = account mode = 'alias' aws_accounts = AwsAccounts() if mode == 'alias': account_item = aws_accounts.with_alias(alias) elif mode == 'account': print("Account mode") account_item = aws_accounts.with_number(account) else: print("Error: Invalid option") raise Exception("Error: Invalid option") if account_item: session = boto3.session.Session(region_name=region) assume = rolesession.assume_crossact_audit_role( session, account_item['accountNum'], region) ec2 = assume.client('ec2') try: instance_description = ec2.describe_instances( InstanceIds=[instance]) instance_info = \ instance_description['Reservations'][0]['Instances'][0] except: print("Instance not found") return dict( Account=dict(accountNum=account_item['accountNum']), Instance=dict(message='Instance not found')), 404 public_ip = instance_info.get('PublicIpAddress') subnet_id = instance_info.get('SubnetId') route_tags = None try: # todo: The following line bombs if their are no # explicit route tables.. Seems like a bug describe_route_table_filter = [] if subnet_id: describe_route_table_filter.append( dict(Name='association.subnet-id', Values=[subnet_id])) ec2_describe_route_tables = ec2.describe_route_tables( Filters=describe_route_table_filter) route_info = ec2_describe_route_tables['RouteTables'][0] route_tags = route_info['Tags'] routes = route_info['Routes'] gateway_id = get_geteway_id(routes) except Exception as e: print("[X] No explicit route table found: %s" % e) gateway_id = None data_vpcid = instance_info.get('VpcId') route_filter = [dict(Name='association.main', Values=['true'])] if (data_vpcid): route_filter.append(dict(Name='vpc-id', Values=[data_vpcid])) route_table_description = ec2.describe_route_tables( Filters=route_filter) if len(route_table_description['RouteTables']) > 0: route_info = route_table_description['RouteTables'][0] route_tags = route_info['Tags'] routes = route_info['Routes'] try: gateway_id = get_geteway_id(routes) except: gateway_id = "" if gateway_id.startswith("igw-"): internet_facing = True else: internet_facing = False elb = assume.client('elb') load_balancers = elb.describe_load_balancers()[ 'LoadBalancerDescriptions'] instance_elb = [] for balancer in load_balancers: for elb_instance in balancer['Instances']: if elb_instance['InstanceId'] == instance: instance_elb.append(balancer['LoadBalancerName']) try: image_name = ec2.describe_images( ImageIds=[instance_info['ImageId']])['Images'][0]['Name'] except: image_name = None try: net_acl = ec2.describe_network_acls(Filters=[ dict(Name='association.subnet-id', Values=[subnet_id])])['NetworkAcls'][0]['NetworkAclId'] except: net_acl = None return dict( Account=dict(accountNum=account_item['accountNum']), Instance=dict( InstanceId=instance, ImageId=instance_info.get('ImageId'), ImageName=image_name, PublicDnsName=instance_info.get('PublicDnsName'), PublicIpAddress=public_ip, InternetFacing=internet_facing, ElasticLoadBalancer=instance_elb, PrivateIpAddress=instance_info.get('PrivateIpAddress'), InstanceType=instance_info['InstanceType'], SubnetId=subnet_id, SecurityGroups=instance_info.get('SecurityGroups'), Tags=(instance_info.get('Tags')), NetworkACL=net_acl, CreateDate=json.dumps(instance_info['LaunchTime'], cls=MyEncoder), Region=region), Routes=dict( GatewayId=gateway_id, Tags=route_tags)) else: print('{"message":"Account not found"}') return dict(Message='Account not found'), 404