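def _route_to_instance(route_tables, vpc_id, instance_id):
    """Return the first route in *vpc_id*'s route tables whose target is *instance_id*.

    Args:
        route_tables: list of route-table dicts as returned under ``RouteTables``.
        vpc_id: VpcId of the instance being audited.
        instance_id: InstanceId to look for in each route's ``InstanceId``.

    Returns:
        The matching route dict, or ``None`` when no route points at the instance
        (or when the route tables carry no ``VpcId``/``Routes`` keys).
    """
    for table in route_tables:
        # Missing VpcId is treated as "not this VPC" instead of raising KeyError.
        if table.get("VpcId") != vpc_id:
            continue
        for route in table.get("Routes", []):
            if route.get("InstanceId", "") == instance_id:
                return route
    return None


def audit_ec2(findings, region):
    """Audit the EC2 instances of one region and add any findings.

    Args:
        findings: collection exposing ``add``; receives one ``Finding`` per issue.
        region: region object; ``region.account`` is handed to ``query_aws`` and
            ``get_collection_date``.

    Findings raised:
        EC2_OLD: the instance was launched more than ``MAX_RESOURCE_AGE_DAYS``
            days before the account's collection date.
        EC2_CLASSIC: the instance's ``VpcId`` does not contain "vpc" (EC2-Classic).
        EC2_SOURCE_DEST_CHECK_OFF: ``SourceDestCheck`` is false. Such an instance
            may forward traffic not addressed to it, so the route (if any) that
            steers traffic through it is attached under ``"routes"`` for review.

    Terminated instances are skipped.
    """
    MAX_RESOURCE_AGE_DAYS = 365

    json_blob = query_aws(region.account, "ec2-describe-instances", region)
    route_table_json = query_aws(region.account, "ec2-describe-route-tables", region)
    route_tables = route_table_json.get("RouteTables", [])

    # The collection date is per account, so it is fetched at most once and only
    # if an instance actually needs it (preserving the original call pattern).
    collection_date = None

    for reservation in json_blob.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            if instance.get("State", {}).get("Name", "") == "terminated":
                # Ignore EC2's that are off
                continue

            instance_id = instance["InstanceId"]
            vpc_id = instance.get("VpcId", "")

            # Check for old instances
            launch_time = instance.get("LaunchTime", "")
            if launch_time != "":
                if collection_date is None:
                    collection_date = get_collection_date(region.account)
                # Everything after the first "." (presumably fractional seconds
                # in the timestamp) is dropped before handing it to days_between.
                age_in_days = days_between(launch_time.split(".")[0], collection_date)
                if age_in_days > MAX_RESOURCE_AGE_DAYS:
                    findings.add(
                        Finding(
                            region,
                            "EC2_OLD",
                            instance_id,
                            resource_details={
                                "Age in days": age_in_days,
                                "Name": get_name(instance, "InstanceId"),
                                "Tags": instance.get("Tags", {}),
                            },
                        )
                    )

            # Check for EC2 Classic
            if "vpc" not in vpc_id:
                findings.add(Finding(region, "EC2_CLASSIC", instance_id))

            if not instance.get("SourceDestCheck", True):
                findings.add(
                    Finding(
                        region,
                        "EC2_SOURCE_DEST_CHECK_OFF",
                        instance_id,
                        resource_details={
                            "routes": _route_to_instance(route_tables, vpc_id, instance_id),
                            "Name": get_name(instance, "InstanceId"),
                            "Tags": instance.get("Tags", {}),
                        },
                    )
                )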
def test_Account(self):
    """An Account built from a raw account blob exposes its id, name, arn and graph data."""
    raw = {"id": 111111111111, "name": "prod"}
    account = Account(None, raw)

    assert_equal(111111111111, account.local_id)
    assert_equal("prod", account.name)
    assert_equal("account", account.node_type)
    assert_equal("arn:aws:::111111111111:", account.arn)
    assert_false(account.isLeaf)
    assert_equal("prod", get_name(raw, "name"))
    assert_false(account.has_leaves)
    assert_equal([], account.leaves)

    expected_node = {
        "node_data": {"id": 111111111111, "name": "prod"},
        "local_id": 111111111111,
        "type": "account",
        "id": "arn:aws:::111111111111:",
        "name": "prod",
    }
    assert_equal({"data": expected_node}, account.cytoscape_data())
def test_Account(self):
    """Account attributes and cytoscape_data() match the raw blob it was built from."""
    blob = {"id": 111111111111, "name": "prod"}
    account = Account(None, blob)

    # Scalar attributes, checked in one pass.
    for expected, actual in (
        (111111111111, account.local_id),
        ("prod", account.name),
        ("account", account.node_type),
        ("arn:aws:::111111111111:", account.arn),
        ("prod", get_name(blob, "name")),
        ([], account.leaves),
    ):
        assert_equal(expected, actual)

    assert_false(account.isLeaf)
    assert_false(account.has_leaves)

    expected_graph = {
        "data": {
            "node_data": {"id": 111111111111, "name": "prod"},
            "local_id": 111111111111,
            "type": "account",
            "id": "arn:aws:::111111111111:",
            "name": "prod",
        }
    }
    assert_equal(expected_graph, account.cytoscape_data())