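def list_bucket_acls(s3, account, output_bucket):
    """Append one output line per ACL grant on every bucket of the account.

    Continues from a multithreaded call.  A grant is identified either by a
    canonical user (DisplayName, falling back to the canonical ID when the
    API returns no display name) or by a predefined group URI; the
    AllUsers / AuthenticatedUsers group URIs are the ones that indicate
    public access.  NOTE(review): this is an ACL-only view -- bucket
    policies and Block Public Access settings are not consulted here.

    Args:
        s3 (object): s3 client object
        account (dict): aws accounts
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket. A bucket whose ACL cannot
        be read (AccessDenied, bucket in another region, ...) is reported on
        stderr instead of silently disappearing from the audit.
    """
    import sys

    s3_bucket_list = s3.list_buckets().get('Buckets') or []

    for s3_obj in s3_bucket_list:
        bucket_name = s3_obj.get('Name')
        try:
            grants = s3.get_bucket_acl(Bucket=bucket_name).get('Grants') or []
        except Exception as e:
            # Best-effort audit: keep going, but an unreadable ACL is not
            # evidence of a clean one, so make the gap visible.
            err = (getattr(e, 'response', None) or {}).get(
                'Error', {}).get('Code', type(e).__name__)
            sys.stderr.write('list_bucket_acls: %s/%s: %s\n' % (
                account.get('name'), bucket_name, err))
            continue

        for grant in grants:
            grantee = grant.get('Grantee') or {}
            permission = grant.get('Permission')
            # canonical user first (as before), then group URI; a grant that
            # carries both yields two lines, matching the original output
            user_source = grantee.get('DisplayName') or grantee.get('ID')
            for source in (user_source, grantee.get('URI')):
                if source:
                    output_bucket.append(misc.format_line((
                        misc.check_if(account.get('name')),
                        misc.check_if(bucket_name),
                        misc.check_if(source),
                        misc.check_if(permission)
                    )))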
def list_potential_exposed_files_header():
    """Print the column header for the potentially-exposed-files report.

    NOTE(review): unlike the other *_header() helpers in this file, this one
    prints the line instead of returning it -- callers get None back.
    """
    columns = ("Account", "Permission", "Grantee", "Url")
    print(misc.format_line(columns))
def inventory_user_policies_header(encode):
    """Return the column header for the inline user-policy report.

    Args:
        encode (str): 'on' base64-encodes every column so the header matches
            the encoded data rows; any other value leaves plain text
    Returns:
        str: formatted header line
    """
    columns = ("Account", "UserName", "PolicyName", "Policy")
    if encode == 'on':
        columns = tuple(base64.b64encode(col) for col in columns)
    return misc.format_line(columns)
def list_bucket_policies_header(encode):
    """Return the column header for the bucket-policy report.

    Args:
        encode (str): 'on' base64-encodes every column so the header matches
            the encoded data rows; any other value leaves plain text
    Returns:
        str: formatted header line
    """
    columns = ("Account", "BucketName", "PolicyType", "Policy")
    if encode == 'on':
        columns = tuple(base64.b64encode(col) for col in columns)
    return misc.format_line(columns)
def inventory_managed_policies_header(encode):
    """Return the column header for the managed-policy report.

    Args:
        encode (str): 'on' base64-encodes every column so the header matches
            the encoded data rows; any other value leaves plain text
    Returns:
        str: formatted header line
    """
    columns = ("Account", "AttachLevel", "ObjectName", "PolicyName", "Policy")
    if encode == 'on':
        columns = tuple(base64.b64encode(col) for col in columns)
    return misc.format_line(columns)
def filter_log_events_header(encode):
    """Return the column header for the CloudTrail event-filter report.

    Args:
        encode (str): 'on' base64-encodes every column so the header matches
            the encoded data rows; any other value leaves plain text
    Returns:
        str: formatted header line
    """
    columns = ("Account", "Region", "eventName", "eventTime", "arn",
               "sourceAddress", "requestParameters", "responseElements")
    if encode == 'on':
        columns = tuple(base64.b64encode(col) for col in columns)
    return misc.format_line(columns)
def inventory_user_policies_header(encode):
    """Return the column header for the inline user-policy report.

    Args:
        encode (str): 'on' base64-encodes every column so the header matches
            the encoded data rows; any other value leaves plain text
    Returns:
        str: formatted header line
    """
    columns = ("Account", "UserName", "PolicyName", "Policy")
    if encode == 'on':
        columns = tuple(base64.b64encode(col) for col in columns)
    return misc.format_line(columns)
def list_bucket_policies_header(encode):
    """Return the column header for the bucket-policy report.

    Args:
        encode (str): 'on' base64-encodes every column so the header matches
            the encoded data rows; any other value leaves plain text
    Returns:
        str: formatted header line
    """
    columns = ("Account", "BucketName", "PolicyType", "Policy")
    if encode == 'on':
        columns = tuple(base64.b64encode(col) for col in columns)
    return misc.format_line(columns)
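def describe_snapshots(ec2, account, region, output_bucket):
    """Append one output line per EBS snapshot owned by the account in the region.

    Continues from a multithreaded describe_snapshots() call.  The Encrypted
    column is the security-relevant one; NOTE(review): whether a snapshot is
    shared or public (createVolumePermission) is not checked here.

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts (role_arn is parsed for the account id)
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    # ARN layout is arn:partition:service:region:account-id:resource,
    # so field 4 of the role ARN is the account id used as snapshot owner.
    owner_id = str(re.split(':', account.get('role_arn'))[4])

    # only snapshots owned by this account, not every snapshot visible to it
    snap_list = ec2.describe_snapshots(OwnerIds=[owner_id]).get('Snapshots') or []

    for snap_obj in snap_list:
        # Description is free text and may be missing; strip commas so it
        # cannot split the comma-separated output line.  NOTE(review): it is
        # user-controlled -- treat it as untrusted if the report is opened in
        # a spreadsheet (formula injection) or embedded in HTML.
        description = re.sub('[,]', '', snap_obj.get('Description') or '')
        start_time = snap_obj.get('StartTime')
        output_bucket.append(misc.format_line((
            misc.check_if(account.get('name')),
            misc.check_if(region.get('RegionName')),
            misc.check_if(str(snap_obj.get('SnapshotId'))),
            misc.check_if(str(misc.date_to_days(start_time))),
            misc.check_if(str(start_time.strftime('%Y_%m_%d'))),
            misc.check_if(str(snap_obj.get('VolumeSize'))),
            misc.check_if(str(snap_obj.get('Encrypted'))),
            misc.check_if(str(description)),
        )))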
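def describe_rds_instances(rds, account, region, output_bucket):
    """Append one output line per RDS instance in the region.

    Continues from a multithreaded call.  PubliclyAccessible plus the
    resolved endpoint address are the exposure-relevant columns.

    Args:
        rds (object): rds client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    # DescribeDBInstances returns at most 100 records per call; follow the
    # Marker so instances beyond the first page are not missing from the audit.
    rds_list = []
    resp = rds.describe_db_instances()
    rds_list.extend(resp.get('DBInstances') or [])
    while resp.get('Marker'):
        resp = rds.describe_db_instances(Marker=resp['Marker'])
        rds_list.extend(resp.get('DBInstances') or [])

    for rds_obj in rds_list:
        # DBSubnetGroup is absent for instances outside a VPC, and Endpoint
        # is absent while an instance is still being created -- neither
        # should abort the whole region.
        subnet_group = rds_obj.get('DBSubnetGroup') or {}
        endpoint = rds_obj.get('Endpoint') or {}
        address = endpoint.get('Address')
        output_bucket.append(misc.format_line((
            misc.check_if(account.get('name')),
            misc.check_if(region.get('RegionName')),
            misc.check_if(subnet_group.get('VpcId')),
            misc.check_if(rds_obj.get('DBInstanceIdentifier')),
            misc.check_if(rds_obj.get('DBInstanceClass')),
            misc.check_if(str(rds_obj.get('PubliclyAccessible'))),
            misc.check_if(address),
            # only resolve a real hostname
            misc.lookup(address) if address else misc.check_if(address),
            misc.check_if(str(endpoint.get('Port')))
        )))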
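def describe_rds_instances(rds, account, region, output_bucket):
    """Append one output line per RDS instance in the region.

    Continues from a multithreaded call.  PubliclyAccessible plus the
    resolved endpoint address are the exposure-relevant columns.

    Args:
        rds (object): rds client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    # DescribeDBInstances returns at most 100 records per call; follow the
    # Marker so instances beyond the first page are not missing from the audit.
    rds_list = []
    resp = rds.describe_db_instances()
    rds_list.extend(resp.get('DBInstances') or [])
    while resp.get('Marker'):
        resp = rds.describe_db_instances(Marker=resp['Marker'])
        rds_list.extend(resp.get('DBInstances') or [])

    for rds_obj in rds_list:
        # DBSubnetGroup is absent for instances outside a VPC, and Endpoint
        # is absent while an instance is still being created -- neither
        # should abort the whole region.
        subnet_group = rds_obj.get('DBSubnetGroup') or {}
        endpoint = rds_obj.get('Endpoint') or {}
        address = endpoint.get('Address')
        output_bucket.append(
            misc.format_line(
                (misc.check_if(account.get('name')),
                 misc.check_if(region.get('RegionName')),
                 misc.check_if(subnet_group.get('VpcId')),
                 misc.check_if(rds_obj.get('DBInstanceIdentifier')),
                 misc.check_if(rds_obj.get('DBInstanceClass')),
                 misc.check_if(str(rds_obj.get('PubliclyAccessible'))),
                 misc.check_if(address),
                 # only resolve a real hostname
                 misc.lookup(address) if address else misc.check_if(address),
                 misc.check_if(str(endpoint.get('Port'))))))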
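def describe_elb_instances(elb, account, region, output_bucket):
    """Append one output line per listener of every classic ELB in the region.

    Continues from a multithreaded call.  Scheme (internet-facing vs
    internal), the resolved address and the listener ports/protocols are the
    exposure-relevant columns.

    Args:
        elb (object): elb client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    # DescribeLoadBalancers is paged (NextMarker); follow it so balancers
    # beyond the first page are not missing from the audit.
    elb_list = []
    resp = elb.describe_load_balancers()
    elb_list.extend(resp.get('LoadBalancerDescriptions') or [])
    while resp.get('NextMarker'):
        resp = elb.describe_load_balancers(Marker=resp['NextMarker'])
        elb_list.extend(resp.get('LoadBalancerDescriptions') or [])

    for elb_obj in elb_list:
        # resolve the balancer's FQDN once per balancer, not once per listener
        elb_ip = misc.lookup(elb_obj.get('DNSName'))
        # ids of the ec2 instances registered behind this balancer
        ec2id = get_ec2s(elb_obj.get('Instances'))

        for elb_listener in elb_obj.get('ListenerDescriptions') or []:
            listener = elb_listener.get('Listener') or {}
            output_bucket.append(misc.format_line((
                misc.check_if(account.get('name')),
                misc.check_if(region.get('RegionName')),
                misc.check_if(elb_obj.get('VPCId')),
                misc.check_if(elb_obj.get('LoadBalancerName')),
                misc.check_if(elb_obj.get('Scheme')),
                misc.check_if(elb_ip),
                misc.check_if(elb_obj.get('DNSName')),
                misc.check_if(str(listener.get('LoadBalancerPort'))),
                misc.check_if(listener.get('Protocol')),
                misc.check_if(ec2id),
                misc.check_if(str(listener.get('InstancePort'))),
                misc.check_if(listener.get('InstanceProtocol'))
                )))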
def describe_vpc_peering(ec2, account, region, output_bucket):
    """Append one output line per VPC peering connection visible in the region.

    Continues from a multithreaded call.  Peerings are a trust boundary:
    the accepter/requester owner and CIDR columns show which account and
    address space is reachable over each one.

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    connections = ec2.describe_vpc_peering_connections().get("VpcPeeringConnections")
    for peer in connections:
        requester = peer.get("RequesterVpcInfo")
        accepter = peer.get("AccepterVpcInfo")
        # Only the tail of each 12-digit owner id is written, so the report
        # does not carry full account numbers.
        requester_owner = "..." + str(requester.get("OwnerId")[6:])
        accepter_owner = "..." + str(accepter.get("OwnerId")[6:])
        fields = (
            misc.check_if(account.get("name")),
            misc.check_if(region.get("RegionName")),
            misc.check_if(check_tag(peer, str("Name"))),
            misc.check_if(requester_owner),
            misc.check_if(requester.get("VpcId")),
            misc.check_if(requester.get("CidrBlock")),
            misc.check_if(accepter_owner),
            misc.check_if(accepter.get("VpcId")),
            misc.check_if(accepter.get("CidrBlock")),
            misc.check_if(peer.get("Status").get("Message")),
            misc.check_if(peer.get("VpcPeeringConnectionId")),
        )
        output_bucket.append(misc.format_line(fields))
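def list_buckets(s3, account, output_bucket):
    """Append one output line per bucket, flagging static-website hosting.

    Continues from a multithreaded call.  The WebAccess column is 'true'
    when the bucket has a website configuration, 'false' when the API says
    it has none (NoSuchWebsiteConfiguration) and 'unknown' when the check
    itself failed (AccessDenied, PermanentRedirect for a bucket in another
    region, throttling ...).  Reporting a failed check as 'false' would hide
    a possibly exposed bucket, so failures are also written to stderr.

    Args:
        s3 (object): s3 client object
        account (dict): aws accounts
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    import sys

    s3_bucket_list = s3.list_buckets().get('Buckets') or []

    for s3_obj in s3_bucket_list:
        bucket_name = s3_obj.get('Name')
        try:
            # the call succeeds only when a website configuration exists
            s3.get_bucket_website(Bucket=bucket_name)
            site_enabled = 'true'
        except Exception as e:
            err = (getattr(e, 'response', None) or {}).get(
                'Error', {}).get('Code', type(e).__name__)
            if err == 'NoSuchWebsiteConfiguration':
                site_enabled = 'false'
            else:
                site_enabled = 'unknown'
                sys.stderr.write('list_buckets: %s/%s: %s\n' % (
                    account.get('name'), bucket_name, err))

        # NOTE(review): virtual-hosted URL; bucket names containing dots do
        # not match the wildcard TLS certificate on this hostname.
        url = 'https://{0}.s3.amazonaws.com'.format(str(bucket_name))

        output_bucket.append(
            misc.format_line((
                misc.check_if(account.get('name')),
                misc.check_if(site_enabled),
                misc.check_if(bucket_name),
                misc.check_if(url),
            )))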
def describe_route_tables(ec2, account, region, output_bucket):
    """Append one output line per route entry of every route table in the region.

    Continues from a multithreaded call.

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    for table in ec2.describe_route_tables().get('RouteTables'):
        # subnet association summary is computed once per table, not per route
        assocs = rtable_q_assocs(table)
        table_fields = (
            misc.check_if(account.get('name')),
            misc.check_if(region.get('RegionName')),
            misc.check_if(table.get('VpcId')),
            misc.check_if(assocs),
            misc.check_if(table.get('RouteTableId')),
            misc.check_if(check_tag(table, str('Name'))),
        )
        for route in table.get('Routes'):
            route_fields = (
                misc.check_if(rtable_q_dest(route)),
                misc.check_if(rtable_q_target(route)),
                misc.check_if(route.get('State')),
                misc.check_if(rtable_q_propagate(route)),
            )
            output_bucket.append(misc.format_line(table_fields + route_fields))
def describe_vpc_peering(ec2, account, region, output_bucket):
    """Append one output line per VPC peering connection visible in the region.

    Continues from a multithreaded call.  Peerings are a trust boundary:
    the accepter/requester owner and CIDR columns show which account and
    address space is reachable over each one.

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    connections = ec2.describe_vpc_peering_connections().get(
        'VpcPeeringConnections')
    for peer in connections:
        requester = peer.get('RequesterVpcInfo')
        accepter = peer.get('AccepterVpcInfo')
        # Only the tail of each 12-digit owner id is written, so the report
        # does not carry full account numbers.
        requester_owner = '...' + str(requester.get('OwnerId')[6:])
        accepter_owner = '...' + str(accepter.get('OwnerId')[6:])
        fields = (
            misc.check_if(account.get('name')),
            misc.check_if(region.get('RegionName')),
            misc.check_if(check_tag(peer, str('Name'))),
            misc.check_if(requester_owner),
            misc.check_if(requester.get('VpcId')),
            misc.check_if(requester.get('CidrBlock')),
            misc.check_if(accepter_owner),
            misc.check_if(accepter.get('VpcId')),
            misc.check_if(accepter.get('CidrBlock')),
            misc.check_if(peer.get('Status').get('Message')),
            misc.check_if(peer.get('VpcPeeringConnectionId')),
        )
        output_bucket.append(misc.format_line(fields))
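def describe_images(ec2, account, region, output_bucket):
    """Append one output line per AMI owned by the account in the region.

    Continues from a multithreaded call.  The Public column is the
    exposure-relevant one (a public AMI can be launched by anyone).

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts (role_arn is parsed for the account id)
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    # ARN layout is arn:partition:service:region:account-id:resource,
    # so field 4 of the role ARN is the account id used as image owner.
    owner_id = str(re.split(':', account.get('role_arn'))[4])

    # only images owned by this account, not every image visible to it
    ami_list = ec2.describe_images(Owners=[owner_id]).get('Images') or []

    for ami_obj in ami_list:
        # Name is free text and may be missing; strip commas so it cannot
        # split the comma-separated output line.
        name = re.sub('[,]', '', ami_obj.get('Name') or '')
        output_bucket.append(misc.format_line((
            misc.check_if(account.get('name')),
            misc.check_if(region.get('RegionName')),
            misc.check_if(str(ami_obj.get('ImageId'))),
            misc.check_if(str(ami_obj.get('State'))),
            # NOTE(review): called unqualified here but as misc.date_to_days
            # elsewhere in this file -- confirm it is imported into this module
            misc.check_if(str(date_to_days(ami_obj.get('CreationDate')))),
            misc.check_if(str(ami_obj.get('Public'))),
            misc.check_if(str(name)),
        )))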
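def describe_network_acls(ec2, account, region, output_bucket):
    """Append one output line per entry of every network ACL in the region.

    Continues from a multithreaded call.

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    netacl_list = ec2.describe_network_acls().get('NetworkAcls') or []
    for acl_obj in netacl_list:

        for rule_obj in acl_obj.get('Entries') or []:
            # the Egress flag selects the direction; everything else is inbound
            direction = 'inbound'
            if str(rule_obj.get('Egress')) == 'True':
                direction = 'outbound'

            # IPv6 entries carry Ipv6CidrBlock instead of CidrBlock; without
            # the fallback an ::/0 allow rule is reported with source 'None'
            # and an open IPv6 ACL slips through the audit.
            cidr = rule_obj.get('CidrBlock') or rule_obj.get('Ipv6CidrBlock')

            output_bucket.append(
                misc.format_line(
                    (misc.check_if(account.get('name')),
                     misc.check_if(region.get('RegionName')),
                     misc.check_if(acl_obj.get('VpcId')),
                     misc.check_if(check_tag(acl_obj, str('Name'))),
                     misc.check_if(acl_obj.get('NetworkAclId')),
                     misc.check_if(str(acl_obj.get('IsDefault'))),
                     misc.check_if(str(rule_obj.get('RuleNumber'))),
                     misc.check_if(str(direction)),
                     misc.check_if(str(rule_obj.get('Protocol'))),
                     misc.check_if(str(cidr)),
                     misc.check_if(str(rule_obj.get('RuleAction'))))))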
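def list_buckets(s3, account, output_bucket):
    """Append one output line per bucket, flagging static-website hosting.

    Continues from a multithreaded call.  The WebAccess column is 'true'
    when the bucket has a website configuration, 'false' when the API says
    it has none (NoSuchWebsiteConfiguration) and 'unknown' when the check
    itself failed (AccessDenied, PermanentRedirect for a bucket in another
    region, throttling ...).  Reporting a failed check as 'false' would hide
    a possibly exposed bucket, so failures are also written to stderr.

    Args:
        s3 (object): s3 client object
        account (dict): aws accounts
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    import sys

    s3_bucket_list = s3.list_buckets().get('Buckets') or []

    for s3_obj in s3_bucket_list:
        bucket_name = s3_obj.get('Name')
        try:
            # the call succeeds only when a website configuration exists
            s3.get_bucket_website(Bucket=bucket_name)
            site_enabled = 'true'
        except Exception as e:
            err = (getattr(e, 'response', None) or {}).get(
                'Error', {}).get('Code', type(e).__name__)
            if err == 'NoSuchWebsiteConfiguration':
                site_enabled = 'false'
            else:
                site_enabled = 'unknown'
                sys.stderr.write('list_buckets: %s/%s: %s\n' % (
                    account.get('name'), bucket_name, err))

        # NOTE(review): virtual-hosted URL; bucket names containing dots do
        # not match the wildcard TLS certificate on this hostname.
        url = 'https://{0}.s3.amazonaws.com'.format(str(bucket_name))

        output_bucket.append(misc.format_line((
            misc.check_if(account.get('name')),
            misc.check_if(site_enabled),
            misc.check_if(bucket_name),
            misc.check_if(url),
            )))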
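def describe_instances(ec2, account, region, output_bucket):
    """Append one output line per EC2 instance in the region.

    Continues from a multithreaded ec2.describe_instances() call.  Public IP
    and key pair name are the exposure-relevant columns.

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    # DescribeInstances can page its results (NextToken); follow it so a
    # large region is not silently truncated in the inventory.
    reservations = []
    resp = ec2.describe_instances()
    reservations.extend(resp.get('Reservations') or [])
    while resp.get('NextToken'):
        resp = ec2.describe_instances(NextToken=resp['NextToken'])
        reservations.extend(resp.get('Reservations') or [])

    # flatten reservations -> instances
    ec2_list = [i for r in reservations for i in (r.get('Instances') or [])]

    for ec2_obj in ec2_list:
        output_bucket.append(misc.format_line((
            misc.check_if(account.get('name')),
            misc.check_if(region.get('RegionName')),
            misc.check_if(ec2_obj.get('VpcId')),
            misc.check_if(ec2_obj.get('InstanceId')),
            misc.check_if(ec2_obj.get('InstanceType')),
            misc.check_if(ec2_obj.get('State').get('Name')),
            misc.check_if(check_tag(ec2_obj, str('Name'))),
            misc.check_if(ec2_obj.get('PrivateIpAddress')),
            # absent for instances without a public address
            misc.check_if(ec2_obj.get('PublicIpAddress')),
            misc.check_if(ec2_obj.get('KeyName'))
        )))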
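def inventory_users(iam, account, output_bucket):
    """Append one output line per IAM user with its credential posture.

    Continues from a multithreaded call.  Password set, active access keys,
    MFA, group memberships and inline policies are resolved per user with
    additional IAM calls (several per user, so this is API-call heavy on
    large accounts).

    Args:
        iam (object): iam client object
        account (dict): aws accounts
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    # ListUsers returns at most 100 users per call (IsTruncated/Marker);
    # an identity inventory that stops at the first page misses users.
    users_list = []
    resp = iam.list_users()
    users_list.extend(resp.get('Users') or [])
    while resp.get('IsTruncated'):
        resp = iam.list_users(Marker=resp['Marker'])
        users_list.extend(resp.get('Users') or [])

    for user in users_list:
        user_name = user.get('UserName')
        output_bucket.append(
            misc.format_line((
                misc.check_if(account.get('name')),
                misc.check_if(user_name),
                misc.check_if(user.get('CreateDate').strftime('%Y_%m_%d')),
                misc.check_if(is_password_set(iam, user_name)),
                # PasswordLastUsed is absent for users that never signed in
                misc.check_if(misc.date_to_days(user.get('PasswordLastUsed'))),
                misc.check_if(count_active_keys(iam, user_name)),
                misc.check_if(mfa_enabled(iam, user_name)),
                misc.check_if(list_groups_for_user(iam, user_name)),
                misc.check_if(
                    list_user_policies_for_user(iam, user_name)),
            )))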
def describe_route_tables(ec2, account, region, output_bucket):
    """Append one output line per route entry of every route table in the region.

    Continues from a multithreaded call.

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    for table in ec2.describe_route_tables().get("RouteTables"):
        # subnet association summary is computed once per table, not per route
        assocs = rtable_q_assocs(table)
        table_fields = (
            misc.check_if(account.get("name")),
            misc.check_if(region.get("RegionName")),
            misc.check_if(table.get("VpcId")),
            misc.check_if(assocs),
            misc.check_if(table.get("RouteTableId")),
            misc.check_if(check_tag(table, str("Name"))),
        )
        for route in table.get("Routes"):
            route_fields = (
                misc.check_if(rtable_q_dest(route)),
                misc.check_if(rtable_q_target(route)),
                misc.check_if(route.get("State")),
                misc.check_if(rtable_q_propagate(route)),
            )
            output_bucket.append(misc.format_line(table_fields + route_fields))
def describe_vpcs(ec2, account, region, output_bucket):
    """Append one output line per VPC in the region.

    Continues from a multithreaded call.

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    for vpc in ec2.describe_vpcs().get("Vpcs"):
        fields = (
            misc.check_if(account.get("name")),
            misc.check_if(region.get("RegionName")),
            misc.check_if(vpc.get("VpcId")),
            misc.check_if(check_tag(vpc, str("Name"))),
            misc.check_if(vpc.get("State")),
            misc.check_if(vpc.get("CidrBlock")),
            # default VPCs are worth spotting: they ship with permissive defaults
            misc.check_if(str(vpc.get("IsDefault"))),
            misc.check_if(vpc.get("InstanceTenancy")),
            misc.check_if(vpc.get("DhcpOptionsId")),
        )
        output_bucket.append(misc.format_line(fields))
def describe_key_pairs_header():
    """Return the column header for the EC2 key-pair report."""
    columns = ("Account", "Region", "KeyName", "Fingerprint")
    return misc.format_line(columns)
def list_buckets_header():
    """Return the column header for the bucket / website-hosting report."""
    columns = ("Account", "WebAccess", "BucketName", "Url")
    return misc.format_line(columns)
def list_bucket_acls_header():
    """Return the column header for the bucket ACL report.

    Source is the grantee (display name or group URI) of each grant.
    """
    columns = ("Account", "BucketName", "Source", "Permission")
    return misc.format_line(columns)
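def sg_rule_sets(ec2, account, region, output_bucket):
    """Append one output line per (inbound rule, source) of every security group.

    Continues from a multithreaded call.  Sources are IPv4 CIDRs, IPv6 CIDRs
    and referenced security groups; NOTE(review): prefix-list sources
    (PrefixListIds) and egress rules (IpPermissionsEgress) are not covered.

    Args:
        ec2 (object): ec2 client object
        account (dict): aws accounts
        region (dict): regions
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """

    """generate security group list"""
    sg_list = ec2.describe_security_groups().get('SecurityGroups') or []

    for sg_obj in sg_list:
        for rule in sg_obj.get('IpPermissions') or []:
            sources = []
            """cidr as source"""
            sources += [str(cidr.get('CidrIp'))
                        for cidr in rule.get('IpRanges') or []
                        if cidr.get('CidrIp')]
            # IPv6 sources live in a separate list; without it a rule open
            # to ::/0 is missing from the report entirely
            sources += [str(cidr.get('CidrIpv6'))
                        for cidr in rule.get('Ipv6Ranges') or []
                        if cidr.get('CidrIpv6')]
            """security groups as source"""
            sources += [group.get('GroupId')
                        for group in rule.get('UserIdGroupPairs') or []
                        if group.get('GroupId')]
            if not sources:
                continue

            # columns that are identical for every source of this rule
            prefix = (
                misc.check_if(account.get('name')),
                misc.check_if(sg_obj.get('VpcId')),
                misc.check_if(region.get('RegionName')),
                misc.check_if(sg_obj.get('GroupId')),
                misc.check_if(sg_obj.get('GroupName')),
            )
            suffix = (
                misc.check_if(str(check_port(rule.get('FromPort')))),
                misc.check_if(str(check_port(rule.get('ToPort')))),
                misc.check_if(str(check_proto(rule.get('IpProtocol')))),
            )
            for source in sources:
                output_bucket.append(misc.format_line(
                    prefix + (misc.check_if(source),) + suffix))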
def inventory_managed_policies_header(encode):
    """Return the column header for the managed-policy report.

    Args:
        encode (str): 'on' base64-encodes every column so the header matches
            the encoded data rows; any other value leaves plain text
    Returns:
        str: formatted header line
    """
    columns = ("Account", "AttachLevel", "ObjectName", "PolicyName", "Policy")
    if encode == 'on':
        columns = tuple(base64.b64encode(col) for col in columns)
    return misc.format_line(columns)
def describe_images_header():
    """Return the column header for the AMI report."""
    columns = ("Account", "Region", "ImageId", "State", "Age", "Public", "Name")
    return misc.format_line(columns)
def security_group_list_header():
    """Return the column header for the security group list report."""
    columns = ("Account", "VpcId", "Region", "GroupID", "Instances",
               "SG-GroupName", "RFC", "Description")
    return misc.format_line(columns)
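def inventory_group_policies(iam, account, output_bucket, encode):
    """Append one output line per inline policy of every IAM group.

    Continues from a multithreaded call.

    Args:
        iam (object): iam client object
        account (dict): aws accounts
        output_bucket (list): results bucket holder
        encode (str): 'on' base64-encodes every column and wraps the policy
            document in <pre> for HTML output; otherwise the pretty-printed
            JSON is written as-is (NOTE(review): it then contains commas and
            newlines, which break a plain comma-separated consumer)
    Returns:
        nothing. appends results to output_bucket
    """
    # ListGroups returns at most 100 groups per call (IsTruncated/Marker);
    # follow it so groups beyond the first page are audited too.
    group_list = []
    resp = iam.list_groups()
    group_list.extend(resp.get('Groups') or [])
    while resp.get('IsTruncated'):
        resp = iam.list_groups(Marker=resp['Marker'])
        group_list.extend(resp.get('Groups') or [])

    for group in group_list:
        group_name = group.get('GroupName')
        """pull out inline group policies"""
        policies = iam.list_group_policies(
            GroupName=group_name).get('PolicyNames') or []

        for policy_name in policies:
            policy = misc.json_pretty_print(
                iam.get_group_policy(
                    GroupName=group_name,
                    PolicyName=policy_name).get('PolicyDocument'))
            """inline group policy entry"""
            if encode == 'on':
                output_bucket.append(
                    misc.format_line((
                        misc.check_if(base64.b64encode(account.get('name'))),
                        misc.check_if(base64.b64encode(group_name)),
                        misc.check_if(base64.b64encode(str(policy_name))),
                        misc.check_if(
                            base64.b64encode(str('<pre>' + policy +
                                                 '</pre>'))),
                    )))
            else:
                output_bucket.append(
                    misc.format_line((
                        misc.check_if(account.get('name')),
                        misc.check_if(group_name),
                        misc.check_if(str(policy_name)),
                        misc.check_if(str(policy)),
                    )))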
def inventory_users_header():
    """Return the column header for the IAM user inventory."""
    columns = ("Account", "UserName", "CreateDate", "PasswordSet",
               "PasswordLastUsed", "ActiveAccessKeys", "MFA",
               "GroupMemberships", "UserPolicies")
    return misc.format_line(columns)
def list_cloudtrails_header():
    """Return the column header for the CloudTrail trail report."""
    columns = ("Account", "Region", "trailName", "loggingOn",
               "cloudwatchEnabled", "latestDeliveryTime",
               "cloudwatchLogGroupArn", "cloudtrailS3BucketName")
    return misc.format_line(columns)
def inventory_access_keys_header():
    """Return the column header for the IAM access-key inventory."""
    columns = ("Account", "UserName", "Key_ID", "Age", "CreationDate",
               "Status", "DaysLastUsed", "LastUsed", "ServiceName")
    return misc.format_line(columns)
def list_cloudtrails_header():
    """Return the column header for the CloudTrail trail report."""
    columns = ("Account", "Region", "trailName", "loggingOn",
               "cloudwatchEnabled", "latestDeliveryTime",
               "cloudwatchLogGroupArn", "cloudtrailS3BucketName")
    return misc.format_line(columns)
def describe_snapshots_header():
    """Return the column header for the EBS snapshot report."""
    columns = ("Account", "Region", "SnapshotId", "Age", "CreateDate",
               "Size", "Encrypted", "Description")
    return misc.format_line(columns)
def sg_rule_sets_header():
    """Return the column header line for the security-group rule-set report."""
    return misc.format_line(
        ("AccountId", "VpcId", "Region", "GroupId", "SG-GroupName",
         "Source", "FromPort", "ToPort", "Protocol"))
def inventory_user_policies(iam, account, output_bucket, encode):
    """Append one line per inline IAM user policy to output_bucket.
    Args:
        iam (object): iam client object
        account (dict): aws account entry; only 'name' is read
        output_bucket (list): results bucket holder
        encode (str): 'on' base64-encodes every field and wraps the policy
            document in <pre> tags; any other value emits plain text
    Returns:
        nothing. appends results to output_bucket
    """
    # NOTE(review): list_users/list_user_policies are read as a single page
    # (no IsTruncated/Marker handling) — confirm that is acceptable
    for user in iam.list_users().get('Users'):
        user_name = user.get('UserName')
        # inline (embedded) policies only; attached managed policies are
        # handled elsewhere
        policy_names = iam.list_user_policies(UserName=user_name).get('PolicyNames')

        for policy_name in policy_names:
            document = iam.get_user_policy(
                UserName=user_name,
                PolicyName=policy_name).get('PolicyDocument')
            policy = misc.json_pretty_print(document)

            if encode == 'on':
                # NOTE(review): the policy text goes inside <pre> without HTML
                # escaping; whatever decodes and renders this column must escape it
                fields = (
                    misc.check_if(base64.b64encode(account.get('name'))),
                    misc.check_if(base64.b64encode(user_name)),
                    misc.check_if(base64.b64encode(str(policy_name))),
                    misc.check_if(base64.b64encode(str('<pre>' + policy + '</pre>'))),
                )
            else:
                fields = (
                    misc.check_if(account.get('name')),
                    misc.check_if(user_name),
                    misc.check_if(str(policy_name)),
                    misc.check_if(str(policy)),
                )
            output_bucket.append(misc.format_line(fields))
def describe_rds_instances_header():
    """Return the column header line for the RDS instance report."""
    columns = (
        "Account", "Region", "VpcId", "rdsId", "Type",
        "PubliclyAccessible", "rdsAddress", "rdsIP", "ListenPort",
    )
    return misc.format_line(columns)
def list_apps_header():
    """Return the column header line for the CodeDeploy application report."""
    return misc.format_line(
        ("Account", "Region", "AppName", "linkedToGitHub", "CreateDate", "Age",
         "DeployGroupName", "RevisionType", "Instances", "serviceRoleArn"))
def describe_instances_header():
    """Return the column header line for the EC2 instance report."""
    header = (
        "Account", "Region", "VpcId", "ec2Id", "Type", "State",
        "ec2Name", "PrivateIPAddress", "PublicIPAddress", "KeyPair",
    )
    return misc.format_line(header)
def list_bucket_policies(s3, account, output_bucket, encode):
    """Append one line per bucket that has a bucket policy attached.
    Args:
        s3 (object): s3 client object
        account (dict): aws account entry; only 'name' is read
        output_bucket (list): results bucket holder
        encode (str): 'on' base64-encodes every field and wraps the policy
            in <pre> tags; any other value emits plain text
    Returns:
        nothing. appends results to output_bucket
    """
    for s3_obj in s3.list_buckets().get('Buckets'):
        bucket_name = s3_obj.get('Name')
        bucket_policy = []
        try:
            bucket_policy = s3.get_bucket_policy(Bucket=bucket_name).get('Policy')
        except Exception:
            # best-effort: a bucket without a policy raises here, but so does an
            # access-denied or throttled call, and both end up as "no policy"
            pass

        if not bucket_policy:
            continue

        pretty_policy = misc.json_pretty_print(json.loads(bucket_policy))
        if encode == 'on':
            # NOTE(review): the policy text goes inside <pre> without HTML
            # escaping; whatever decodes and renders this column must escape it
            fields = (
                misc.check_if(base64.b64encode(account.get('name'))),
                misc.check_if(base64.b64encode(bucket_name)),
                misc.check_if(base64.b64encode('s3:bucket_policy')),
                misc.check_if(base64.b64encode('<pre>' + pretty_policy + '</pre>')),
            )
        else:
            fields = (
                misc.check_if(account.get('name')),
                misc.check_if(bucket_name),
                misc.check_if(str('s3:bucket_policy')),
                misc.check_if(pretty_policy),
            )
        output_bucket.append(misc.format_line(fields))
def list_bucket_policies(s3, account, output_bucket, encode):
    """Append one line per bucket that has a bucket policy attached.
    Args:
        s3 (object): s3 client object
        account (dict): aws account entry; only 'name' is read
        output_bucket (list): results bucket holder
        encode (str): 'on' base64-encodes every field and wraps the policy
            in <pre> tags; any other value emits plain text
    Returns:
        nothing. appends results to output_bucket
    """
    def field(value):
        # every column is base64-encoded when encode is 'on', otherwise left as is
        return base64.b64encode(value) if encode == 'on' else value

    for s3_obj in s3.list_buckets().get('Buckets'):
        bucket_name = s3_obj.get('Name')
        bucket_policy = []
        try:
            bucket_policy = s3.get_bucket_policy(Bucket=bucket_name).get('Policy')
        except Exception:
            # best-effort: "no policy" and "could not read the policy" are not
            # distinguished, so a missing line is not proof the bucket has none
            pass

        if bucket_policy:
            policy_text = misc.json_pretty_print(json.loads(bucket_policy))
            if encode == 'on':
                # NOTE(review): inserted into <pre> without HTML escaping; the
                # consumer that decodes and renders this column must escape it
                policy_text = '<pre>' + policy_text + '</pre>'
            output_bucket.append(misc.format_line((
                misc.check_if(field(account.get('name'))),
                misc.check_if(field(bucket_name)),
                misc.check_if(field('s3:bucket_policy')),
                misc.check_if(field(policy_text)),
            )))
def list_bucket_acls(s3, account, output_bucket):
    """Append one line per bucket ACL grant to output_bucket.
    Args:
        s3 (object): s3 client object
        account (dict): aws account entry; only 'name' is read
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    for s3_obj in s3.list_buckets().get('Buckets'):
        bucket_name = s3_obj.get('Name')
        grants = []
        try:
            grants = s3.get_bucket_acl(Bucket=bucket_name).get('Grants')
        except Exception:
            # best-effort: an unreadable ACL is reported the same as an empty one
            pass

        for grant in grants or []:
            grantee = grant.get('Grantee')
            # a grantee identified by DisplayName is a canonical user; one
            # identified by URI is a predefined group. A grant that carries both
            # produces two lines, DisplayName first, as before.
            # NOTE(review): group URIs are emitted verbatim and not flagged, so
            # public grants have to be picked out by the consumer of the report
            for source in (grantee.get('DisplayName'), grantee.get('URI')):
                if source:
                    output_bucket.append(misc.format_line((
                        misc.check_if(account.get('name')),
                        misc.check_if(bucket_name),
                        misc.check_if(source),
                        misc.check_if(grant.get('Permission')),
                    )))
def inventory_access_keys(iam, account, output_bucket):
    """Append one line per IAM access key with its age and last-use details.
    Args:
        iam (object): iam client object
        account (dict): aws account entry; only 'name' is read
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    for user in iam.list_users().get('Users'):
        user_name = user.get('UserName')
        key_list = iam.list_access_keys(UserName=user_name).get('AccessKeyMetadata')

        for key in key_list:
            key_id = key.get('AccessKeyId')
            last_used = iam.get_access_key_last_used(
                AccessKeyId=key_id).get('AccessKeyLastUsed')
            last_used_date = last_used.get('LastUsedDate')

            if last_used_date:
                key_lastused = last_used_date.strftime('%Y_%m_%d')
                key_lastused_days = misc.date_to_days(last_used_date)
                key_service = last_used.get('ServiceName')
            else:
                # never-used keys get sentinel values so every column stays filled
                key_lastused, key_lastused_days, key_service = 'Never', '-1', 'N/A'

            create_date = key.get('CreateDate')
            output_bucket.append(misc.format_line((
                misc.check_if(account.get('name')),
                misc.check_if(user_name),
                misc.check_if(key_id),
                misc.check_if(str(misc.date_to_days(create_date))),
                misc.check_if(create_date.strftime('%Y_%m_%d')),
                misc.check_if(key.get('Status')),
                misc.check_if(str(key_lastused_days)),
                misc.check_if(key_lastused),
                misc.check_if(key_service),
            )))
def describe_elb_instances(elb, account, region, output_bucket):
    """Append one line per classic ELB listener to output_bucket.
    Args:
        elb (object): elb client object
        account (dict): aws account entry; only 'name' is read
        region (dict): region entry; only 'RegionName' is read
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    for elb_obj in elb.describe_load_balancers().get('LoadBalancerDescriptions'):
        dns_name = elb_obj.get('DNSName')
        # resolve the load balancer fqdn once per ELB
        elb_ip = misc.lookup(dns_name)
        # ids of the backend instances registered with this ELB
        ec2id = get_ec2s(elb_obj.get('Instances'))

        for elb_listener in elb_obj.get('ListenerDescriptions'):
            listener = elb_listener.get('Listener')
            output_bucket.append(misc.format_line((
                misc.check_if(account.get('name')),
                misc.check_if(region.get('RegionName')),
                misc.check_if(elb_obj.get('VPCId')),
                misc.check_if(elb_obj.get('LoadBalancerName')),
                misc.check_if(elb_obj.get('Scheme')),
                misc.check_if(elb_ip),
                misc.check_if(dns_name),
                misc.check_if(str(listener.get('LoadBalancerPort'))),
                misc.check_if(listener.get('Protocol')),
                misc.check_if(ec2id),
                misc.check_if(str(listener.get('InstancePort'))),
                misc.check_if(listener.get('InstanceProtocol')),
            )))
def describe_subnets(ec2, account, region, output_bucket):
    """Append one line per subnet, including whether a flow log targets it.
    Args:
        ec2 (object): ec2 client object
        account (dict): aws account entry; only 'name' is read
        region (dict): region entry; only 'RegionName' is read
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    for subnet_obj in ec2.describe_subnets().get('Subnets'):
        subnet_id = subnet_obj.get('SubnetId')

        # NOTE(review): only flow logs whose resource-id is this subnet are
        # matched; a flow log attached at the VPC level would presumably not
        # show up here — confirm whether that is the intended meaning of the column
        sub_flow_logs = None
        try:
            sub_flow_logs = ec2.describe_flow_logs(
                Filter=[{
                    'Name': 'resource-id',
                    'Values': [subnet_id]
                }]).get('FlowLogs')
        except Exception:
            # best-effort: a rejected query is reported as "no flow logs"
            pass

        flow_enabled = 'True' if sub_flow_logs else 'False'

        output_bucket.append(misc.format_line((
            misc.check_if(account.get('name')),
            misc.check_if(region.get('RegionName')),
            misc.check_if(subnet_obj.get('VpcId')),
            misc.check_if(check_tag(subnet_obj, str('Name'))),
            misc.check_if(subnet_id),
            misc.check_if(subnet_obj.get('State')),
            misc.check_if(flow_enabled),
            misc.check_if(subnet_obj.get('CidrBlock')),
            misc.check_if(str(subnet_obj.get('AvailableIpAddressCount'))),
            misc.check_if(str(subnet_obj.get('DefaultForAz'))),
            misc.check_if(str(subnet_obj.get('MapPublicIpOnLaunch'))),
        )))
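def describe_vpn_connections(ec2, account, region, output_bucket):
    """Append one line per VPN connection with its VPC, VPC CIDR and customer gateway IPs.
    Args:
        ec2 (object): ec2 client object
        account (dict): aws account entry; only 'name' is read
        region (dict): region entry; only 'RegionName' is read
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    vpn_list = ec2.describe_vpn_connections().get('VpnConnections')
    for vpn_obj in vpn_list:
        # reset per connection: previously these were only assigned inside the
        # attachment loops, so a VPN whose gateway had no VpcAttachments either
        # raised NameError (first iteration) or silently reused the previous
        # connection's VPC id and CIDR
        vpc_id = None
        vpc_cidr = None

        # the VPC is reached through the virtual private gateway's attachments.
        # NOTE(review): assumes every connection carries a VpnGatewayId; a
        # connection without one would pass [None] here — confirm
        vpn_cgw = ec2.describe_vpn_gateways(
            VpnGatewayIds=[vpn_obj.get('VpnGatewayId')]).get('VpnGateways')
        for cgw_attachment in vpn_cgw:
            for vpc_obj in cgw_attachment.get('VpcAttachments'):
                vpc_id = str(vpc_obj.get('VpcId'))
                # CIDR of the attached VPC; with several attachments the last
                # one wins, as before
                for vpc_net in ec2.describe_vpcs(VpcIds=[vpc_id]).get('Vpcs'):
                    vpc_cidr = str(vpc_net.get('CidrBlock'))

        # the customer gateway holds the remote (customer-side) IP address
        customer_gw = ec2.describe_customer_gateways(
            CustomerGatewayIds=[vpn_obj.get('CustomerGatewayId')]).get(
                'CustomerGateways')

        output_bucket.append(
            misc.format_line((
                misc.check_if(account.get('name')),
                misc.check_if(region.get('RegionName')),
                misc.check_if(vpc_id),
                misc.check_if(vpc_cidr),
                misc.check_if(check_tag(vpn_obj, str('Name'))),
                misc.check_if(vpn_obj.get('VpnConnectionId')),
                misc.check_if(vpn_obj.get('State')),
                misc.check_if(vpn_obj.get('CustomerGatewayId')),
                misc.check_if(
                    str('/'.join(i.get('IpAddress') for i in customer_gw))),
                misc.check_if(vpn_obj.get('Type')),
            )))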
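def list_potential_exposed_files(s3, account, output_bucket):
    """Print one line per object whose ACL carries a grant to the AllUsers group.
    Args:
        s3 (object): s3 client object
        account (dict): aws account entry; only 'name' is read
        output_bucket (list): results bucket holder; not written to by this
            function, which prints its lines instead (see the header helper)
    Returns:
        nothing. prints matching lines to stdout
    """
    for s3_obj in s3.list_buckets().get('Buckets'):
        bucket_name = s3_obj.get('Name')
        try:
            object_list = s3.list_objects(Bucket=bucket_name)
        except Exception:
            # best-effort: a bucket that cannot be listed (e.g. access denied) is
            # skipped, so a missing line is not proof that nothing is exposed
            continue

        # NOTE(review): only the first page of list_objects is examined (no
        # IsTruncated/Marker handling) — confirm that is acceptable.
        # An empty bucket has no 'Contents' key; the original relied on the
        # resulting TypeError being swallowed by a catch-all that also hid any
        # real error for the rest of the bucket.
        for obj_keys in object_list.get('Contents') or []:
            object_key = obj_keys.get('Key')
            try:
                obj_acl_list = s3.get_object_acl(
                    Bucket=bucket_name,
                    Key=object_key).get('Grants')
            except Exception:
                # one unreadable object ACL no longer aborts the whole bucket
                continue

            for obj_acl in obj_acl_list or []:
                # NOTE(review): substring match on the stringified grantee; grants
                # to the AuthenticatedUsers group (any AWS account) are not reported
                if 'AllUsers' in str(obj_acl.get('Grantee')):
                    url = 'http://{0}.s3.amazonaws.com/{1}'.format(
                        str(bucket_name),
                        str(object_key))
                    print(
                        misc.format_line((
                            misc.check_if(account.get('name')),
                            misc.check_if(obj_acl.get('Permission')),
                            misc.check_if('AllUsers'),
                            misc.check_if(url),
                        )))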
def describe_vpcs(ec2, account, region, output_bucket):
    """Append one line per VPC in the region to output_bucket.
    Args:
        ec2 (object): ec2 client object
        account (dict): aws account entry; only 'name' is read
        region (dict): region entry; only 'RegionName' is read
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    for vpc_obj in ec2.describe_vpcs().get('Vpcs'):
        row = [
            account.get('name'),
            region.get('RegionName'),
            vpc_obj.get('VpcId'),
            check_tag(vpc_obj, str('Name')),
            vpc_obj.get('State'),
            vpc_obj.get('CidrBlock'),
            str(vpc_obj.get('IsDefault')),
            vpc_obj.get('InstanceTenancy'),
            vpc_obj.get('DhcpOptionsId'),
        ]
        output_bucket.append(
            misc.format_line(tuple(misc.check_if(value) for value in row)))
def inventory_users_header():
    """Return the column header line for the IAM user inventory report."""
    columns = (
        "Account",
        "UserName",
        "CreateDate",
        "PasswordSet",
        "PasswordLastUsed",
        "ActiveAccessKeys",
        "MFA",
        "GroupMemberships",
        "UserPolicies",
    )
    return misc.format_line(columns)
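def _managed_policy_line(account, encode, kind, entity_name, policy_name,
                         policy_body):
    """Build one output line for a managed policy attached to an IAM entity.
    Args:
        account (dict): aws account entry; only 'name' is read
        encode (str): 'on' base64-encodes every field and wraps the policy
            document in <pre> tags; any other value emits plain text
        kind (str): 'group_policy', 'role_policy' or 'user_policy'
        entity_name (str): name of the group, role or user the policy is attached to
        policy_name (str): the managed policy's PolicyName
        policy_body (str): pretty-printed default policy version document
    Returns:
        the formatted line as produced by misc.format_line
    """
    if encode == 'on':
        # NOTE(review): the policy text goes inside <pre> without HTML escaping;
        # whatever decodes and renders this column must escape it
        fields = (
            misc.check_if(base64.b64encode(account.get('name'))),
            misc.check_if(base64.b64encode(str(kind))),
            misc.check_if(base64.b64encode(entity_name)),
            misc.check_if(base64.b64encode(policy_name)),
            misc.check_if(base64.b64encode(str('<pre>' + policy_body + '</pre>'))),
        )
    else:
        fields = (
            misc.check_if(account.get('name')),
            misc.check_if(str(kind)),
            misc.check_if(entity_name),
            misc.check_if(policy_name),
            misc.check_if(str(policy_body)),
        )
    return misc.format_line(fields)


def inventory_managed_policies(iam, account, output_bucket, encode):
    """Append one line per (managed policy, attached entity) pair to output_bucket.
    Groups are listed first, then roles, then users, for each policy.
    Args:
        iam (object): iam client object
        account (dict): aws account entry; only 'name' is read
        output_bucket (list): results bucket holder
        encode (str): 'on' base64-encodes every field and wraps the policy
            document in <pre> tags; any other value emits plain text
    Returns:
        nothing. appends results to output_bucket
    """
    # NOTE(review): list_policies and list_entities_for_policy are read as a
    # single page (no IsTruncated/Marker handling) — confirm that is acceptable
    policy_list = iam.list_policies(OnlyAttached=True).get('Policies')

    for policy in policy_list:
        policy_arn = policy.get('Arn')
        policy_name = policy.get('PolicyName')
        # the default version is the one in effect for every attachment
        document = iam.get_policy_version(
            PolicyArn=policy_arn,
            VersionId=policy.get('DefaultVersionId')).get('PolicyVersion').get(
                'Document')
        policy_body = misc.json_pretty_print(document)

        # one response carries the groups, roles and users attached to the
        # policy; the original issued the same request three times
        entities = iam.list_entities_for_policy(PolicyArn=policy_arn)
        attachments = (
            ('group_policy', 'GroupName', entities.get('PolicyGroups')),
            ('role_policy', 'RoleName', entities.get('PolicyRoles')),
            ('user_policy', 'UserName', entities.get('PolicyUsers')),
        )

        for kind, name_key, entity_list in attachments:
            for entity in entity_list or []:
                output_bucket.append(_managed_policy_line(
                    account, encode, kind, entity.get(name_key),
                    policy_name, policy_body))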
def inventory_role_policies(iam, account, output_bucket, encode):
    """Append the trust policy and every inline policy of each IAM role.
    Each role yields one 'iam:trust_policy' line (fourth column: role ARN)
    followed by one 'iam:inline_policy' line per inline policy (fourth
    column: policy name).
    Args:
        iam (object): iam client object
        account (dict): aws account entry; only 'name' is read
        output_bucket (list): results bucket holder
        encode (str): 'on' base64-encodes every field and wraps the policy
            document in <pre> tags; any other value emits plain text
    Returns:
        nothing. appends results to output_bucket
    """
    def emit(kind, role_name, fourth, policy_text):
        # one output line; the encoded form also wraps the policy in <pre> tags.
        # NOTE(review): no HTML escaping is applied to the policy text; the
        # consumer that decodes and renders this column must escape it
        if encode == 'on':
            fields = (
                misc.check_if(base64.b64encode(account.get('name'))),
                misc.check_if(base64.b64encode(str(kind))),
                misc.check_if(base64.b64encode(role_name)),
                misc.check_if(base64.b64encode(fourth)),
                misc.check_if(base64.b64encode(
                    str('<pre>' + policy_text + '</pre>'))),
            )
        else:
            fields = (
                misc.check_if(account.get('name')),
                misc.check_if(str(kind)),
                misc.check_if(role_name),
                misc.check_if(fourth),
                misc.check_if(str(policy_text)),
            )
        output_bucket.append(misc.format_line(fields))

    for role in iam.list_roles().get('Roles'):
        role_name = role.get('RoleName')

        # trust relationship: who may assume the role
        assume_role_policy = misc.json_pretty_print(
            role.get('AssumeRolePolicyDocument'))
        emit('iam:trust_policy', role_name, role.get('Arn'), assume_role_policy)

        # inline (embedded) policies of the role
        policy_names = iam.list_role_policies(RoleName=role_name).get('PolicyNames')
        for policy_name in policy_names:
            policy = misc.json_pretty_print(
                iam.get_role_policy(
                    RoleName=role_name,
                    PolicyName=policy_name).get('PolicyDocument'))
            emit('iam:inline_policy', role_name, str(policy_name), policy)
def describe_elb_instances_header():
    """Return the column header line for the ELB listener report."""
    columns = (
        "Account", "Region", "VpcId", "elbName", "Scheme", "IPAddress",
        "dnsName", "elbPort", "elbProto", "backInstances", "instancePort",
        "instanceProto",
    )
    return misc.format_line(columns)
def list_potential_exposed_files_header():
    """Print the column header line for the exposed-files report.
    Unlike the other header helpers this one prints instead of returning,
    matching list_potential_exposed_files, which also prints its lines.
    """
    header = ("Account", "Permission", "Grantee", "Url")
    print(misc.format_line(header))
def list_bucket_acls_header():
    """Return the column header line for the bucket ACL report."""
    columns = ("Account", "BucketName", "Source", "Permission")
    return misc.format_line(columns)
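def sg_rule_sets_by_elb(elb, ec2, account, region, output_bucket):
    """Append one line per security-group rule that applies to a classic ELB.
    Args:
        elb (object): elb client object
        ec2 (object): ec2 client object; supplies the security-group rule sets
        account (dict): aws account entry; only 'name' is read
        region (dict): region entry; only 'RegionName' is read
        output_bucket (list): results bucket holder
    Returns:
        nothing. appends results to output_bucket
    """
    elb_list = elb.describe_load_balancers().get('LoadBalancerDescriptions')
    sg_list = ec2.describe_security_groups().get('SecurityGroups')

    for sg_obj in sg_list:
        group_id = sg_obj.get('GroupId')
        for elb_obj in elb_list:
            for elbsg in elb_obj.get('SecurityGroups'):
                # only security groups actually associated with the ELB count
                if group_id != elbsg:
                    continue

                elb_ip = misc.lookup(elb_obj.get('DNSName'))
                # columns identical for every rule of this (sg, elb) pair
                prefix = (
                    misc.check_if(account.get('name')),
                    misc.check_if(region.get('RegionName')),
                    misc.check_if(elb_obj.get('VPCId')),
                    misc.check_if(elb_obj.get('LoadBalancerName')),
                    misc.check_if(elb_obj.get('Scheme')),
                    misc.check_if(elb_ip),
                    misc.check_if(elb_obj.get('DNSName')),
                    misc.check_if(group_id),
                    misc.check_if(sg_obj.get('GroupName')),
                )

                for rule in sg_obj.get('IpPermissions'):
                    # port/protocol columns depend on the rule, not on the source
                    suffix = (
                        misc.check_if(str(check_port(rule.get('FromPort')))),
                        misc.check_if(str(check_port(rule.get('ToPort')))),
                        misc.check_if(str(check_proto(rule.get('IpProtocol')))),
                    )
                    # "Source" is a CIDR for IpRanges entries and a peer security
                    # group id for UserIdGroupPairs entries; CIDRs come first, as
                    # before. NOTE(review): Ipv6Ranges and PrefixListIds entries
                    # on a rule are not read and so are not reported — confirm
                    sources = [misc.check_if(str(cidr.get('CidrIp')))
                               for cidr in rule.get('IpRanges')
                               if cidr.get('CidrIp')]
                    sources += [misc.check_if(group.get('GroupId'))
                                for group in rule.get('UserIdGroupPairs')
                                if group.get('GroupId')]

                    for source in sources:
                        output_bucket.append(
                            misc.format_line(prefix + (source,) + suffix))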
def sg_rule_sets_by_elb_header():
    """Return the column header line for the per-ELB security-group rule report."""
    columns = (
        "Account", "Region", "VpcId", "elbName", "Scheme", "IPAddress",
        "dnsName", "GroupID", "GroupName", "Source", "StartPort", "EndPort",
        "Protocol",
    )
    return misc.format_line(columns)
def inventory_access_keys_header():
    """Return the column header line for the access-key inventory report."""
    header_columns = (
        "Account",
        "UserName",
        "Key_ID",
        "Age",
        "CreationDate",
        "Status",
        "DaysLastUsed",
        "LastUsed",
        "ServiceName",
    )
    return misc.format_line(header_columns)
def list_buckets_header():
    """Return the column header line for the S3 bucket listing."""
    header = ("Account", "WebAccess", "BucketName", "Url")
    return misc.format_line(header)