-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathSecConfig.py
More file actions
executable file
·189 lines (154 loc) · 7.1 KB
/
SecConfig.py
File metadata and controls
executable file
·189 lines (154 loc) · 7.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
#! /usr/bin/python
# Example code to output account security config
__author__ = 'Greg Roth'
import boto3
import urllib
import hashlib
import argparse
parser = argparse.ArgumentParser(description='outputs security configuration of an AWS account')
parser.add_argument('-a', '--access_key_id', required=True, help='access key id')
parser.add_argument('-k', '--secret_access_key', required=True, help='secret access key')
parser.add_argument('-t', '--security_token', help='security token (for use with temporary security credentials)')
parser.add_argument('-r', '--role', help='role to assume')
parser.add_argument('-v', '--verbose', action="store_true", help='enable verbose mode')
parser.add_argument('-d', '--debug', action="store_true", help='enable debug mode')
args = parser.parse_args()
access_key_id = args.access_key_id
secret_access_key = args.secret_access_key
security_token = args.security_token
sts = boto3.connect_sts(access_key_id, secret_access_key)
if args.role:
assumed_role = sts.assume_role(args.role, "SecAudit")
access_key_id = assumed_role.credentials.access_key
secret_access_key = assumed_role.credentials.secret_key
security_token = assumed_role.credentials.session_token
def debug(str):
if args.debug:
print str
def verbose(str):
if args.verbose or args.debug:
print str
def sha256(m):
return hashlib.sha256(m).hexdigest()
def config_line(header, name, detail, data):
return header + ", " + name + ", " + detail + ", " + data
def config_line_policy(header, name, detail, data):
verbose("===== " + header + ": " + name + ": " + detail + "=====")
verbose(data)
verbose("=========================================================")
return config_line(header, name, detail, sha256(data))
def output_lines(lines):
lines.sort()
for line in lines:
print line
iam = boto3.connect_iam(access_key_id, secret_access_key, security_token=security_token)
verbose("Getting account summary:")
summary = iam.get_account_summary()
debug(summary)
output_lines([config_line("iam:accountsummary", "AccountMFAEnabled", "", str(summary["AccountMFAEnabled"]))])
# IAM user info
verbose("Getting IAM user info:")
user_info = []
users = iam.get_all_users().list_users_response.list_users_result.users
debug(users)
for user in users:
verbose("User: " + user.user_name)
# User policies
policies = iam.get_all_user_policies(user.user_name)
policies = policies.list_user_policies_response.list_user_policies_result.policy_names
for policy_name in policies:
policy = iam.get_user_policy(user.user_name, policy_name) \
.get_user_policy_response.get_user_policy_result.policy_document
policy = urllib.unquote(policy)
user_info.append(config_line_policy("iam:userpolicy", user.user_name, policy_name, policy))
# access keys
access_keys = iam.get_all_access_keys(user.user_name)
access_keys = access_keys.list_access_keys_response.list_access_keys_result.access_key_metadata
for access_key in access_keys:
user_info.append(
config_line("iam:accesskey", access_key.user_name, access_key.status, access_key.access_key_id))
# group membership
groups = iam.get_groups_for_user(user.user_name)
groups = groups.list_groups_for_user_response.list_groups_for_user_result.groups
for group in groups:
user_info.append(config_line("iam:useringroup", user.user_name, "", group.group_name))
output_lines(user_info)
# IAM groups
verbose("Getting IAM group info:")
group_policy = []
groups = iam.get_all_groups().list_groups_response.list_groups_result.groups
for group in groups:
verbose("Group " + group.group_name)
# Policies attached to groups
policies = iam.get_all_group_policies(group.group_name)
policies = policies.list_group_policies_response.list_group_policies_result.policy_names
for policy_name in policies:
policy = iam.get_group_policy(group.group_name, policy_name)
policy = policy.get_group_policy_response.get_group_policy_result.policy_document
policy = urllib.unquote(policy)
group_policy.append(config_line_policy("iam:grouppolicy", group.group_name, policy_name, policy))
output_lines(group_policy)
# IAM Roles
verbose("Getting IAM role info:")
role_policy = []
roles = iam.list_roles().list_roles_response.list_roles_result.roles
for role in roles:
verbose("Role: " + role.role_name)
# Policy controling use of the role (always present)
assume_role_policy = role.assume_role_policy_document
assume_role_policy = urllib.unquote(policy)
role_policy.append(config_line_policy("iam:assumerolepolicy", role.role_name, role.arn, assume_role_policy))
#Policies around what the assumed role can do
policies = iam.list_role_policies(role.role_name)
policies = policies.list_role_policies_response.list_role_policies_result.policy_names
for policy_name in policies:
policy = iam.get_role_policy(role.role_name, policy_name)
policy = policy.get_role_policy_response.get_role_policy_result.policy_document
policy = urllib.unquote(policy)
role_policy.append(config_line_policy("iam:rolepolicy", role.role_name, policy_name, policy))
debug(policies)
output_lines(role_policy)
# S3 bucket policies
verbose("Getting S3 bucket policies:")
s3 = boto3.connect_s3(access_key_id, secret_access_key, security_token=security_token)
bucket_info = []
buckets = s3.get_all_buckets()
for bucket in buckets:
try:
policy = bucket.get_policy()
bucket_info.append(config_line_policy("s3:bucketpolicy", bucket.name, "", policy))
except boto3.exception.S3ResponseError as e:
bucket_info.append(config_line("s3:bucketpolicy", bucket.name, "", e.code))
output_lines(bucket_info)
# SQS queue policies
verbose("Getting SQS queue policies:")
sqs = boto3.connect_sqs(access_key_id, secret_access_key, security_token=security_token)
queue_info = []
queues = sqs.get_all_queues()
for queue in queues:
try:
policy = sqs.get_queue_attributes(queue, "Policy")["Policy"]
queue_info.append(config_line_policy("sqs:queuepolicy", queue.url, "", policy))
except KeyError:
queue_info.append(config_line("sqs:queuepolicy", queue.url, "", "NoPolicy"))
output_lines(queue_info)
# SNS topic policies
verbose("Getting SNS topic policies:")
sns = boto3.connect_sns(access_key_id, secret_access_key, security_token=security_token)
topic_info = []
topics = sns.get_all_topics()
topics = topics["ListTopicsResponse"]["ListTopicsResult"]["Topics"]
for topic in topics:
policy = sns.get_topic_attributes(topic["TopicArn"])
policy = policy["GetTopicAttributesResponse"]["GetTopicAttributesResult"]["Attributes"]["Policy"]
topic_info.append(config_line_policy("sns:topicpolicy", topic["TopicArn"], "", policy))
output_lines(topic_info)
# EC2 security groups
sg_info = []
ec2 = boto3.connect_ec2(access_key_id, secret_access_key, security_token=security_token)
groups = ec2.get_all_security_groups()
for group in groups:
for rule in group.rules:
for grant in rule.grants:
sg_info.append(config_line("ec2:security_group", group.name, str(rule), str(grant)))
output_lines(sg_info)