From 89e758a4cfa5d9420c104d2e1579af9eb9a2a6e2 Mon Sep 17 00:00:00 2001
From: carnal0wnage
Date: Wed, 11 Apr 2018 22:50:24 -0400
Subject: [PATCH] mostly fixes to handle a root key that has perms but shit isnt actually set up
---
libs/aws_lambda.py | 18 +++++-
libs/ce.py | 40 +++++++++++++
libs/cloudtrail.py | 84 ++++++++++++++++++++++++++
libs/cloudwatch.py | 16 ++++-
libs/config.py | 4 ++
libs/datapipeline.py | 2 +
libs/dynamodb.py | 6 ++
libs/dynamodbstreams.py | 2 +
libs/ec2.py | 10 ++++
libs/ecr.py | 4 +-
libs/elasticbeanstalk.py | 10 ++++
libs/emr.py | 4 ++
libs/firehose.py | 4 ++
libs/iam.py | 123 ++++++++++++++++++++++++++++++++++++++-
libs/opsworks.py | 46 ++++++++++++++-
libs/pricing.py | 39 +++++++++++++
libs/rds.py | 41 +++++++------
libs/route53.py | 4 ++
libs/s3.py | 24 ++++++-
libs/sqs.py | 2 +
libs/sts.py | 19 ++++++
modules/ce.py | 12 ++++
modules/cloudtrail.py | 13 +++++
modules/iam.py | 22 +++++++
modules/opsworks.py | 4 ++
modules/pricing.py | 12 ++++
modules/route53.py | 10 ++++
27 files changed, 543 insertions(+), 32 deletions(-)
create mode 100644 libs/ce.py
create mode 100644 libs/cloudtrail.py
create mode 100644 libs/pricing.py
create mode 100644 modules/ce.py
create mode 100644 modules/cloudtrail.py
create mode 100644 modules/iam.py
create mode 100644 modules/pricing.py
create mode 100644 modules/route53.py
diff --git a/libs/aws_lambda.py b/libs/aws_lambda.py
index fa4f4eb..d4299fb 100644
--- a/libs/aws_lambda.py
+++ b/libs/aws_lambda.py
@@ -37,7 +37,14 @@ def list_functions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): pp.pprint(r) print("\n") except botocore.exceptions.ClientError as e: - print(e) + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDenied': + print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") @@ -65,6 +72,13 @@ def list_event_source_mappings(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): pp.pprint(r) print("\n") except botocore.exceptions.ClientError as e: - print(e) + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDenied': + print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") diff --git a/libs/ce.py b/libs/ce.py new file mode 100644 index 0000000..3d61de3 --- /dev/null +++ b/libs/ce.py 
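Review bot: The eight-line error dispatch added to list_functions is pasted verbatim into list_event_source_mappings in the next hunk and, with small wording drifts, into every other service file in this patch (cloudtrail, cloudwatch, config, dynamodb, ec2, ecr, elasticbeanstalk, emr, firehose, iam, opsworks); a single shared helper such as `def handle_client_error(e, AWS_ACCESS_KEY_ID):` in a common module would keep the codes and messages consistent and let per-service wording differ only on purpose. The new `sys.exit(...)` branch also requires `sys` to be imported in libs/aws_lambda.py; the import block is outside this hunk, so confirm it is present, otherwise the InvalidClientTokenId path raises NameError instead of exiting. Calling `sys.exit` from inside a library function over a region loop ends the whole run on the first bad region rather than returning to the caller, which the module layer may not expect. Both enclosing functions start outside these hunks.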
@@ -0,0 +1,40 @@ +''' +Cost Explorer Library +''' + +import boto3 +import botocore +import pprint +import sys + +pp = pprint.PrettyPrinter(indent=5, width=80) + +#from http://docs.aws.amazon.com/general/latest/gr/rande.html +regions = ['us-east-1', ] + +def ce_get_cost_and_usage(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + try: + for region in regions: + client = boto3.client('ce', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region) + response = client.get_cost_and_usage(TimePeriod={'Start': '2018-01-01', 'End': '2018-04-01'}, Granularity='MONTHLY', Metrics=["BlendedCost", "UnblendedCost", "UsageQuantity"],) + print(response) + #if response.get('Services') is None: + # print("{} likely does not have Pricing permissions\n" .format(AWS_ACCESS_KEY_ID)) + #elif len(response['Services']) <= 0: + # print("[-] Describe Pricing Services allowed for {} but no results [-]" .format(region)) + #else: + # print("### {} Services ###" .format(region)) + # for tables in response['ServiceCode']: + # pp.pprint(tables) + # print("\n") + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'UnauthorizedOperation': + print('{} : (UnauthorizedOperation) when calling the DescribeInstances -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDeniedException': + print('{} : (AccessDenied) when calling the Get Cost & Usage' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print(e) + except KeyboardInterrupt: + print("CTRL-C received, exiting...") diff --git a/libs/cloudtrail.py b/libs/cloudtrail.py new file mode 100644 index 0000000..f1ce4ce --- /dev/null +++ b/libs/cloudtrail.py 
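Review bot: ce_get_cost_and_usage hard-codes `TimePeriod={'Start': '2018-01-01', 'End': '2018-04-01'}`, so it always reports the same fixed quarter and will presumably start failing once that window ages out of Cost Explorer's retention; derive it from today instead, e.g. `end = datetime.date.today()`, `start = (end - datetime.timedelta(days=90)).replace(day=1)`, `TimePeriod={'Start': start.isoformat(), 'End': end.isoformat()}`, with `import datetime` added at the top. The `UnauthorizedOperation` message is copied from libs/ec2.py and talks about DescribeInstances and ec2 permissions, which is misleading for a Cost Explorer call; reword it to name GetCostAndUsage. `import sys` is unused in this new file, and the bare `print(response)` dumps the full dict (including ResponseMetadata) and ignores `NextPageToken`, so a longer range than the three monthly buckets queried here would be silently truncated.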
@@ -0,0 +1,84 @@ +''' +Cloudtrail functions +''' + +import boto3 +import botocore +import os +import pprint +import sys + +pp = pprint.PrettyPrinter(indent=5, width=80) + +# from http://docs.aws.amazon.com/general/latest/gr/rande.html +regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ap-northeast-1', 'ap-northeast-2', 'ap-northeast-3', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'sa-east-1' ] +# 'cn-north-1', 'cn-northwest-1', 'us-gov-west-1' throwing An error occurred (UnrecognizedClientException) when calling the DescribeTrails operation: The security token included in the request is invalid. + +def describe_trails(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + print("### Printing CloudTrail DescribeTrails ###") + try: + for region in regions: + client = boto3.client('cloudtrail', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region) + + response = client.describe_trails() + + # print (response) + # print(region) + if response['trailList'] is None: + print("{} likely does not have CloudTrail permissions\n" .format(AWS_ACCESS_KEY_ID)) + elif len(response['trailList']) <= 0: + print("[-] ListTrails allowed for {} but no results [-]" .format(region)) + else: + print("### {} CloudTrail Trails ###" .format(region)) + for trail in response['trailList']: + pp.pprint(trail) + print("\n") + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. 
Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDenied': + print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + #elif e.response['Error']['Code'] == 'UnrecognizedClientException': + # print('{} : UnrecognizedClientException error' .format(AWS_ACCESS_KEY_ID)) + # pass + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) + pass + except KeyboardInterrupt: + print("CTRL-C received, exiting...") + +def list_public_keys(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + print("### Printing CloudTrail DescribeTrails ###") + try: + for region in regions: + client = boto3.client('cloudtrail', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region) + + response = client.list_public_keys() + + # print (response) + # print(region) + if response['PublicKeyList'] is None: + print("{} likely does not have CloudTrail permissions\n" .format(AWS_ACCESS_KEY_ID)) + elif len(response['PublicKeyList']) <= 0: + print("[-] PublicKeyList allowed for {} but no results [-]" .format(region)) + else: + print("### {} CloudTrail Public Keys ###" .format(region)) + for keys in response['PublicKeyList']: + pp.pprint(keys) + print("\n") + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. 
Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDenied': + print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) + pass + except KeyboardInterrupt: + print("CTRL-C received, exiting...") + + diff --git a/libs/cloudwatch.py b/libs/cloudwatch.py index 9dc66c3..a718c77 100644 --- a/libs/cloudwatch.py +++ b/libs/cloudwatch.py @@ -28,8 +28,12 @@ def describe_alarms(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'OptInRequired': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: - print ("Unexpected error: {}" .format(e)) + print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") 
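Review bot: list_public_keys prints the header `### Printing CloudTrail DescribeTrails ###`, copied from describe_trails; it should read `print("### Printing CloudTrail ListPublicKeys ###")`. Both functions index `response['trailList']` / `response['PublicKeyList']` directly while the rest of this patch uses `response.get(...)`, so the `is None` branch can never run and a missing key would raise KeyError instead of printing the permissions hint; `response.get('trailList')` and `response.get('PublicKeyList')` make those checks meaningful. The `pass` after the else-branch print in both ClientError handlers is dead and can go. describe_trails is called with its default include-shadow-trails behaviour, so a multi-region trail will presumably be reported once per region in the loop; confirm against a live account and consider `describe_trails(includeShadowTrails=False)` if that repetition is unwanted.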
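Review bot: The two new branches in describe_alarms print the identical message for `SubscriptionRequiredException` and `OptInRequired`; a membership test, `elif e.response['Error']['Code'] in ('SubscriptionRequiredException', 'OptInRequired'):`, expresses that in one branch. The same duplicated pair appears in describe_alarm_history and list_metrics in the next hunks and in the four new functions added to libs/iam.py further down. The enclosing function starts outside this hunk.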
@@ -55,8 +59,12 @@ def describe_alarm_history(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print ('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'OptInRequired': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: - print ("Unexpected error: {}" .format(e)) + print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") @@ -82,6 +90,10 @@ def list_metrics(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print ('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'OptInRequired': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print ("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/config.py b/libs/config.py index 56915a2..5ce143b 100644 --- a/libs/config.py +++ b/libs/config.py 
@@ -31,6 +31,8 @@ def describe_configuration_recorders(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, r elif e.response['Error']['Code'] == 'AccessDeniedException': print('[-] {} : does not have config access. Did you check first?' .format(AWS_ACCESS_KEY_ID)) pass + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: @@ -56,6 +58,8 @@ def describe_configuration_rules(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, regio elif e.response['Error']['Code'] == 'AccessDeniedException': print('[-] {} : does not have config access. Did you check first?' .format(AWS_ACCESS_KEY_ID)) pass + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/datapipeline.py b/libs/datapipeline.py index 2237938..d6343bb 100644 --- a/libs/datapipeline.py +++ b/libs/datapipeline.py @@ -34,6 +34,8 @@ def list_pipelines(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/dynamodb.py b/libs/dynamodb.py index 1fe885c..be2f5dc 100644 --- a/libs/dynamodb.py +++ b/libs/dynamodb.py 
@@ -35,6 +35,8 @@ def list_dynamodb_tables(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: @@ -64,6 +66,8 @@ def list_dynamodb_tables_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDeniedException': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: @@ -98,6 +102,8 @@ def describe_table(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, table, region): print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDeniedException': print('{} : Does not have the required DescribeTable permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/dynamodbstreams.py b/libs/dynamodbstreams.py index cd5b817..0821828 100644 --- a/libs/dynamodbstreams.py +++ b/libs/dynamodbstreams.py 
@@ -35,6 +35,8 @@ def list_dynamodbstreams(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/ec2.py b/libs/ec2.py index f2a2510..5c0afd7 100644 --- a/libs/ec2.py +++ b/libs/ec2.py @@ -46,6 +46,8 @@ def review_encrypted_volumes(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): except botocore.exceptions.ClientError as e: if e.response['Error']['Code'] == 'UnauthorizedOperation': print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print(e) except KeyboardInterrupt: @@ -68,6 +70,8 @@ def get_instance_details(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): except botocore.exceptions.ClientError as e: if e.response['Error']['Code'] == 'UnauthorizedOperation': print('{} : (UnauthorizedOperation) when calling the DescribeInstances -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print(e) except KeyboardInterrupt: 
@@ -95,6 +99,8 @@ def get_instance_details_basic(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): except botocore.exceptions.ClientError as e: if e.response['Error']['Code'] == 'UnauthorizedOperation': print('{} : (UnauthorizedOperation) when calling the DescribeInstances-- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print(e) except KeyboardInterrupt: @@ -118,6 +124,8 @@ def get_instance_volume_details(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): except botocore.exceptions.ClientError as e: if e.response['Error']['Code'] == 'UnauthorizedOperation': print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have required ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print(e) except KeyboardInterrupt: @@ -143,6 +151,8 @@ def get_instance_volume_details2(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): except botocore.exceptions.ClientError as e: if e.response['Error']['Code'] == 'UnauthorizedOperation': print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have the required ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print(e) except KeyboardInterrupt: diff --git a/libs/ecr.py b/libs/ecr.py index f56d103..99fab70 100644 --- a/libs/ecr.py +++ b/libs/ecr.py 
@@ -21,7 +21,7 @@ def describe_repositories(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): response = client.describe_repositories() - # print response + # print (response) if response.get('repositories') is None: print("{} likely does not have ECR permissions\n" .format(AWS_ACCESS_KEY_ID)) @@ -38,6 +38,8 @@ def describe_repositories(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/elasticbeanstalk.py b/libs/elasticbeanstalk.py index e8b80cf..803c07f 100644 --- a/libs/elasticbeanstalk.py +++ b/libs/elasticbeanstalk.py @@ -39,6 +39,8 @@ def describe_applications(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: 
@@ -70,6 +72,8 @@ def describe_application_versions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: @@ -107,6 +111,8 @@ def describe_configuration_options(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: @@ -138,6 +144,8 @@ def describe_environments(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: 
@@ -169,6 +177,8 @@ def describe_events(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/emr.py b/libs/emr.py index c5860a9..82a84ea 100644 --- a/libs/emr.py +++ b/libs/emr.py @@ -37,6 +37,8 @@ def list_clusters(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: @@ -68,6 +70,8 @@ def list_security_configurations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/firehose.py b/libs/firehose.py index f65e941..7bc6ed9 100644 --- a/libs/firehose.py +++ b/libs/firehose.py 
@@ -36,6 +36,8 @@ def firehose_list_delivery_streams(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: @@ -67,6 +69,8 @@ def firehose_describe_delivery_streams(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/iam.py b/libs/iam.py index 80f1cc5..4a5b4ed 100644 --- a/libs/iam.py +++ b/libs/iam.py @@ -13,7 +13,7 @@ import pprint pp = pprint.PrettyPrinter(indent=5, width=80) -region = 'us-east-1' +regions = ['us-east-1'] def check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY,region_name=region) 
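Review bot: Replacing the module-level `region = 'us-east-1'` with `regions = ['us-east-1']` in libs/iam.py leaves the unchanged context line in check_root_account, `client = boto3.client('iam', ..., region_name=region)`, referring to a name that no longer exists at module scope, so calling check_root_account will raise NameError unless `region` is bound somewhere not shown in this hunk. Either keep `region = 'us-east-1'` next to the new list or change that line to `region_name=regions[0]`. check_root_account's body continues outside the hunk.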
@@ -51,6 +51,8 @@ def check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
 sys.exit("The AWS KEY IS INVALID. Exiting")
 if e.response['Error']['Code'] == 'AccessDenied':
 print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
+ print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
 else:
 print("Unexpected error: {}" .format(e))
 except KeyboardInterrupt:
@@ -194,3 +196,122 @@ def make_backdoor_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username, pa print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") + +def iam_list_groups(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + print("### Printing IAM Groups ###") + try: + for region in regions: + client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region) + response = client.list_groups() + if response.get('Groups') is None: + print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID)) + elif len(response['Groups']) <= 0: + print("[-] ListGroups allowed for {} but no results [-]\n" .format(region)) + else: + # print(response) + print ("### {} Groups ###" .format(region)) + for group in response['Groups']: + pp.pprint(group) + print("\n") + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. 
Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDenied': + print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'OptInRequired': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) + except KeyboardInterrupt: + print("CTRL-C received, exiting...") + +def iam_get_user(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + print("### Printing IAM User Info ###") + try: + for region in regions: + client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region) + response = client.get_user() + print(response) + if response.get('User') is None: + print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID)) + elif len(response['User']) <= 0: + print("[-] GetUser allowed for {} but no results [-]\n" .format(region)) + else: + # print(response) + print ("### {} User Account Info ###" .format(region)) + for key, value in response['User'].items(): + print(key,':', value) + print("\n") + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. 
Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDenied': + print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'OptInRequired': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) + except KeyboardInterrupt: + print("CTRL-C received, exiting...") + +def iam_get_account_summary(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + print("### Printing IAM Account Summary ###") + try: + for region in regions: + client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region) + + response = client.get_account_summary() + # print(response) + if response.get('SummaryMap') is None: + print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID)) + elif len(response['SummaryMap']) <= 0: + print("[-] GetAccountSummary allowed for {} but no results [-]\n" .format(region)) + else: + pp.pprint(response['SummaryMap']) + # print(response) + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. 
Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDenied': + print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'OptInRequired': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) + except KeyboardInterrupt: + print("CTRL-C received, exiting...") + +def iam_list_users(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + print("### Printing IAM Users ###") + try: + for region in regions: + client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region) + + response = client.list_users() + # print(response) + if response.get('Users') is None: + print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID)) + elif len(response['Users']) <= 0: + print("[-] ListUsers allowed for {} but no results [-]\n" .format(region)) + else: + pp.pprint(response['Users']) + # print(response) + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. 
Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDenied': + print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'OptInRequired': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) + except KeyboardInterrupt: + print("CTRL-C received, exiting...") diff --git a/libs/opsworks.py b/libs/opsworks.py index 4e50a80..cabe0b5 100644 --- a/libs/opsworks.py +++ b/libs/opsworks.py @@ -6,7 +6,7 @@ pp = pprint.PrettyPrinter(indent=5, width=80) # from http://docs.aws.amazon.com/general/latest/gr/rande.html # http://docs.aws.amazon.com/general/latest/gr/rande.html#opsworks_region -regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', ] +regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ap-northeast-1', 'ap-northeast-2', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-1', 'ca-central-1', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'sa-east-1' ] def describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): @@ -23,9 +23,9 @@ def describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): # debug # print(response) if response.get('Stacks') is None: - print("{} likely does not have Lambda permissions\n" .format(AWS_ACCESS_KEY_ID)) + print("{} likely does not have Opsworks permissions\n" .format(AWS_ACCESS_KEY_ID)) elif len(response['Stacks']) <= 0: - print("[-] DescribeStacks allowed for {} but no results (everyone seems to have this permission) [-]\n" .format(region)) + print("[-] DescribeStacks allowed for {} but no results [-]\n" .format(region)) else: # THIS PART IS UNTESTED for r in response['Stacks']: pp.pprint(r) 
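Review bot: iam_list_users and iam_list_groups read a single `list_users()` / `list_groups()` page and never look at `IsTruncated` or `Marker`, so an account with more users or groups than one page returns is reported as if the listing were complete; iterating `for page in client.get_paginator('list_users').paginate():` (and `'list_groups'`) and printing each page's `Users` / `Groups` fixes that. iam_get_user leaves a bare `print(response)` that dumps the whole response, ResponseMetadata included, immediately before the formatted per-key loop prints the same data; drop it or comment it out like the sibling functions do. `len(response['User']) <= 0` measures a dict that GetUser always fills, so that branch is presumably unreachable and the "no results" message can never print. IAM is a global service, so the `for region in regions` loop over a one-entry list adds only indentation here.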
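Review bot: The new regions list in libs/opsworks.py contains `'ap-southeast-1'` twice and no `'ap-southeast-2'`, so one region is queried twice per call and, judging by the region list added to libs/cloudtrail.py in this same patch, Sydney was likely the intended second entry; change the duplicate to `'ap-southeast-2'`. describe_stacks' body continues into the following hunk.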
@@ -37,7 +37,47 @@ def describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'EndpointConnectionError': print("[-] Cant connect to the {} endpoint [-]" .format(region)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") + + +def describe_user_profiles(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + print('#### Listing User Profiles ####') + try: + for region in regions: + client = boto3.client( + 'opsworks', + aws_access_key_id=AWS_ACCESS_KEY_ID, + aws_secret_access_key=AWS_SECRET_ACCESS_KEY, + region_name=region + ) + response = client.describe_user_profiles() + # debug + print(response) + #if response.get('Stacks') is None: + # print("{} likely does not have Lambda permissions\n" .format(AWS_ACCESS_KEY_ID)) + #elif len(response['Stacks']) <= 0: + # print("[-] DescribeStacks allowed for {} but no results (everyone seems to have this permission) [-]\n" .format(region)) + #else: # THIS PART IS UNTESTED + # for r in response['Stacks']: + # pp.pprint(r) + except botocore.exceptions.EndpointConnectionError as e: + print("Unexpected error: {}" .format(e)) + + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. 
Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'EndpointConnectionError': + print("[-] Cant connect to the {} endpoint [-]" .format(region)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) + except KeyboardInterrupt: + print("CTRL-C received, exiting...") + + diff --git a/libs/pricing.py b/libs/pricing.py new file mode 100644 index 0000000..aace0ab --- /dev/null +++ b/libs/pricing.py 
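Review bot: describe_user_profiles prints the raw API response unconditionally (`print(response)` under the `# debug` comment) while the result-handling block beneath it is left commented out, so the function never reaches pp.pprint and the caller gets an unformatted dict dump. Replace the debug print and the commented-out `Stacks` block with the shape the other functions use, e.g. `for r in response.get('UserProfiles', []): pp.pprint(r)` (DescribeUserProfiles returns its entries under `UserProfiles`, not `Stacks`). The `elif ... == 'EndpointConnectionError'` branch inside the ClientError handler is unreachable here: botocore raises EndpointConnectionError as its own exception type, which the preceding `except botocore.exceptions.EndpointConnectionError` already catches, and that handler's "Unexpected error" wording understates an expected connectivity failure, so printing the `[-] Cant connect to the {} endpoint [-]` message there instead would be clearer. User profiles are presumably account-wide rather than regional, so the loop over `regions` will print the same set once per region — worth confirming.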
@@ -0,0 +1,39 @@ +''' +Pricing Library +''' + +import boto3 +import botocore +import pprint +import sys + +pp = pprint.PrettyPrinter(indent=5, width=80) + +#from http://docs.aws.amazon.com/general/latest/gr/rande.html +regions = ['us-east-1', 'ap-south-1', ] + + +def pricing_describe_services(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): + try: + for region in regions: + client = boto3.client('pricing', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region) + response = client.describe_services() + print(response) + if response.get('Services') is None: + print("{} likely does not have Pricing permissions\n" .format(AWS_ACCESS_KEY_ID)) + elif len(response['Services']) <= 0: + print("[-] Describe Pricing Services allowed for {} but no results [-]" .format(region)) + else: + print("### {} Services ###" .format(region)) + for tables in response['ServiceCode']: + pp.pprint(tables) + print("\n") + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'UnauthorizedOperation': + print('{} : (UnauthorizedOperation) when calling the Pricing DescribeServices' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print(e) + except KeyboardInterrupt: + print("CTRL-C received, exiting...") diff --git a/libs/rds.py b/libs/rds.py index 2bcbfa3..58ea635 100644 --- a/libs/rds.py +++ b/libs/rds.py 
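Review bot: In pricing_describe_services the success branch iterates `response['ServiceCode']`, but the check just above it already treats `Services` as the list key, and DescribeServices returns its entries (each with a `ServiceCode` and `AttributeNames`) under `Services`; as written the loop raises KeyError, which the `except botocore.exceptions.ClientError` handler does not catch. Change it to `for service in response['Services']:` followed by `pp.pprint(service)`. The unconditional `print(response)` before the checks looks like leftover debugging, and the handler lacks the `InvalidClientTokenId` → `sys.exit` branch the other libs use, so an invalid key falls through to `print(e)` instead of stopping the run. The response may also carry a `NextToken` when the service list spans more than one page; pagination is not handled here.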
@@ -9,22 +9,29 @@ regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1', ' def describe_db_instances(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): - print("doing stuff") - try: - for region in regions: - client = boto3.client( - 'rds', - aws_access_key_id = AWS_ACCESS_KEY_ID, - aws_secret_access_key = AWS_SECRET_ACCESS_KEY, - region_name=region - ) + print("doing stuff") + try: + for region in regions: + client = boto3.client( + 'rds', + aws_access_key_id = AWS_ACCESS_KEY_ID, + aws_secret_access_key = AWS_SECRET_ACCESS_KEY, + region_name=region + ) - instances = client.describe_db_instances() - for r in instances['DBInstances']: - for i in r['Instances']: - pp.pprint(i) + instances = client.describe_db_instances() + for r in instances['DBInstances']: + for i in r['Instances']: + pp.pprint(i) - except botocore.exceptions.ClientError as e: - print(e) - except KeyboardInterrupt: - print("CTRL-C received, exiting...") + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'AccessDenied': + print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) + except KeyboardInterrupt: + print("CTRL-C received, exiting...") diff --git a/libs/route53.py b/libs/route53.py index d173a78..609cd0a 100644 --- a/libs/route53.py +++ b/libs/route53.py 
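Review bot: The re-indented body of describe_db_instances still walks `instances['DBInstances']` and then `r['Instances']`, but DescribeDBInstances returns the instance records directly as the elements of `DBInstances` (there is no nested `Instances` key), so the first successful call raises KeyError, which the new ClientError handler does not catch. Replace the nested loop with `for i in instances['DBInstances']:` followed by `pp.pprint(i)`. The new handler also calls `sys.exit`, so confirm rds.py imports `sys` (its import block is outside this hunk), and the `print("doing stuff")` placeholder could follow the `### Printing ... ###` banner convention the other libs use.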
@@ -40,6 +40,10 @@ def list_geolocations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'OptInRequired': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: diff --git a/libs/s3.py b/libs/s3.py index 1aec960..274f890 100644 --- a/libs/s3.py +++ b/libs/s3.py @@ -54,8 +54,10 @@ def get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket): print("\n") elif e.response['Error']['Code'] == 'AllAccessDisabled': print('{} : cant list s3 bucket policy [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: - print ("Unexpected error: {}" .format(e)) + print("Unexpected error: {}" .format(e)) try: acl = client.get_bucket_acl(Bucket=bucket) 
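Review bot: The two new elif branches in list_geolocations test `SubscriptionRequiredException` and `OptInRequired` separately only to print the identical message; a single `elif e.response['Error']['Code'] in ('SubscriptionRequiredException', 'OptInRequired'):` is clearer. The same branch and the same literal message are copy-pasted into every handler this commit touches — s3.py (all five hunks), sqs.py, sts.py, rds.py, opsworks.py, iam.py — so a small shared helper such as `handle_client_error(e, AWS_ACCESS_KEY_ID, region=None)` in a common module would leave each lib with one line in its except and would have surfaced the inconsistencies between files (s3.py's `sys.exit` messages omit the key id, pricing.py omits the `InvalidClientTokenId` branch entirely). The message text also overstates what the error proves: a subscription/opt-in error can be returned for a non-root principal in an account that has simply never enabled that service, so "usually means you have a root account" is at best a hint and should be worded as one.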
@@ -73,16 +75,20 @@ def get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket): print("\n") elif e.response['Error']['Code'] == 'AllAccessDisabled': print('{} : cant list s3 bucket acl [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: - print ("Unexpected error: {}" .format(e)) + print("Unexpected error: {}" .format(e)) except botocore.exceptions.ClientError as e: if e.response['Error']['Code'] == 'InvalidClientTokenId': sys.exit("The AWS KEY IS INVALID. Exiting") elif e.response['Error']['Code'] == 'NotSignedUp': print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: - print ("Unexpected error: {}" .format(e)) + print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") @@ -107,8 +113,10 @@ def get_s3object_acl(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket, myfile): sys.exit("The AWS KEY IS INVALID. Exiting") elif e.response['Error']['Code'] == 'NotSignedUp': print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: - print ("Unexpected error: {}" .format(e)) + print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") 
@@ -133,8 +141,10 @@ def get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'NotSignedUp': print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: - print ("Unexpected error: {}" .format(e)) + print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") @@ -158,7 +168,9 @@ def get_s3objects_for_account_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) sys.exit("The AWS KEY IS INVALID. Exiting") elif e.response['Error']['Code'] == 'NotSignedUp': print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: - print ("Unexpected error: {}" .format(e)) + print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") diff --git a/libs/sqs.py b/libs/sqs.py index d8aa7d6..c189778 100644 --- a/libs/sqs.py +++ b/libs/sqs.py @@ -26,6 +26,8 @@ def sqs_list_queues(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) elif e.response['Error']['Code'] == 'AccessDenied': print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) else: print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: 
diff --git a/libs/sts.py b/libs/sts.py index eba6ca2..3bd5bb3 100644 --- a/libs/sts.py +++ b/libs/sts.py @@ -13,6 +13,16 @@ def get_accountid(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): client = boto3.client("sts", aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY) account_id = client.get_caller_identity()["Account"] print("Account Id: {}" .format(account_id)) + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'EndpointConnectionError': + print("[-] Cant connect to the {} endpoint [-]" .format(region)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) + except KeyboardInterrupt: print("CTRL-C received, exiting...") @@ -28,6 +38,15 @@ def get_accountid_all(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): print("Account Id: {}" .format(account_id)) print("Account UserID: {}" .format(account_userid) ) print("Account ARN: {}" .format(account_arn) ) + except botocore.exceptions.ClientError as e: + if e.response['Error']['Code'] == 'InvalidClientTokenId': + sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) + elif e.response['Error']['Code'] == 'EndpointConnectionError': + print("[-] Cant connect to the {} endpoint [-]" .format(region)) + elif e.response['Error']['Code'] == 'SubscriptionRequiredException': + print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID)) + else: + print("Unexpected error: {}" .format(e)) except KeyboardInterrupt: print("CTRL-C received, exiting...") diff --git a/modules/ce.py b/modules/ce.py new file mode 100644 index 0000000..35a5354 --- /dev/null 
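Review bot: The `EndpointConnectionError` branch added to get_accountid formats `region`, but nothing in get_accountid assigns it (the client is built without `region_name` and there is no loop over regions), so unless sts.py defines a module-level `region` that branch raises NameError from inside the except handler; the identical branch in get_accountid_all in the second hunk has the same problem. The branch is also not reachable as a ClientError code: botocore raises EndpointConnectionError as a separate exception type rather than as a ClientError with that code, so either add an `except botocore.exceptions.EndpointConnectionError` clause or drop the branch. As with rds.py, confirm `sys` is imported in sts.py, since `sys.exit` is new in this file.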
+++ b/modules/ce.py @@ -0,0 +1,12 @@ +''' +This file is used to perform various Cost Explorer operations +usually have to be root or be specifically assigned the +permission to get anything from this +''' + +from libs.ce import * +from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY + + +def step_cost_explorer_get_cost_and_usage(): + ce_get_cost_and_usage(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) \ No newline at end of file diff --git a/modules/cloudtrail.py b/modules/cloudtrail.py new file mode 100644 index 0000000..3f6ce18 --- /dev/null +++ b/modules/cloudtrail.py @@ -0,0 +1,13 @@ +''' +This file is used to perform cloudtrail actions +''' +from libs.cloudtrail import * +from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY + + +def step_cloudtrail_describe_trails(): + describe_trails(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) + + +def step_cloudtrail_list_public_keys(): + list_public_keys(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) \ No newline at end of file diff --git a/modules/iam.py b/modules/iam.py new file mode 100644 index 0000000..cdbc9a3 --- /dev/null +++ b/modules/iam.py @@ -0,0 +1,22 @@ +''' +IAM recon functions +''' +from libs.iam import * + +from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY + + +def step_iam_list_groups(): + iam_list_groups(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) + + +def step_iam_get_user(): + iam_get_user(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) + + +def step_iam_get_account_summary(): + iam_get_account_summary(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) + + +def step_iam_list_users(): + iam_list_users(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) \ No newline at end of file diff --git a/modules/opsworks.py b/modules/opsworks.py index 2b65558..b51f3eb 100644 --- a/modules/opsworks.py +++ b/modules/opsworks.py 
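Review bot: The new step modules (modules/ce.py here, and likewise modules/cloudtrail.py, modules/iam.py, modules/pricing.py, modules/route53.py and the modules/opsworks.py addition) pull their lib functions in with `from libs.<x> import *`, which hides which names each step actually depends on and lets every lib's module-level names (`regions`, `pp`, `boto3`, `sys`) leak into the module namespace. Import the specific functions instead, e.g. `from libs.ce import ce_get_cost_and_usage`, so a missing or renamed lib function fails at import time with a clear message rather than as a NameError when the step runs. Several of the new files also lack a trailing newline (`\ No newline at end of file`).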
@@ -4,3 +4,7 @@ from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY def step_opsworks_describe_stacks(): describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) + + +def step_opsworks_describe_user_profiles(): + describe_user_profiles(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) \ No newline at end of file diff --git a/modules/pricing.py b/modules/pricing.py new file mode 100644 index 0000000..ea8d6d9 --- /dev/null +++ b/modules/pricing.py @@ -0,0 +1,12 @@ +''' +This file is used to perform various pricing operations +usually have to be root or be specifically assigned the +permission to get anything from this +''' + +from libs.pricing import * +from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY + + +def step_pricing_describe_services(): + pricing_describe_services(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) diff --git a/modules/route53.py b/modules/route53.py new file mode 100644 index 0000000..f8829a9 --- /dev/null +++ b/modules/route53.py @@ -0,0 +1,10 @@ +''' +route53 functions +''' +from libs.route53 import * + +from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY + + +def step_route53_list_geolocations(): + list_geolocations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) \ No newline at end of file