dash/weirdAAL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mostly fixes to handle a root key that has perms but shit isnt actually set up

Browse Source
This commit is contained in:
carnal0wnage
2018-04-11 22:50:24 -04:00
parent c6802744f1
commit 89e758a4cf
27 changed files with 543 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
libs/aws_lambda.py
View File

@@ -37,7 +37,14 @@ def list_functions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
pp.pprint(r) pp.pprint(r)
print("\n") print("\n")
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
print(e) if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")
@@ -65,6 +72,13 @@ def list_event_source_mappings(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
pp.pprint(r) pp.pprint(r)
print("\n") print("\n")
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
print(e) if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")

40
libs/ce.py Normal file
View File

@@ -0,0 +1,40 @@
'''
Cost Explorer Library
'''
import boto3
import botocore
import pprint
import sys
pp = pprint.PrettyPrinter(indent=5, width=80)
#from http://docs.aws.amazon.com/general/latest/gr/rande.html
regions = ['us-east-1', ]
def ce_get_cost_and_usage(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
try:
for region in regions:
client = boto3.client('ce', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
response = client.get_cost_and_usage(TimePeriod={'Start': '2018-01-01', 'End': '2018-04-01'}, Granularity='MONTHLY', Metrics=["BlendedCost", "UnblendedCost", "UsageQuantity"],)
print(response)
#if response.get('Services') is None:
# print("{} likely does not have Pricing permissions\n" .format(AWS_ACCESS_KEY_ID))
#elif len(response['Services']) <= 0:
# print("[-] Describe Pricing Services allowed for {} but no results [-]" .format(region))
#else:
# print("### {} Services ###" .format(region))
# for tables in response['ServiceCode']:
# pp.pprint(tables)
# print("\n")
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'UnauthorizedOperation':
print('{} : (UnauthorizedOperation) when calling the DescribeInstances -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDeniedException':
print('{} : (AccessDenied) when calling the Get Cost & Usage' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print(e)
except KeyboardInterrupt:
print("CTRL-C received, exiting...")

84
libs/cloudtrail.py Normal file
View File

@@ -0,0 +1,84 @@
'''
Cloudtrail functions
'''
import boto3
import botocore
import os
import pprint
import sys
pp = pprint.PrettyPrinter(indent=5, width=80)
# from http://docs.aws.amazon.com/general/latest/gr/rande.html
regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ap-northeast-1', 'ap-northeast-2', 'ap-northeast-3', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'sa-east-1' ]
# 'cn-north-1', 'cn-northwest-1', 'us-gov-west-1' throwing An error occurred (UnrecognizedClientException) when calling the DescribeTrails operation: The security token included in the request is invalid.
def describe_trails(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print("### Printing CloudTrail DescribeTrails ###")
try:
for region in regions:
client = boto3.client('cloudtrail', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
response = client.describe_trails()
# print (response)
# print(region)
if response['trailList'] is None:
print("{} likely does not have CloudTrail permissions\n" .format(AWS_ACCESS_KEY_ID))
elif len(response['trailList']) <= 0:
print("[-] ListTrails allowed for {} but no results [-]" .format(region))
else:
print("### {} CloudTrail Trails ###" .format(region))
for trail in response['trailList']:
pp.pprint(trail)
print("\n")
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
#elif e.response['Error']['Code'] == 'UnrecognizedClientException':
# print('{} : UnrecognizedClientException error' .format(AWS_ACCESS_KEY_ID))
# pass
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
pass
except KeyboardInterrupt:
print("CTRL-C received, exiting...")
def list_public_keys(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print("### Printing CloudTrail DescribeTrails ###")
try:
for region in regions:
client = boto3.client('cloudtrail', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
response = client.list_public_keys()
# print (response)
# print(region)
if response['PublicKeyList'] is None:
print("{} likely does not have CloudTrail permissions\n" .format(AWS_ACCESS_KEY_ID))
elif len(response['PublicKeyList']) <= 0:
print("[-] PublicKeyList allowed for {} but no results [-]" .format(region))
else:
print("### {} CloudTrail Public Keys ###" .format(region))
for keys in response['PublicKeyList']:
pp.pprint(keys)
print("\n")
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
pass
except KeyboardInterrupt:
print("CTRL-C received, exiting...")

16
libs/cloudwatch.py
View File

@@ -28,8 +28,12 @@ def describe_alarms(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'OptInRequired':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print ("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")
@@ -55,8 +59,12 @@ def describe_alarm_history(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print ('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) print ('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'OptInRequired':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print ("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")
@@ -82,6 +90,10 @@ def list_metrics(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print ('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) print ('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'OptInRequired':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print ("Unexpected error: {}" .format(e)) print ("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

4
libs/config.py
View File

@@ -31,6 +31,8 @@ def describe_configuration_recorders(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, r
elif e.response['Error']['Code'] == 'AccessDeniedException': elif e.response['Error']['Code'] == 'AccessDeniedException':
print('[-] {} : does not have config access. Did you check first?' .format(AWS_ACCESS_KEY_ID)) print('[-] {} : does not have config access. Did you check first?' .format(AWS_ACCESS_KEY_ID))
pass pass
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -56,6 +58,8 @@ def describe_configuration_rules(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, regio
elif e.response['Error']['Code'] == 'AccessDeniedException': elif e.response['Error']['Code'] == 'AccessDeniedException':
print('[-] {} : does not have config access. Did you check first?' .format(AWS_ACCESS_KEY_ID)) print('[-] {} : does not have config access. Did you check first?' .format(AWS_ACCESS_KEY_ID))
pass pass
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

2
libs/datapipeline.py
View File

@@ -34,6 +34,8 @@ def list_pipelines(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

6
libs/dynamodb.py
View File

@@ -35,6 +35,8 @@ def list_dynamodb_tables(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -64,6 +66,8 @@ def list_dynamodb_tables_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDeniedException': elif e.response['Error']['Code'] == 'AccessDeniedException':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -98,6 +102,8 @@ def describe_table(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, table, region):
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDeniedException': elif e.response['Error']['Code'] == 'AccessDeniedException':
print('{} : Does not have the required DescribeTable permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required DescribeTable permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

2
libs/dynamodbstreams.py
View File

@@ -35,6 +35,8 @@ def list_dynamodbstreams(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

10
libs/ec2.py
View File

@@ -46,6 +46,8 @@ def review_encrypted_volumes(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'UnauthorizedOperation': if e.response['Error']['Code'] == 'UnauthorizedOperation':
print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print(e) print(e)
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -68,6 +70,8 @@ def get_instance_details(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'UnauthorizedOperation': if e.response['Error']['Code'] == 'UnauthorizedOperation':
print('{} : (UnauthorizedOperation) when calling the DescribeInstances -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) print('{} : (UnauthorizedOperation) when calling the DescribeInstances -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print(e) print(e)
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -95,6 +99,8 @@ def get_instance_details_basic(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'UnauthorizedOperation': if e.response['Error']['Code'] == 'UnauthorizedOperation':
print('{} : (UnauthorizedOperation) when calling the DescribeInstances-- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) print('{} : (UnauthorizedOperation) when calling the DescribeInstances-- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print(e) print(e)
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -118,6 +124,8 @@ def get_instance_volume_details(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'UnauthorizedOperation': if e.response['Error']['Code'] == 'UnauthorizedOperation':
print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have required ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have required ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print(e) print(e)
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -143,6 +151,8 @@ def get_instance_volume_details2(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'UnauthorizedOperation': if e.response['Error']['Code'] == 'UnauthorizedOperation':
print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have the required ec2 permissions?' .format(AWS_ACCESS_KEY_ID)) print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have the required ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print(e) print(e)
except KeyboardInterrupt: except KeyboardInterrupt:

4
libs/ecr.py
View File

@@ -21,7 +21,7 @@ def describe_repositories(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
response = client.describe_repositories() response = client.describe_repositories()
# print response # print (response)
if response.get('repositories') is None: if response.get('repositories') is None:
print("{} likely does not have ECR permissions\n" .format(AWS_ACCESS_KEY_ID)) print("{} likely does not have ECR permissions\n" .format(AWS_ACCESS_KEY_ID))
@@ -38,6 +38,8 @@ def describe_repositories(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

10
libs/elasticbeanstalk.py
View File

@@ -39,6 +39,8 @@ def describe_applications(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -70,6 +72,8 @@ def describe_application_versions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -107,6 +111,8 @@ def describe_configuration_options(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -138,6 +144,8 @@ def describe_environments(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -169,6 +177,8 @@ def describe_events(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

4
libs/emr.py
View File

@@ -37,6 +37,8 @@ def list_clusters(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -68,6 +70,8 @@ def list_security_configurations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

4
libs/firehose.py
View File

@@ -36,6 +36,8 @@ def firehose_list_delivery_streams(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -67,6 +69,8 @@ def firehose_describe_delivery_streams(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

123
libs/iam.py
View File

@@ -13,7 +13,7 @@ import pprint
pp = pprint.PrettyPrinter(indent=5, width=80) pp = pprint.PrettyPrinter(indent=5, width=80)
region = 'us-east-1' regions = ['us-east-1']
def check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): def check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY,region_name=region) client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY,region_name=region)
@@ -51,6 +51,8 @@ def check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("The AWS KEY IS INVALID. Exiting") sys.exit("The AWS KEY IS INVALID. Exiting")
if e.response['Error']['Code'] == 'AccessDenied': if e.response['Error']['Code'] == 'AccessDenied':
print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID)) print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
@@ -194,3 +196,122 @@ def make_backdoor_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username, pa
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")
def iam_list_groups(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print("### Printing IAM Groups ###")
try:
for region in regions:
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
response = client.list_groups()
if response.get('Groups') is None:
print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID))
elif len(response['Groups']) <= 0:
print("[-] ListGroups allowed for {} but no results [-]\n" .format(region))
else:
# print(response)
print ("### {} Groups ###" .format(region))
for group in response['Groups']:
pp.pprint(group)
print("\n")
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Is NOT a root key' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'OptInRequired':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt:
print("CTRL-C received, exiting...")
def iam_get_user(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print("### Printing IAM User Info ###")
try:
for region in regions:
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
response = client.get_user()
print(response)
if response.get('User') is None:
print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID))
elif len(response['User']) <= 0:
print("[-] GetUser allowed for {} but no results [-]\n" .format(region))
else:
# print(response)
print ("### {} User Account Info ###" .format(region))
for key, value in response['User'].items():
print(key,':', value)
print("\n")
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'OptInRequired':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt:
print("CTRL-C received, exiting...")
def iam_get_account_summary(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print("### Printing IAM Account Summary ###")
try:
for region in regions:
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
response = client.get_account_summary()
# print(response)
if response.get('SummaryMap') is None:
print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID))
elif len(response['SummaryMap']) <= 0:
print("[-] GetAccountSummary allowed for {} but no results [-]\n" .format(region))
else:
pp.pprint(response['SummaryMap'])
# print(response)
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'OptInRequired':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt:
print("CTRL-C received, exiting...")
def iam_list_users(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print("### Printing IAM Users ###")
try:
for region in regions:
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
response = client.list_users()
# print(response)
if response.get('Users') is None:
print("{} likely does not have IAM permissions\n" .format(AWS_ACCESS_KEY_ID))
elif len(response['Users']) <= 0:
print("[-] ListUsers allowed for {} but no results [-]\n" .format(region))
else:
pp.pprint(response['Users'])
# print(response)
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Is NOT a root/IAM key' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'OptInRequired':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt:
print("CTRL-C received, exiting...")

46
libs/opsworks.py
View File

@@ -6,7 +6,7 @@ pp = pprint.PrettyPrinter(indent=5, width=80)
# from http://docs.aws.amazon.com/general/latest/gr/rande.html # from http://docs.aws.amazon.com/general/latest/gr/rande.html
# http://docs.aws.amazon.com/general/latest/gr/rande.html#opsworks_region # http://docs.aws.amazon.com/general/latest/gr/rande.html#opsworks_region
regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', ] regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ap-northeast-1', 'ap-northeast-2', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-1', 'ca-central-1', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'sa-east-1' ]
def describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): def describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
@@ -23,9 +23,9 @@ def describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
# debug # debug
# print(response) # print(response)
if response.get('Stacks') is None: if response.get('Stacks') is None:
print("{} likely does not have Lambda permissions\n" .format(AWS_ACCESS_KEY_ID)) print("{} likely does not have Opsworks permissions\n" .format(AWS_ACCESS_KEY_ID))
elif len(response['Stacks']) <= 0: elif len(response['Stacks']) <= 0:
print("[-] DescribeStacks allowed for {} but no results (everyone seems to have this permission) [-]\n" .format(region)) print("[-] DescribeStacks allowed for {} but no results [-]\n" .format(region))
else: # THIS PART IS UNTESTED else: # THIS PART IS UNTESTED
for r in response['Stacks']: for r in response['Stacks']:
pp.pprint(r) pp.pprint(r)
@@ -37,7 +37,47 @@ def describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'EndpointConnectionError': elif e.response['Error']['Code'] == 'EndpointConnectionError':
print("[-] Cant connect to the {} endpoint [-]" .format(region)) print("[-] Cant connect to the {} endpoint [-]" .format(region))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")
def describe_user_profiles(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print('#### Listing User Profiles ####')
try:
for region in regions:
client = boto3.client(
'opsworks',
aws_access_key_id=AWS_ACCESS_KEY_ID,
aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
region_name=region
)
response = client.describe_user_profiles()
# debug
print(response)
#if response.get('Stacks') is None:
# print("{} likely does not have Lambda permissions\n" .format(AWS_ACCESS_KEY_ID))
#elif len(response['Stacks']) <= 0:
# print("[-] DescribeStacks allowed for {} but no results (everyone seems to have this permission) [-]\n" .format(region))
#else: # THIS PART IS UNTESTED
# for r in response['Stacks']:
# pp.pprint(r)
except botocore.exceptions.EndpointConnectionError as e:
print("Unexpected error: {}" .format(e))
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'EndpointConnectionError':
print("[-] Cant connect to the {} endpoint [-]" .format(region))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt:
print("CTRL-C received, exiting...")

39
libs/pricing.py Normal file
View File

@@ -0,0 +1,39 @@
'''
Pricing Library
'''
import boto3
import botocore
import pprint
import sys
pp = pprint.PrettyPrinter(indent=5, width=80)
#from http://docs.aws.amazon.com/general/latest/gr/rande.html
regions = ['us-east-1', 'ap-south-1', ]
def pricing_describe_services(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
try:
for region in regions:
client = boto3.client('pricing', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
response = client.describe_services()
print(response)
if response.get('Services') is None:
print("{} likely does not have Pricing permissions\n" .format(AWS_ACCESS_KEY_ID))
elif len(response['Services']) <= 0:
print("[-] Describe Pricing Services allowed for {} but no results [-]" .format(region))
else:
print("### {} Services ###" .format(region))
for tables in response['ServiceCode']:
pp.pprint(tables)
print("\n")
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'UnauthorizedOperation':
print('{} : (UnauthorizedOperation) when calling the Pricing DescribeServices' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print(e)
except KeyboardInterrupt:
print("CTRL-C received, exiting...")

41
libs/rds.py
View File

@@ -9,22 +9,29 @@ regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1', '
def describe_db_instances(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY): def describe_db_instances(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print("doing stuff") print("doing stuff")
try: try:
for region in regions: for region in regions:
client = boto3.client( client = boto3.client(
'rds', 'rds',
aws_access_key_id = AWS_ACCESS_KEY_ID, aws_access_key_id = AWS_ACCESS_KEY_ID,
aws_secret_access_key = AWS_SECRET_ACCESS_KEY, aws_secret_access_key = AWS_SECRET_ACCESS_KEY,
region_name=region region_name=region
) )
instances = client.describe_db_instances() instances = client.describe_db_instances()
for r in instances['DBInstances']: for r in instances['DBInstances']:
for i in r['Instances']: for i in r['Instances']:
pp.pprint(i) pp.pprint(i)
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
print(e) if e.response['Error']['Code'] == 'InvalidClientTokenId':
except KeyboardInterrupt: sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
print("CTRL-C received, exiting...") elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt:
print("CTRL-C received, exiting...")

4
libs/route53.py
View File

@@ -40,6 +40,10 @@ def list_geolocations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'OptInRequired':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

24
libs/s3.py
View File

@@ -54,8 +54,10 @@ def get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket):
print("\n") print("\n")
elif e.response['Error']['Code'] == 'AllAccessDisabled': elif e.response['Error']['Code'] == 'AllAccessDisabled':
print('{} : cant list s3 bucket policy [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID)) print('{} : cant list s3 bucket policy [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print ("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
try: try:
acl = client.get_bucket_acl(Bucket=bucket) acl = client.get_bucket_acl(Bucket=bucket)
@@ -73,16 +75,20 @@ def get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket):
print("\n") print("\n")
elif e.response['Error']['Code'] == 'AllAccessDisabled': elif e.response['Error']['Code'] == 'AllAccessDisabled':
print('{} : cant list s3 bucket acl [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID)) print('{} : cant list s3 bucket acl [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print ("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except botocore.exceptions.ClientError as e: except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId': if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("The AWS KEY IS INVALID. Exiting") sys.exit("The AWS KEY IS INVALID. Exiting")
elif e.response['Error']['Code'] == 'NotSignedUp': elif e.response['Error']['Code'] == 'NotSignedUp':
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID)) print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print ("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")
@@ -107,8 +113,10 @@ def get_s3object_acl(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket, myfile):
sys.exit("The AWS KEY IS INVALID. Exiting") sys.exit("The AWS KEY IS INVALID. Exiting")
elif e.response['Error']['Code'] == 'NotSignedUp': elif e.response['Error']['Code'] == 'NotSignedUp':
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID)) print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print ("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")
@@ -133,8 +141,10 @@ def get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID)) print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'NotSignedUp': elif e.response['Error']['Code'] == 'NotSignedUp':
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID)) print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print ("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")
@@ -158,7 +168,9 @@ def get_s3objects_for_account_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
sys.exit("The AWS KEY IS INVALID. Exiting") sys.exit("The AWS KEY IS INVALID. Exiting")
elif e.response['Error']['Code'] == 'NotSignedUp': elif e.response['Error']['Code'] == 'NotSignedUp':
print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID)) print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print ("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")

2
libs/sqs.py
View File

@@ -26,6 +26,8 @@ def sqs_list_queues(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID)) sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'AccessDenied': elif e.response['Error']['Code'] == 'AccessDenied':
print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID)) print('{} : Does not have the required permissions' .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else: else:
print("Unexpected error: {}" .format(e)) print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:

19
libs/sts.py
View File

@@ -13,6 +13,16 @@ def get_accountid(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
client = boto3.client("sts", aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY) client = boto3.client("sts", aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
account_id = client.get_caller_identity()["Account"] account_id = client.get_caller_identity()["Account"]
print("Account Id: {}" .format(account_id)) print("Account Id: {}" .format(account_id))
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'EndpointConnectionError':
print("[-] Cant connect to the {} endpoint [-]" .format(region))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")
@@ -28,6 +38,15 @@ def get_accountid_all(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
print("Account Id: {}" .format(account_id)) print("Account Id: {}" .format(account_id))
print("Account UserID: {}" .format(account_userid) ) print("Account UserID: {}" .format(account_userid) )
print("Account ARN: {}" .format(account_arn) ) print("Account ARN: {}" .format(account_arn) )
except botocore.exceptions.ClientError as e:
if e.response['Error']['Code'] == 'InvalidClientTokenId':
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
elif e.response['Error']['Code'] == 'EndpointConnectionError':
print("[-] Cant connect to the {} endpoint [-]" .format(region))
elif e.response['Error']['Code'] == 'SubscriptionRequiredException':
print('{} : Has permissions but isnt signed up for service - usually means you have a root account' .format(AWS_ACCESS_KEY_ID))
else:
print("Unexpected error: {}" .format(e))
except KeyboardInterrupt: except KeyboardInterrupt:
print("CTRL-C received, exiting...") print("CTRL-C received, exiting...")

12
modules/ce.py Normal file
View File

@@ -0,0 +1,12 @@
'''
This file is used to perform various Cost Explorer operations
usually have to be root or be specifically assigned the
permission to get anything from this
'''
from libs.ce import *
from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
def step_cost_explorer_get_cost_and_usage():
ce_get_cost_and_usage(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

13
modules/cloudtrail.py Normal file
View File

@@ -0,0 +1,13 @@
'''
This file is used to perform cloudtrail actions
'''
from libs.cloudtrail import *
from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
def step_cloudtrail_describe_trails():
describe_trails(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
def step_cloudtrail_list_public_keys():
list_public_keys(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

22
modules/iam.py Normal file
View File

@@ -0,0 +1,22 @@
'''
IAM recon functions
'''
from libs.iam import *
from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
def step_iam_list_groups():
iam_list_groups(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
def step_iam_get_user():
iam_get_user(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
def step_iam_get_account_summary():
iam_get_account_summary(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
def step_iam_list_users():
iam_list_users(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

4
modules/opsworks.py
View File

@@ -4,3 +4,7 @@ from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
def step_opsworks_describe_stacks(): def step_opsworks_describe_stacks():
describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
def step_opsworks_describe_user_profiles():
describe_user_profiles(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

12
modules/pricing.py Normal file
View File

@@ -0,0 +1,12 @@
'''
This file is used to perform various pricing operations
usually have to be root or be specifically assigned the
permission to get anything from this
'''
from libs.pricing import *
from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
def step_pricing_describe_services():
pricing_describe_services(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

10
modules/route53.py Normal file
View File

@@ -0,0 +1,10 @@
'''
route53 functions
'''
from libs.route53 import *
from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
def step_route53_list_geolocations():
list_geolocations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)