Ken Johnson
@@ -10,7 +10,6 @@ import datetime #change as required once we decide time format
|
||||
|
||||
from libs.sql import *
|
||||
|
||||
|
||||
# we chould probably load this from one place in the future #TODO
|
||||
db_name = "weirdAAL.db"
|
||||
|
||||
|
||||
@@ -32,7 +32,7 @@ def describe_configuration_recorders(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, r
|
||||
print('[-] {} : does not have config access. Did you check first?' .format(AWS_ACCESS_KEY_ID))
|
||||
pass
|
||||
else:
|
||||
print "Unexpected error: {}" .format(e)
|
||||
print("Unexpected error: {}" .format(e))
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
@@ -57,8 +57,8 @@ def describe_configuration_rules(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, regio
|
||||
print('[-] {} : does not have config access. Did you check first?' .format(AWS_ACCESS_KEY_ID))
|
||||
pass
|
||||
else:
|
||||
print "Unexpected error: {}" .format(e)
|
||||
print("Unexpected error: {}" .format(e))
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
return response
|
||||
return response
|
||||
|
||||
@@ -16,19 +16,18 @@ def list_pipelines(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("### Printing Data Pipeline Pipelines ###")
|
||||
try:
|
||||
for region in regions:
|
||||
client = boto3.client('datapipeline', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
response = client.list_pipelines()
|
||||
print"### {} Data Pipelines ###" .format(region)
|
||||
if response.get('pipelineIdList') is None:
|
||||
print("{} likely does not have Data Pipeline permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['pipelineIdList']) <= 0:
|
||||
print("[-] ListPipelines allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} Data Pipelines ###" .format(region)
|
||||
for pipes in response['pipelineIdList']:
|
||||
pp.pprint(pipes)
|
||||
print("\n")
|
||||
client = boto3.client('datapipeline', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
response = client.list_pipelines()
|
||||
print("### {} Data Pipelines ###" .format(region))
|
||||
if response.get('pipelineIdList') is None:
|
||||
print("{} likely does not have Data Pipeline permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['pipelineIdList']) <= 0:
|
||||
print("[-] ListPipelines allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print("### {} Data Pipelines ###" .format(region))
|
||||
for pipes in response['pipelineIdList']:
|
||||
pp.pprint(pipes)
|
||||
print("\n")
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
|
||||
@@ -15,19 +15,18 @@ regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1', '
|
||||
def list_dynamodb_tables(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("### Printing DynamoDB Tables ###")
|
||||
try:
|
||||
for region in regions:
|
||||
client = boto3.client('dynamodb', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
response = client.list_tables()
|
||||
if response.get('TableNames') is None:
|
||||
print("{} likely does not have DynamoDB permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['TableNames']) <= 0:
|
||||
print("[-] ListTables allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} DynamoDB Tables ###" .format(region)
|
||||
for tables in response['TableNames']:
|
||||
pp.pprint(tables)
|
||||
print("\n")
|
||||
for region in regions:
|
||||
client = boto3.client('dynamodb', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
response = client.list_tables()
|
||||
if response.get('TableNames') is None:
|
||||
print("{} likely does not have DynamoDB permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['TableNames']) <= 0:
|
||||
print("[-] ListTables allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print("### {} DynamoDB Tables ###" .format(region))
|
||||
for tables in response['TableNames']:
|
||||
pp.pprint(tables)
|
||||
print("\n")
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
@@ -42,19 +41,17 @@ def list_dynamodb_tables(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
def list_dynamodb_tables_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("### Printing DynamoDB Tables ###")
|
||||
try:
|
||||
for region in regions:
|
||||
client = boto3.client('dynamodb', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
response = client.list_tables()
|
||||
if response.get('TableNames') is None:
|
||||
print("{} likely does not have DynamoDB permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['TableNames']) <= 0:
|
||||
print("[-] ListTables allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} DynamoDB Tables ###" .format(region)
|
||||
for tables in response['TableNames']:
|
||||
#pp.pprint(tables)
|
||||
describe_table(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, tables, region)
|
||||
for region in regions:
|
||||
client = boto3.client('dynamodb', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
response = client.list_tables()
|
||||
if response.get('TableNames') is None:
|
||||
print("{} likely does not have DynamoDB permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['TableNames']) <= 0:
|
||||
print("[-] ListTables allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print("### {} DynamoDB Tables ###" .format(region))
|
||||
for tables in response['TableNames']:
|
||||
describe_table(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, tables, region)
|
||||
print("\n")
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
@@ -70,8 +67,7 @@ def list_dynamodb_tables_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
def describe_table(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, table, region):
|
||||
print("### Describing DynamoDB Table: {} ###" .format(table))
|
||||
try:
|
||||
client = boto3.client('dynamodb', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
client = boto3.client('dynamodb', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
response = client.describe_table(TableName=table)
|
||||
if response.get('Table') is None:
|
||||
print("{} likely does not have DynamoDB permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
|
||||
@@ -16,20 +16,18 @@ regions = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'ca-central-1', '
|
||||
def list_dynamodbstreams(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("### Printing DynamoDBstreams ###")
|
||||
try:
|
||||
for region in regions:
|
||||
client = boto3.client('dynamodbstreams', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
for region in regions:
|
||||
client = boto3.client('dynamodbstreams', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
if response.get('Streams') is None:
|
||||
print("{} likely does not have DynamoDB permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['Streams']) <= 0:
|
||||
print("[-] ListStreams allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print("### {} DynamoDB Streams ###" .format(region))
|
||||
for streams in response['Streams']:
|
||||
pp.pprint(streams)
|
||||
print("\n")
|
||||
|
||||
response = client.list_streams()
|
||||
if response.get('Streams') is None:
|
||||
print("{} likely does not have DynamoDB permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['Streams']) <= 0:
|
||||
print("[-] ListStreams allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} DynamoDB Streams ###" .format(region)
|
||||
for streams in response['Streams']:
|
||||
pp.pprint(streams)
|
||||
print("\n")
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
@@ -38,4 +36,4 @@ def list_dynamodbstreams(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
else:
|
||||
print("Unexpected error: {}" .format(e))
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
15
libs/ec2.py
15
libs/ec2.py
@@ -28,7 +28,7 @@ def review_encrypted_volumes(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
'Name' : 'status',
|
||||
'Values' : ['in-use']
|
||||
}])['Volumes']
|
||||
|
||||
|
||||
for volume in response:
|
||||
if volume['Encrypted']:
|
||||
encrypted.append(volume['VolumeId'])
|
||||
@@ -49,7 +49,7 @@ def review_encrypted_volumes(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
if e.response['Error']['Code'] == 'UnauthorizedOperation':
|
||||
print('{} : (UnauthorizedOperation) when calling the DescribeVolumes -- sure you have ec2 permissions?' .format(AWS_ACCESS_KEY_ID))
|
||||
else:
|
||||
print e
|
||||
print(e)
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
@@ -70,7 +70,7 @@ def get_instance_details(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
pp.pprint(i)
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
print e
|
||||
print(e)
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
@@ -91,9 +91,9 @@ def get_instance_volume_details(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
volumes = client.describe_instance_attribute(InstanceId=i['InstanceId'], Attribute='blockDeviceMapping')
|
||||
print ("Instance ID: {} \n" .format(i['InstanceId']))
|
||||
pp.pprint(volumes)
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
print e
|
||||
print(e)
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
@@ -115,9 +115,8 @@ def get_instance_volume_details2(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("InstandID:{} \n" .format(volume['Attachments'][0]['InstanceId']))
|
||||
pp.pprint(volume)
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
print e
|
||||
print(e)
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
|
||||
@@ -27,11 +27,11 @@ def describe_repositories(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
elif len(response['repositories']) <= 0:
|
||||
print("[-] DescribeRepositories allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} ECR Repositories ###" .format(region)
|
||||
print("### {} ECR Repositories ###" .format(region))
|
||||
for tables in response['repositories']:
|
||||
pp.pprint(tables)
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
|
||||
@@ -27,11 +27,11 @@ def describe_applications(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
elif len(response['Applications']) <= 0:
|
||||
print("[-] DescribeApplications allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} ElasticBeanstalk Applications ###" .format(region)
|
||||
print("### {} ElasticBeanstalk Applications ###" .format(region))
|
||||
for app in response['Applications']:
|
||||
pp.pprint(app)
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
@@ -57,11 +57,11 @@ def describe_application_versions(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
elif len(response['ApplicationVersions']) <= 0:
|
||||
print("[-] DescribeApplicationVersions allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} ElasticBeanstalk Application Versions ###" .format(region)
|
||||
print("### {} ElasticBeanstalk Application Versions ###" .format(region))
|
||||
for app in response['ApplicationVersions']:
|
||||
pp.pprint(app)
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
@@ -87,7 +87,7 @@ def describe_configuration_options(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
elif len(response['Options']) <= 0:
|
||||
print("[-] DescribeConfigurationOptions allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} ElasticBeanstalk Configuration Options ###" .format(region)
|
||||
print("### {} ElasticBeanstalk Configuration Options ###" .format(region))
|
||||
#if response['PlatformArn'] is None:
|
||||
# pass
|
||||
#else:
|
||||
@@ -96,7 +96,7 @@ def describe_configuration_options(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("SolutionStackName: {}" .format(response['SolutionStackName']))
|
||||
pp.pprint( "Options: {}" .format(response['Options']))
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
@@ -122,11 +122,11 @@ def describe_environments(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
elif len(response['Environments']) <= 0:
|
||||
print("[-] DescribeEnvironments allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} ElasticBeanstalk Environments ###" .format(region)
|
||||
print("### {} ElasticBeanstalk Environments ###" .format(region))
|
||||
for enviro in response['Environments']:
|
||||
pp.pprint(enviro)
|
||||
pp.pprint(enviro)
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
@@ -152,11 +152,11 @@ def describe_events(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
elif len(response['Events']) <= 0:
|
||||
print("[-] DescribeEvents allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} ElasticBeanstalk Events ###" .format(region)
|
||||
print("### {} ElasticBeanstalk Events ###" .format(region))
|
||||
for events in response['Events']:
|
||||
pp.pprint(events)
|
||||
pp.pprint(events)
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
@@ -166,4 +166,3 @@ def describe_events(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("Unexpected error: {}" .format(e))
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
|
||||
@@ -27,11 +27,11 @@ def list_clusters(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
elif len(response['Clusters']) <= 0:
|
||||
print("[-] ListClusters allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} EMR Clusters ###" .format(region)
|
||||
print("### {} EMR Clusters ###" .format(region))
|
||||
for app in response['Clusters']:
|
||||
pp.pprint(app)
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
@@ -57,11 +57,11 @@ def list_security_configurations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
elif len(response['SecurityConfigurations']) <= 0:
|
||||
print("[-] ListSecurityConfigurations allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} EMR Security Configuration ###" .format(region)
|
||||
print("### {} EMR Security Configuration ###" .format(region))
|
||||
for app in response['SecurityConfigurations']:
|
||||
pp.pprint(app)
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
@@ -71,4 +71,3 @@ def list_security_configurations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("Unexpected error: {}" .format(e))
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
|
||||
28
libs/iam.py
28
libs/iam.py
@@ -17,7 +17,7 @@ region = 'us-east-1'
|
||||
|
||||
def check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY,region_name=region)
|
||||
|
||||
|
||||
try:
|
||||
acct_summary = client.get_account_summary()
|
||||
if acct_summary:
|
||||
@@ -28,18 +28,18 @@ def check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
if client_list:
|
||||
print("Printing Users")
|
||||
pp.pprint(client_list['Users'])
|
||||
|
||||
|
||||
print("Checking for console access")
|
||||
for user in client_list['Users']:
|
||||
|
||||
|
||||
try:
|
||||
profile = client.get_login_profile(UserName=user['UserName'])
|
||||
if profile:
|
||||
print('User {} likely has console access and the password can be reset :-)' .format(user['UserName']))
|
||||
print("Checking for MFA on account")
|
||||
mfa = client.list_mfa_devices(UserName=user['UserName'])
|
||||
print mfa['MFADevices']
|
||||
|
||||
print(mfa['MFADevices'])
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'NoSuchEntity':
|
||||
print("[-]: user '{}' likely doesnt have console access" .format(user['UserName']))
|
||||
@@ -55,10 +55,10 @@ def check_root_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("Unexpected error: {}" .format(e))
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
|
||||
def change_user_console_password(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username, password):
|
||||
client = boto3.client('iam', aws_access_key_id = AWS_ACCESS_KEY_ID, aws_secret_access_key = AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
|
||||
try:
|
||||
response = client.update_login_profile(UserName=username,Password=password, PasswordResetRequired=False)
|
||||
print('Changing password for user: {} to password: {}' .format(username, password))
|
||||
@@ -76,7 +76,7 @@ def change_user_console_password(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, usern
|
||||
|
||||
def create_user_console_password(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username, password):
|
||||
client = boto3.client('iam', aws_access_key_id = AWS_ACCESS_KEY_ID, aws_secret_access_key = AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
|
||||
try:
|
||||
response = client.create_login_profile(UserName=username,Password=password, PasswordResetRequired=False)
|
||||
print('Changing password for user: %s to password: {}' .format(username, password))
|
||||
@@ -94,7 +94,7 @@ def create_user_console_password(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, usern
|
||||
|
||||
def get_password_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
client = boto3.client('iam', aws_access_key_id = AWS_ACCESS_KEY_ID, aws_secret_access_key = AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
|
||||
try:
|
||||
pass_policy = client.get_account_password_policy()
|
||||
print("Account Password Policy:")
|
||||
@@ -106,7 +106,7 @@ def get_password_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
|
||||
def create_user(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username):
|
||||
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
|
||||
try:
|
||||
print("Creating a new IAM user named: {}" .format(username))
|
||||
create_user = client.create_user(Path='/',UserName=username)
|
||||
@@ -123,7 +123,7 @@ def create_user(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username):
|
||||
|
||||
def create_access_key(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username):
|
||||
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
|
||||
try:
|
||||
create_access_key = client.create_access_key(UserName=username)
|
||||
print("Creating a new access key for: {}" .format(username))
|
||||
@@ -135,7 +135,7 @@ def create_access_key(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username):
|
||||
|
||||
def delete_access_key(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username, accesskey):
|
||||
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
|
||||
try:
|
||||
delete_access_key = client.delete_access_key(UserName=username, AccessKeyId=accesskey)
|
||||
print("Deleting a access key: {} for: {}" .format(accesskey, username))
|
||||
@@ -166,7 +166,7 @@ def delete_mfa_device(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username, mfaser
|
||||
|
||||
def make_admin(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username):
|
||||
client = boto3.client('iam', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY, region_name=region)
|
||||
|
||||
|
||||
try:
|
||||
make_admin = client.attach_user_policy(UserName=username, PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess')
|
||||
print("Adding admin policy to: {}" .format(username))
|
||||
@@ -189,7 +189,7 @@ def make_backdoor_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username, pa
|
||||
make_admin(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,username)
|
||||
create_user_console_password(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, username, password)
|
||||
create_access_key(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,username)
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
print("Unexpected error: {}" .format(e))
|
||||
except KeyboardInterrupt:
|
||||
|
||||
@@ -22,13 +22,13 @@ def describe_stacks(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
)
|
||||
response = client.describe_stacks()
|
||||
#debug
|
||||
print response
|
||||
print(response)
|
||||
if response.get('Stacks') is None:
|
||||
print("{} likely does not have Lambda permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['Stacks']) <= 0:
|
||||
print("[-] DescribeStacks allowed for {} but no results (everyone seems to have this permission) [-]\n" .format(region))
|
||||
else: #THIS PART IS UNTESTED
|
||||
for r in response['Stacks']:
|
||||
for r in response['Stacks']:
|
||||
pp.pprint(r)
|
||||
except botocore.exceptions.EndpointConnectionError as e:
|
||||
print("Unexpected error: {}" .format(e))
|
||||
|
||||
@@ -25,6 +25,6 @@ def describe_db_instances(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
pp.pprint(i)
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
print e
|
||||
print(e)
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
@@ -30,11 +30,11 @@ def list_geolocations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
elif len(response['GeoLocationDetailsList']) <= 0:
|
||||
print("[-] ListGeoLocations allowed for {} but no results [-]" .format(region))
|
||||
else:
|
||||
print"### {} Route53 GeoLocations ###" .format(region)
|
||||
print("### {} Route53 GeoLocations ###" .format(region))
|
||||
for app in response['GeoLocationDetailsList']:
|
||||
pp.pprint(app)
|
||||
print("\n")
|
||||
|
||||
|
||||
except botocore.exceptions.ClientError as e:
|
||||
if e.response['Error']['Code'] == 'InvalidClientTokenId':
|
||||
sys.exit("{} : The AWS KEY IS INVALID. Exiting" .format(AWS_ACCESS_KEY_ID))
|
||||
@@ -44,5 +44,3 @@ def list_geolocations(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
|
||||
print("Unexpected error: {}" .format(e))
|
||||
except KeyboardInterrupt:
|
||||
print("CTRL-C received, exiting...")
|
||||
|
||||
|
||||
|
||||
@@ -42,7 +42,7 @@ for region in regions:
|
||||
print(config_service_text)
|
||||
print("Region:" + region)
|
||||
print_config_text(config_service_text)
|
||||
|
||||
|
||||
if response.get('ConfigurationRecorders') is None:
|
||||
print("{} likely does not have Config permissions\n" .format(AWS_ACCESS_KEY_ID))
|
||||
elif len(response['ConfigurationRecorders']) <= 0:
|
||||
@@ -55,6 +55,6 @@ for region in regions:
|
||||
# pp.pprint(resourcetype['resourceTypes'][0])
|
||||
|
||||
ruleresponse = describe_configuration_recorders(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, region)
|
||||
print ruleresponse
|
||||
|
||||
print(ruleresponse)
|
||||
|
||||
print_section_header_and_footer("END OF CONFIG SERVICE REVIEW", True)
|
||||
|
||||
@@ -8,4 +8,5 @@ dirpath = os.getcwd()
|
||||
foldername = os.path.dirname(os.path.realpath(__file__))
|
||||
|
||||
all_files = list_all_files(foldername)
|
||||
|
||||
__all__ = all_files
|
||||
|
||||
@@ -3,7 +3,7 @@ if you have root or IAM access gather user info, manipulate access keys or passw
|
||||
'''
|
||||
from libs.iam import *
|
||||
from libs.sts import *
|
||||
from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
|
||||
#from config import AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
|
||||
|
||||
|
||||
def step_cg_test():
|
||||
|
||||
0
target.txt
Normal file
0
target.txt
Normal file
Reference in New Issue
Block a user