From f9ea4e843dd028d37ccc4a5670a95df5bffe2ca9 Mon Sep 17 00:00:00 2001
From: carnal0wnage
Date: Tue, 27 Jun 2017 22:06:46 -0400
Subject: [PATCH] more s3
---
 libs/s3.py | 154 ++++++++++++++++++++++++++++
 s3_list_bucket_contents.py | 2 +-
 s3_list_bucket_contents_fromfile.py | 2 +-
 s3_list_buckets_and_contents.py | 3 +-
 s3_list_buckets_for_acct.py | 5 +-
 5 files changed, 158 insertions(+), 8 deletions(-)
 create mode 100644 libs/s3.py
diff --git a/libs/s3.py b/libs/s3.py
new file mode 100644
index 0000000..6131b84
--- /dev/null
+++ b/libs/s3.py
@@ -0,0 +1,154 @@
+'''
+S3 Library
+'''
+
+import boto3
+import botocore
+import pprint
+
+pp = pprint.PrettyPrinter(indent=5, width=80)
+
+def get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket):
+ client = boto3.client(
+ 's3',
+ aws_access_key_id=AWS_ACCESS_KEY_ID,
+ aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+ region_name='us-east-1'
+ )
+
+ try:
+ bucket = bucket
+ print('\n#### Trying to enumate s3 buckets and bucket policy & ACL for {} ####' .format(bucket))
+
+ try:
+ for key in client.list_objects(Bucket=bucket,MaxKeys=100)['Contents']:
+ print('[+] '+ key['Key'].encode('utf-8').strip())
+ #print(key['Key']) #first 100 results
+ except KeyError as e:
+ print "KeyError havent tracked down reason yet"
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : cant list s3 bucket [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
+ print('%s: Has No S3 Policy!' % bucket['Name'])
+ elif e.response['Error']['Code'] == 'AllAccessDisabled':
+ print('{} : cant list s3 bucket [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print "Unexpected error: {}" .format(e)
+
+ try:
+ policy = client.get_bucket_policy(Bucket=bucket)
+ if policy:
+ print(bucket + " Policy: ")
+ pp.pprint(policy['Policy'])
+ print("\n")
+ else:
+ pass
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
+ print('{}: Has No S3 Policy!' .format(bucket))
+ print("\n")
+ elif e.response['Error']['Code'] == 'AllAccessDisabled':
+ print('{} : cant list s3 bucket policy [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print "Unexpected error: {}" .format(e)
+
+ try:
+ acl = client.get_bucket_acl(Bucket=bucket)
+ if acl:
+ print(bucket + " Grants: ")
+ pp.pprint(acl['Grants'])
+ print("\n")
+ else:
+ pass
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : cant list s3 bucket acl [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
+ print('{}: Has No S3 Policy!' .format(bucket))
+ print("\n")
+ elif e.response['Error']['Code'] == 'AllAccessDisabled':
+ print('{} : cant list s3 bucket acl [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print "Unexpected error: {}" .format(e)
+
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("The AWS KEY IS INVALID. Exiting")
+ elif e.response['Error']['Code'] == 'NotSignedUp':
+ print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print "Unexpected error: {}" .format(e)
+
+#specifically get the acl on a file in a buckeet
+def get_s3object_acl(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket, myfile):
+ client = boto3.client(
+ 's3',
+ aws_access_key_id=AWS_ACCESS_KEY_ID,
+ aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+ region_name='us-east-1'
+ )
+
+ try:
+ bucket = bucket
+ myobject = myfile
+ print('#### Trying to enumate s3 ACL for {}:{} ####\n '.format(bucket, myfile))
+ acl = client.get_object_acl(Bucket=bucket,Key=myfile)
+ print acl
+
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("The AWS KEY IS INVALID. Exiting")
+ elif e.response['Error']['Code'] == 'NotSignedUp':
+ print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print "Unexpected error: {}" .format(e)
+
+#given an aws keypair what s3 assets does it have permission to
+def get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+ client = boto3.resource(
+ 's3',
+ aws_access_key_id=AWS_ACCESS_KEY_ID,
+ aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+ region_name='us-east-1'
+ )
+
+ try:
+ print('#### Trying to list s3 bucketsfor {} ####\n '.format(AWS_ACCESS_KEY_ID))
+ for bucket in client.buckets.all():
+ print(bucket.name)
+
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("The AWS KEY IS INVALID. Exiting")
+ elif e.response['Error']['Code'] == 'AccessDenied':
+ print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
+ elif e.response['Error']['Code'] == 'NotSignedUp':
+ print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print "Unexpected error: {}" .format(e)
+
+
+def get_s3objects_for_account_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+ client = boto3.resource(
+ 's3',
+ aws_access_key_id=AWS_ACCESS_KEY_ID,
+ aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+ region_name='us-east-1'
+ )
+
+ try:
+ print('#### Trying to list s3 bucketsfor {} ####\n '.format(AWS_ACCESS_KEY_ID))
+ for bucket in client.buckets.all():
+ print(bucket.name)
+ get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,bucket.name)
+
+ except botocore.exceptions.ClientError as e:
+ if e.response['Error']['Code'] == 'InvalidClientTokenId':
+ sys.exit("The AWS KEY IS INVALID. Exiting")
+ elif e.response['Error']['Code'] == 'NotSignedUp':
+ print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
+ else:
+ print "Unexpected error: {}" .format(e)
diff --git a/s3_list_bucket_contents.py b/s3_list_bucket_contents.py
index 3285233..487e0ad 100644
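Review bot: `sys.exit(...)` is called in the `InvalidClientTokenId` branch of all four functions in libs/s3.py, but the module only imports `boto3`, `botocore` and `pprint`, so an invalid key would raise `NameError: name 'sys' is not defined` instead of exiting with the intended message; add `import sys` to the import block at the top of the file. In the `list_objects` error handler of `get_s3bucket_policy`, `bucket['Name']` indexes the `bucket` parameter, which is a `str` (the detailed caller passes `bucket.name`), so that branch would raise `TypeError` if ever reached; use `print('%s: Has No S3 Policy!' % bucket)` as the sibling handlers do. The file mixes Python 2 print statements (`print "KeyError havent tracked down reason yet"`, `print acl`) with `print(...)` calls, which pins it to Python 2 and is worth stating in the module docstring or fixing by converting them to `print(...)`. The `except KeyError` around the `['Contents']` lookup appears to be the empty-bucket case (`list_objects` omits `Contents` when the bucket has no keys), so the message could say that instead of "havent tracked down reason yet".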
--- a/s3_list_bucket_contents.py
+++ b/s3_list_bucket_contents.py
@@ -9,7 +9,7 @@ import pprint
 pp = pprint.PrettyPrinter(indent=5, width=80)
-from s3.s3 import *
+from libs.s3 import *
 #insert AWS key, will figure out how to pull this in from a single file for all scripts
diff --git a/s3_list_bucket_contents_fromfile.py b/s3_list_bucket_contents_fromfile.py
index 6541a01..c5b3223 100644
--- a/s3_list_bucket_contents_fromfile.py
+++ b/s3_list_bucket_contents_fromfile.py
@@ -9,7 +9,7 @@ import pprint
 pp = pprint.PrettyPrinter(indent=5, width=80)
-from s3.s3 import *
+from libs.s3 import *
 AWS_ACCESS_KEY_ID = ''
 AWS_SECRET_ACCESS_KEY =''
diff --git a/s3_list_buckets_and_contents.py b/s3_list_buckets_and_contents.py
index 409a8a2..93f2a5e 100644
--- a/s3_list_buckets_and_contents.py
+++ b/s3_list_buckets_and_contents.py
@@ -9,7 +9,7 @@ import pprint
 pp = pprint.PrettyPrinter(indent=5, width=80)
-from s3.s3 import *
+from libs.s3 import *
 #insert AWS key, will figure out how to pull this in from a single file for all scripts
@@ -17,5 +17,4 @@ from s3.s3 import *
 #AWS_SECRET_ACCESS_KEY =''
-
 get_s3objects_for_account_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
\ No newline at end of file
diff --git a/s3_list_buckets_for_acct.py b/s3_list_buckets_for_acct.py
index f2dd291..e0a41a0 100644
--- a/s3_list_buckets_for_acct.py
+++ b/s3_list_buckets_for_acct.py
@@ -9,7 +9,7 @@ import pprint
 pp = pprint.PrettyPrinter(indent=5, width=80)
-from s3.s3 import *
+from libs.s3 import *
 #insert AWS key, will figure out how to pull this in from a single file for all scripts
@@ -17,7 +17,4 @@ AWS_ACCESS_KEY_ID = ''
 AWS_SECRET_ACCESS_KEY =''
-#client = boto3.resource('s3')
-#for bucket in client.buckets.all():
-# print(bucket.name)
 get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
\ No newline at end of file