more s3

libs/s3.py

@@ -0,0 +1,154 @@
+'''
+S3 Library
+'''
+
+import boto3
+import botocore
+import pprint
+
+pp = pprint.PrettyPrinter(indent=5, width=80)
+
+def get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket):
+    client = boto3.client(
+            's3',
+            aws_access_key_id=AWS_ACCESS_KEY_ID,
+            aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+            region_name='us-east-1'
+    )
+    
+    try:
+        bucket = bucket
+        print('\n#### Trying to enumate s3 buckets and bucket policy & ACL for {} ####' .format(bucket))
+
+        try:
+            for key in client.list_objects(Bucket=bucket,MaxKeys=100)['Contents']:
+                print('[+] '+ key['Key'].encode('utf-8').strip())
+                #print(key['Key']) #first 100 results
+        except KeyError as e:
+            print "KeyError havent tracked down reason yet"
+        except botocore.exceptions.ClientError as e:
+            if e.response['Error']['Code'] == 'AccessDenied':
+                print('{} : cant list s3 bucket [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
+            elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
+                print('%s: Has No S3 Policy!' % bucket['Name'])
+            elif e.response['Error']['Code'] == 'AllAccessDisabled':
+                print('{} : cant list s3 bucket [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
+            else:
+                print "Unexpected error: {}" .format(e)
+            
+        try:
+            policy = client.get_bucket_policy(Bucket=bucket)
+            if policy:
+                print(bucket + " Policy: ")
+                pp.pprint(policy['Policy'])
+                print("\n")
+            else:
+                pass
+        except botocore.exceptions.ClientError as e:
+            if e.response['Error']['Code'] == 'AccessDenied':
+                print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
+            elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
+                print('{}: Has No S3 Policy!' .format(bucket))
+                print("\n")
+            elif e.response['Error']['Code'] == 'AllAccessDisabled':
+                print('{} : cant list s3 bucket policy [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
+            else:
+                print "Unexpected error: {}" .format(e)
+                    
+        try:
+            acl = client.get_bucket_acl(Bucket=bucket)
+            if acl:
+                print(bucket + " Grants: ")
+                pp.pprint(acl['Grants'])
+                print("\n")
+            else:
+                pass
+        except botocore.exceptions.ClientError as e:
+            if e.response['Error']['Code'] == 'AccessDenied':
+                print('{} : cant list s3 bucket acl [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
+            elif e.response['Error']['Code'] == 'NoSuchBucketPolicy':
+                print('{}: Has No S3 Policy!' .format(bucket))
+                print("\n")
+            elif e.response['Error']['Code'] == 'AllAccessDisabled':
+                print('{} : cant list s3 bucket acl [AllAccessDisabled]' .format(AWS_ACCESS_KEY_ID))
+            else:
+                print "Unexpected error: {}" .format(e)
+
+    except botocore.exceptions.ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientTokenId':
+            sys.exit("The AWS KEY IS INVALID. Exiting")
+        elif e.response['Error']['Code'] == 'NotSignedUp':
+            print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
+        else:
+            print "Unexpected error: {}" .format(e)
+
+#specifically get the acl on a file in a buckeet
+def get_s3object_acl(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, bucket, myfile):
+    client = boto3.client(
+            's3',
+            aws_access_key_id=AWS_ACCESS_KEY_ID,
+            aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+            region_name='us-east-1'
+    )
+    
+    try:
+        bucket = bucket
+        myobject = myfile
+        print('#### Trying to enumate s3 ACL for {}:{} ####\n '.format(bucket, myfile))
+        acl = client.get_object_acl(Bucket=bucket,Key=myfile)
+        print acl
+        
+    except botocore.exceptions.ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientTokenId':
+            sys.exit("The AWS KEY IS INVALID. Exiting")
+        elif e.response['Error']['Code'] == 'NotSignedUp':
+            print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
+        else:
+            print "Unexpected error: {}" .format(e)
+
+#given an aws keypair what s3 assets does it have permission to
+def get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+    client = boto3.resource(
+            's3',
+            aws_access_key_id=AWS_ACCESS_KEY_ID,
+            aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+            region_name='us-east-1'
+    )
+    
+    try:
+        print('#### Trying to list s3 bucketsfor {} ####\n '.format(AWS_ACCESS_KEY_ID))
+        for bucket in client.buckets.all():
+            print(bucket.name)
+        
+    except botocore.exceptions.ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientTokenId':
+            sys.exit("The AWS KEY IS INVALID. Exiting")
+        elif e.response['Error']['Code'] == 'AccessDenied':
+            print('{} : cant list s3 bucket policy [AccessDenied]' .format(AWS_ACCESS_KEY_ID))
+        elif e.response['Error']['Code'] == 'NotSignedUp':
+            print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
+        else:
+            print "Unexpected error: {}" .format(e)
+
+
+def get_s3objects_for_account_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY):
+    client = boto3.resource(
+            's3',
+            aws_access_key_id=AWS_ACCESS_KEY_ID,
+            aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
+            region_name='us-east-1'
+    )
+    
+    try:
+        print('#### Trying to list s3 bucketsfor {} ####\n '.format(AWS_ACCESS_KEY_ID))
+        for bucket in client.buckets.all():
+            print(bucket.name)
+            get_s3bucket_policy(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,bucket.name)
+        
+    except botocore.exceptions.ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientTokenId':
+            sys.exit("The AWS KEY IS INVALID. Exiting")
+        elif e.response['Error']['Code'] == 'NotSignedUp':
+            print('{} : doesnt have s3 access' .format(AWS_ACCESS_KEY_ID))
+        else:
+            print "Unexpected error: {}" .format(e)

s3_list_bucket_contents.py

@@ -9,7 +9,7 @@ import pprint
 
 pp = pprint.PrettyPrinter(indent=5, width=80)
 
-from s3.s3 import *
+from libs.s3 import *
 
 #insert AWS key, will figure out how to pull this in from a single file for all scripts
 

s3_list_bucket_contents_fromfile.py

@@ -9,7 +9,7 @@ import pprint
 
 pp = pprint.PrettyPrinter(indent=5, width=80)
 
-from s3.s3 import *
+from libs.s3 import *
 
 AWS_ACCESS_KEY_ID = ''
 AWS_SECRET_ACCESS_KEY =''

s3_list_buckets_and_contents.py

@@ -9,7 +9,7 @@ import pprint
 
 pp = pprint.PrettyPrinter(indent=5, width=80)
 
-from s3.s3 import *
+from libs.s3 import *
 
 #insert AWS key, will figure out how to pull this in from a single file for all scripts
 
@@ -17,5 +17,4 @@ from s3.s3 import *
 #AWS_SECRET_ACCESS_KEY =''
 
 
-
 get_s3objects_for_account_detailed(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

s3_list_buckets_for_acct.py

@@ -9,7 +9,7 @@ import pprint
 
 pp = pprint.PrettyPrinter(indent=5, width=80)
 
-from s3.s3 import *
+from libs.s3 import *
 
 #insert AWS key, will figure out how to pull this in from a single file for all scripts
 
@@ -17,7 +17,4 @@ AWS_ACCESS_KEY_ID = ''
 AWS_SECRET_ACCESS_KEY =''
 
 
-#client = boto3.resource('s3')
-#for bucket in client.buckets.all():
-#    print(bucket.name)
 get_s3objects_for_account(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)