diff --git a/aws/AwsEnvReview.py b/aws/AwsEnvReview.py
index 6cc8f32..de5484e 100755
--- a/aws/AwsEnvReview.py
+++ b/aws/AwsEnvReview.py
@@ -164,30 +164,21 @@ for r in regions:
 printResult(outTable, "Region, AccountID, PublicIp")
 printTitle("Security group review")
-printSubTitle("[Security] Security group allowing ingress from 0.0.0.0/0 - Consider setting more restrictive rules "
+printSubTitle("[Security] Security group rules allowing ingress from 0.0.0.0/0 - Consider setting more restrictive rules "
               "allowing access from specific sources.")
 outTable = []
 for r in regions:
     client = boto3.client('ec2', region_name=r)
-    response = client.describe_security_groups()
-    for sg in jmespath.search("SecurityGroups[*].GroupId", response):
-        sgrResp = client.describe_security_group_rules( Filters=[ { 'Name': 'group-id', 'Values': [sg] }, ], )
-        for sgr in sgrResp.get("SecurityGroupRules"):
-            if (not sgr.get("IsEgress")
-                and sgr.get("CidrIpv4") == "0.0.0.0/0"
-                and sgr.get("FromPort") != 443
-                and sgr.get("ToPort") != 443
-                and sgr.get("FromPort") != 80
-                and sgr.get("ToPort") != 80):
-                outTable.append([r, aid, sg, sgr.get("SecurityGroupRuleId"), sgr.get("FromPort"), sgr.get("ToPort")])
+    response = client.describe_security_group_rules()
+    for sgr in jmespath.search("SecurityGroupRules[?IsEgress==`false`]", response):
+        if (not sgr.get("IsEgress")
+            and sgr.get("CidrIpv4") == "0.0.0.0/0"
+            and sgr.get("FromPort") != 443
+            and sgr.get("ToPort") != 443
+            and sgr.get("FromPort") != 80
+            and sgr.get("ToPort") != 80):
+            outTable.append([r, aid, sgr.get("GroupId"), sgr.get("SecurityGroupRuleId"), sgr.get("FromPort"), sgr.get("ToPort")])
 printResult(outTable, "Region, AccountID, SecurityGroup, Rule, FromPort, ToPort")
 printTitle("Rds service review")
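Review bot: The new `client.describe_security_group_rules()` call reads a single unpaginated response for the whole region, so in an account with more rules than one page holds the review silently stops reporting world-open rules after the first page — a false negative in exactly the check this tool exists for; the old per-group query was small enough that this rarely mattered, the region-wide one is not, so iterate `client.get_paginator('describe_security_group_rules').paginate()` instead. The filter also looks only at `CidrIpv4 == "0.0.0.0/0"`, so a rule open to `::/0` in `CidrIpv6` is never flagged, and the `!= 80`/`!= 443` exemptions apply to any range that merely starts or ends on those ports (e.g. 80–443 or 443–65535), which exposes everything in between while being treated as "web only"; exempting only `(FromPort, ToPort) in {(80, 80), (443, 443)}` keeps the intent without the gap. The `not sgr.get("IsEgress")` test is redundant with the JMESPath `[?IsEgress==\`false\`]` filter and can go. `aid` is assigned outside this hunk, so its value is assumed here.
```python
    paginator = client.get_paginator('describe_security_group_rules')
    for page in paginator.paginate():
        for sgr in jmespath.search("SecurityGroupRules[?IsEgress==`false`]", page):
            # Open to the whole internet over either address family.
            world_open = sgr.get("CidrIpv4") == "0.0.0.0/0" or sgr.get("CidrIpv6") == "::/0"
            # Exempt only rules scoped to exactly 80 or 443; a range such as 80-443 still exposes the ports in between.
            web_only = (sgr.get("FromPort"), sgr.get("ToPort")) in {(80, 80), (443, 443)}
            if world_open and not web_only:
                outTable.append([r, aid, sgr.get("GroupId"), sgr.get("SecurityGroupRuleId"), sgr.get("FromPort"), sgr.get("ToPort")])
```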