UPD: improved sgr check

This commit is contained in:
xpk 2024-08-02 11:13:35 +08:00
parent 50cbe202fa
commit 2767995979
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86


@ -164,30 +164,21 @@ for r in regions:
printResult(outTable, "Region, AccountID, PublicIp") printResult(outTable, "Region, AccountID, PublicIp")
printTitle("Security group review") printTitle("Security group review")
printSubTitle("[Security] Security group allowing ingress from 0.0.0.0/0 - Consider setting more restrictive rules " printSubTitle("[Security] Security group rules allowing ingress from 0.0.0.0/0 - Consider setting more restrictive rules "
"allowing access from specific sources.") "allowing access from specific sources.")
outTable = [] outTable = []
for r in regions: for r in regions:
client = boto3.client('ec2', region_name=r) client = boto3.client('ec2', region_name=r)
response = client.describe_security_groups() response = client.describe_security_group_rules()
for sg in jmespath.search("SecurityGroups[*].GroupId", response): for sgr in jmespath.search("SecurityGroupRules[?IsEgress==`false`]", response):
sgrResp = client.describe_security_group_rules( if (not sgr.get("IsEgress")
Filters=[ and sgr.get("CidrIpv4") == "0.0.0.0/0"
{ and sgr.get("FromPort") != 443
'Name': 'group-id', and sgr.get("ToPort") != 443
'Values': [sg] and sgr.get("FromPort") != 80
}, and sgr.get("ToPort") != 80):
], outTable.append([r, aid, sgr.get("GroupId"), sgr.get("SecurityGroupRuleId"), sgr.get("FromPort"), sgr.get("ToPort")])
)
for sgr in sgrResp.get("SecurityGroupRules"):
if (not sgr.get("IsEgress")
and sgr.get("CidrIpv4") == "0.0.0.0/0"
and sgr.get("FromPort") != 443
and sgr.get("ToPort") != 443
and sgr.get("FromPort") != 80
and sgr.get("ToPort") != 80):
outTable.append([r, aid, sg, sgr.get("SecurityGroupRuleId"), sgr.get("FromPort"), sgr.get("ToPort")])
printResult(outTable, "Region, AccountID, SecurityGroup, Rule, FromPort, ToPort") printResult(outTable, "Region, AccountID, SecurityGroup, Rule, FromPort, ToPort")
printTitle("Rds service review") printTitle("Rds service review")