UPD: improved sgr check

2024-08-02 11:13:35 +08:00 · 2024-08-02 11:13:35 +08:00 · 2767995979
commit 2767995979
parent 50cbe202fa
1 changed files with 10 additions and 19 deletions
--- a/aws/AwsEnvReview.py
+++ b/aws/AwsEnvReview.py
@ -164,30 +164,21 @@ for r in regions:
 printResult(outTable, "Region, AccountID, PublicIp")

 printTitle("Security group review")
-printSubTitle("[Security] Security group allowing ingress from 0.0.0.0/0 - Consider setting more restrictive rules "
+printSubTitle("[Security] Security group rules allowing ingress from 0.0.0.0/0 - Consider setting more restrictive rules "
              "allowing access from specific sources.")
 outTable = []

 for r in regions:
    client = boto3.client('ec2', region_name=r)
-    response = client.describe_security_groups()
-    for sg in jmespath.search("SecurityGroups[*].GroupId", response):
-        sgrResp = client.describe_security_group_rules(
-            Filters=[
-                {
-                    'Name': 'group-id',
-                    'Values': [sg]
-                },
-            ],
-        )
-        for sgr in sgrResp.get("SecurityGroupRules"):
+    response = client.describe_security_group_rules()
+    for sgr in jmespath.search("SecurityGroupRules[?IsEgress==`false`]", response):
        if (not sgr.get("IsEgress")
                and sgr.get("CidrIpv4") == "0.0.0.0/0"
                and sgr.get("FromPort") != 443
                and sgr.get("ToPort") != 443
                and sgr.get("FromPort") != 80
                and sgr.get("ToPort") != 80):
-                outTable.append([r, aid, sg, sgr.get("SecurityGroupRuleId"), sgr.get("FromPort"), sgr.get("ToPort")])
+            outTable.append([r, aid, sgr.get("GroupId"), sgr.get("SecurityGroupRuleId"), sgr.get("FromPort"), sgr.get("ToPort")])
 printResult(outTable, "Region, AccountID, SecurityGroup, Rule, FromPort, ToPort")

 printTitle("Rds service review")