From 50cbe202fa183f447ea8845e26eb9a1c2b5c21bc Mon Sep 17 00:00:00 2001 From: x p k Date: Fri, 2 Aug 2024 10:08:45 +0800 Subject: [PATCH] UPD: Updated inline documentation --- aws/AwsEnvReview.py | 76 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 58 insertions(+), 18 deletions(-) diff --git a/aws/AwsEnvReview.py b/aws/AwsEnvReview.py index 8040d5f..6cc8f32 100755 --- a/aws/AwsEnvReview.py +++ b/aws/AwsEnvReview.py @@ -59,7 +59,8 @@ regions = getAllRegions(client) print("AWS Environment Review - " + str(date.today()) + "\n\n") printTitle("Ec2 service review") -printSubTitle("[Cost Optimization] Instances stopped for over 14 days - Consider backing up and terminate instances") +printSubTitle("[Cost Optimization] Instances stopped for over 14 days - Consider backing up and terminate instances " + "or use AutoScalingGroup to spin up and down instances as needed.") outTable = [] for r in regions: @@ -71,7 +72,8 @@ for r in regions: outTable.append([r, aid, i[0].get("InstanceId"), getAgeFromDate(i[0].get("UsageOperationUpdateTime"))]) printResult(outTable, "Region, AccountID, InstanceId, DaysStopped") -printSubTitle("[Security] IDMSv1 allowed - Consider requiring IDMSv2") +printSubTitle("[Security] Insecure IDMSv1 allowed - Consider requiring IDMSv2. For more information, " + "see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html") outTable = [] for r in regions: @@ -83,7 +85,8 @@ for r in regions: outTable.append([r, aid, i[0].get("InstanceId"), i[0].get("MetadataOptions").get("HttpTokens") ]) printResult(outTable, "Region, AccountID, InstanceId, IDMSv2") -printSubTitle("[Performance Efficiency] Use of previous generation instance type - Consider using current generation instances") +printSubTitle("[Performance Efficiency] Use of previous generation instance type - " + "Consider using current generation instances") outTable = [] for r in regions: client = boto3.client('ec2', region_name=r) @@ -94,7 +97,7 @@ for r in regions: outTable.append([r, aid, i[0].get("InstanceId"), i[0].get("InstanceType")]) printResult(outTable, "Region, AccountID, InstanceId, InstanceType") -printSubTitle("[Cost Optimization] Unattached EBS volumes - Consider taking snapshot and delete volumes") +printSubTitle("[Cost Optimization] Unattached EBS volumes - Consider backing up the volumes and delete them") outTable = [] for r in regions: client = boto3.client('ec2', region_name=r) @@ -110,7 +113,8 @@ for r in regions: outTable.append([r, aid, i.get("VolumeId"), i.get("Size"), i.get("VolumeType")]) printResult(outTable, "Region, AccountID, VolumeId, Size, VolumeType") -printSubTitle("[Cost Optimization] EBS snapshots more than 365 days old - Consider removing snapshots if no longer needed") +printSubTitle("[Cost Optimization] EBS snapshots more than 365 days old - " + "Consider removing snapshots if no longer needed") outTable = [] for r in regions: client = boto3.client('ec2', region_name=r) @@ -123,7 +127,11 @@ for r in regions: printResult(outTable, "Region, AccountID, SnapshotId, Description, SnapshotAge") -printSubTitle("[Security] Unencrypted EBS volumes - Consider replacing volume with encrypted ones") +printSubTitle("[Security] Unencrypted EBS volumes - Consider replacing volume with encrypted ones. " + "One can do so by stopping the Ec2 instance, creating snapshot for the unencrypted volume, " + "copy the snapshot to a new encrypted snapshot, create a volume from the encrypted snapshot," + "detach the original volume and attach the encrypted volume. Remember to clean up the volumes" + "and snapshots afterwards.") outTable = [] for r in regions: client = boto3.client('ec2', region_name=r) @@ -156,7 +164,8 @@ for r in regions: printResult(outTable, "Region, AccountID, PublicIp") printTitle("Security group review") -printSubTitle("[Security] Security group allowing ingress from 0.0.0.0/0 - Consider setting more restrictive sg rules") +printSubTitle("[Security] Security group allowing ingress from 0.0.0.0/0 - Consider setting more restrictive rules " + "allowing access from specific sources.") outTable = [] for r in regions: @@ -182,7 +191,8 @@ for r in regions: printResult(outTable, "Region, AccountID, SecurityGroup, Rule, FromPort, ToPort") printTitle("Rds service review") -printSubTitle("[Security] Unencrypted RDS instances - Consider encrypting RDS instances") +printSubTitle("[Security] Unencrypted RDS instances - Consider encrypting RDS instances. For more detail, see " + "https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/encrypt-an-existing-amazon-rds-for-postgresql-db-instance.html") outTable = [] for r in regions: client = boto3.client('rds', region_name=r) @@ -197,7 +207,8 @@ for r in regions: printResult(outTable, "Region, AccountID, DBIdentifier, Engine") -printSubTitle("[Reliability] Single AZ RDS instance - Consider enabling multi-az for production") +printSubTitle("[Reliability] RDS instance running in single availability zone - " + "Consider enabling multi-az for production use.") outTable = [] for r in regions: client = boto3.client('rds', region_name=r) @@ -213,7 +224,8 @@ printResult(outTable, "Region, AccountID, DBIdentifier, Engine") printTitle("Lambda service review") -printSubTitle("[Security] Outdated Lambda runtime - Consider changing to currently supported Lambda runtime") +printSubTitle("[Security] Outdated Lambda runtime - Consider changing to currently supported Lambda runtime versions, " + "listed on https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html") outTable = [] for r in regions: client = boto3.client('lambda', region_name=r) @@ -226,7 +238,7 @@ printResult(outTable, "Region, AccountID, FunctionName, Runtime") printTitle("Iam service review") -printSubTitle("[Security] Iam user access key age - Consider rotating access key") +printSubTitle("[Security] Iam user access key not rotated for 180 days - Consider rotating access key") outTable = [] client = boto3.client('iam', region_name="us-east-1") @@ -239,6 +251,24 @@ for u in users: outTable.append([aid, u, i.get("AccessKeyId"), getAgeFromDate(i.get("CreateDate"))]) printResult(outTable, "AccountID, UserName, AccessKeyId, AccessKeyAge") +printSubTitle("[Security] Iam AdministratorAccess policy attached - Consider granting minimum privileges " + "to users/groups/roles. AWS managed policies for job functions are recommended. See " + "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html") +outTable = [] + +client = boto3.client('iam', region_name="us-east-1") +entityResp = client.list_entities_for_policy( + PolicyArn='arn:aws:iam::aws:policy/AdministratorAccess' +) +for group in jmespath.search("PolicyGroups[*].GroupName", entityResp): + outTable.append([aid, "Group", group]) +for user in jmespath.search("PolicyUsers[*].UserName", entityResp): + outTable.append([aid, "User", user]) +for role in jmespath.search("PolicyRoles[*].RoleName", entityResp): + outTable.append([aid, "Role", role]) +printResult(outTable, "AccountID, Type, Name") + + printTitle("Cloudwatch service review") printSubTitle("[Cost Optimization] Cloudwatch LogGroups without retention period - Consider setting retention") outTable = [] @@ -251,7 +281,7 @@ for r in regions: outTable.append([r, aid, i.get("logGroupName"), int(round(i.get("storedBytes")/1024/1024,0))]) printResult(outTable, "Region, AccountID, LogGroup, SizeMiB") -printSubTitle("[Security] Cloudwatch LogGroups unencrypted - Consider encrypting loggroup") +printSubTitle("[Security] Cloudwatch LogGroups unencrypted - Consider encrypting LogGroups") outTable = [] for r in regions: @@ -263,7 +293,8 @@ for r in regions: printResult(outTable, "Region, AccountID, LogGroup") printTitle("Backup service review") -printSubTitle("[Reliability] Ec2/Rds instances found but AWSBackup plan missing - Consider setting up AWSBackup plans to backup AWS resources") +printSubTitle("[Reliability] Ec2/Rds instances found but AWSBackup plan missing - " + "Consider setting up AWSBackup plans to backup AWS resources.") outTable = [] for r in regions: client = boto3.client('backup', region_name=r) @@ -294,7 +325,8 @@ for i in jmespath.search("Buckets[*].Name", response): printResult(outTable, "AccountID, BucketName") printTitle("ElastiCache review") -printSubTitle("[Cost Optimization] ElastiCache instances on x64 platform - Consider Graviton instances such as t4g/r7g for cost saving") +printSubTitle("[Cost Optimization] ElastiCache instances on x64 platform - Consider Graviton instances " + "such as t4g/r7g to optimize your infrastructure investment.") outTable = [] for r in regions: @@ -306,7 +338,7 @@ for r in regions: printResult(outTable, "Region, AccountID, CacheClusterId, CacheNodeType") printTitle("LoadBalancer service review") -printSubTitle("[Cost Optimization] LB Target group without targets - Consider removing target groups") +printSubTitle("[Cost Optimization] LB Target group without targets - Consider removing empty target groups") outTable = [] for r in regions: @@ -319,7 +351,9 @@ for r in regions: printResult(outTable, "Region, AccountID, TargetGroup") printTitle("KMS service review") -printSubTitle("[Security] Customer Managed Keys do not have auto rotation enabled - Consider enabling auto key rotation") +printSubTitle("[Security] Customer Managed Keys do not have auto rotation enabled - " + "Consider enabling auto key rotation. When a key is rotated, previous ones " + "are still kept within AWS to allow data retrival.") outTable = [] for r in regions: @@ -338,7 +372,10 @@ for r in regions: printResult(outTable, "Region, AccountID, KeyId") printTitle("ApiGateway service review") -printSubTitle("[Security] ApiGateway resource policy missing - Consider restricting access to private API with a policy") +printSubTitle("[Security] ApiGateway resource policy missing - Consider restricting access to private API with a " + "policy. Private Api should be accessed through Vpc endpoint and a policy ensures the Api cannot " + "be accessed otherwise. For more detail, see " + "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html") outTable = [] for r in regions: @@ -379,7 +416,9 @@ printResult(outTable, "Region, AccountID, Status") printTitle("Vpc service review") -printSubTitle("[Reliability] Insufficient VPN tunnels - Consider having 2 tunnels for each site VPN connection") +printSubTitle("[Reliability] Insufficient VPN tunnels - Consider having 2 tunnels for each site VPN connection. " + "AWS performs VPN tunnel endpoint maintenance rather frequently. Having 2 tunnel reduces the risk " + "of service interruption.") outTable = [] for r in regions: @@ -396,4 +435,5 @@ printResult(outTable, "Region, AccountID, VpnConnection, TunnelCount") # TODO """ - config enabled for all regions +- list users/groups/roles with administrator access """ \ No newline at end of file