UPD: Added more services to the review

2024-08-02 09:27:32 +08:00 · 2024-08-02 09:27:32 +08:00 · f41bba3cd4
commit f41bba3cd4
parent e6fd103c2a
1 changed files with 28 additions and 1 deletions
--- a/aws/AwsEnvReview.py
+++ b/aws/AwsEnvReview.py
@ -155,6 +155,32 @@ for r in regions:
            outTable.append([r, aid, i.get("PublicIp")])
 printResult(outTable, "Region, AccountID, PublicIp")

+printTitle("Security group review")
+printSubTitle("[Security] Security group allowing ingress from 0.0.0.0/0 - Consider setting more restrictive sg rules")
+outTable = []
+
+for r in regions:
+    client = boto3.client('ec2', region_name=r)
+    response = client.describe_security_groups()
+    for sg in jmespath.search("SecurityGroups[*].GroupId", response):
+        sgrResp = client.describe_security_group_rules(
+            Filters=[
+                {
+                    'Name': 'group-id',
+                    'Values': [sg]
+                },
+            ],
+        )
+        for sgr in sgrResp.get("SecurityGroupRules"):
+            if (not sgr.get("IsEgress")
+                    and sgr.get("CidrIpv4") == "0.0.0.0/0"
+                    and sgr.get("FromPort") != 443
+                    and sgr.get("ToPort") != 443
+                    and sgr.get("FromPort") != 80
+                    and sgr.get("ToPort") != 80):
+                outTable.append([r, aid, sg, sgr.get("SecurityGroupRuleId"), sgr.get("FromPort"), sgr.get("ToPort")])
+printResult(outTable, "Region, AccountID, SecurityGroup, Rule, FromPort, ToPort")
+
 printTitle("Rds service review")
 printSubTitle("[Security] Unencrypted RDS instances - Consider encrypting RDS instances")
 outTable = []
@ -365,8 +391,9 @@ for r in regions:
 printResult(outTable, "Region, AccountID, VpnConnection, TunnelCount")


+
+
 # TODO
 """
- SG allowing public access
 - config enabled for all regions
 """