AWS Security Group Checker

This Python script checks your AWS security groups in all regions for "open" inbound rules (i.e. rules whose source is 0.0.0.0/0) and reports the results.
Requirements:
  • Tested w/ python version 2.7 / boto version 2.34
  • A valid profile in ~/.aws/config or ${AWS_CONFIG_FILE} with the appropriate API keys.
Steps:
  1.  Install python:
      sudo yum install python27
  2.  Install PIP:
      curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
      python get-pip.py
  3.  Install AWS CLI:
      pip install awscli
  4.  Run below command:
      aws configure
  5.  Put your AWS credentials:

           In the file ~/.boto

[Credentials]
aws_access_key_id = aws_access_key_id
aws_secret_access_key = aws_secret_access_key

           In the file ~/.aws/credentials

[default]
AWS_ACCESS_KEY_ID = xxxxxxxxxxxxxxxxxxxxx
AWS_SECRET_ACCESS_KEY = xxxxxxxxxxxxxxxxxxxxxxxxxx

[user2]
AWS_ACCESS_KEY_ID = xxxxxxxxxxxxxxxxxxxx
AWS_SECRET_ACCESS_KEY = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

           In the file ~/.aws/config

[default]
region=us-west-2
output=json

[profile user2]
region=us-east-1
output=text

  6.  Create the script to check the SGs, e.g. sg-chkr.py:

----------------------------------------------------------------------------------------------------------------------------------------------------
#!/usr/bin/env python
#
# Python Version: 2.7
#
# Scan for "open" security groups

# Must be the first line
from __future__ import print_function

import boto.vpc
import boto.ec2
import sys

# ** Modify these variables as needed **
REGIONS = ('us-east-1', 'eu-west-1', 'ap-northeast-1', 'us-west-1', 'us-west-2',
           'ap-southeast-1', 'ap-northeast-2', 'ap-southeast-2', 'sa-east-1',
           'eu-central-1', 'ap-south-1')
# **


# Make our text pretty
class bcolors:
    HEADER = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'


def usage():
    """Usage Statement"""
    print("""
Security group checker..
""")
    print("\t* use: --profile <profile_name>")
    print("\t" + bcolors.GREEN + "profile_name " + bcolors.ENDC + "from your ~/.boto (~/.aws/config)\n\n")
    sys.exit(1)


# Check for arguments
if len(sys.argv) != 3:
    usage()
if '--profile' in str(sys.argv[1]).lower():
    profile = str(sys.argv[2]).lower()
else:
    usage()

# Test in each region (main loop)
for reg_name in REGIONS:
    myregion = boto.ec2.get_region(region_name=reg_name)
    try:
        conn = boto.vpc.VPCConnection(profile_name=profile, region=myregion)
    except Exception as e:
        print("\nCheck your profile_name in ~/.boto and try again.")
        print(e)
        usage()
    print("\nRegion:", reg_name)

    # Get all security groups
    all_sgs = conn.get_all_security_groups()
    print("Number of SGs:", len(all_sgs), "\n")

    # Scan the rules in each security group
    # Look for 0.0.0.0/0 as the source - ports 80 and 443 probably ok, but print them anyway
    for sg in all_sgs:
        for rule in sg.rules:
            if str(rule.from_port) in ("80", "443"):
                textc = bcolors.WARNING
            else:
                textc = bcolors.FAIL
            for grant in rule.grants:
                # A grant is either a CIDR string or a reference to another
                # security group; only the world-open CIDR is reported.
                if str(grant) == "0.0.0.0/0":
                    print(textc + "WARNING: Open security group >>>", sg.name, "(", sg.id, ")")
                    textc = bcolors.ENDC
                    print(textc + "Proto:", rule.ip_protocol, "\tPorts:", rule.from_port, "\t", rule.to_port, "\tSource:", rule.grants, "\n")
#
# (end main loop)
 
----------------------------------------------------------------------------------------------------------------------------------------------------
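The same check, written as an added example (not the script above and not code from the post's author) against the IpPermissions structure that boto3's ec2.describe_security_groups() returns. It assumes boto3 only inside the optional fetch_security_groups() helper; everything else runs offline on constructed sample groups. It goes slightly beyond the script above in two ways: it also flags ::/0 (the IPv6 equivalent of 0.0.0.0/0), and it treats a rule with IpProtocol "-1" (all traffic, which has no port fields) as open on all ports rather than skipping it.

```python
"""Added example: open-ingress check over boto3-shaped security group data.
Constructed sample data only; fetch_security_groups() is the only AWS call.
"""
from __future__ import print_function

# Source ranges that mean "anyone on the internet", IPv4 and IPv6.
WORLD_OPEN = ("0.0.0.0/0", "::/0")
# Ports often public on purpose (web front ends, load balancers): still
# reported, but at lower severity, as the original script does with 80/443.
EXPECTED_PUBLIC_PORTS = (80, 443)


def describe_ports(perm):
    """Human-readable port description for one IpPermission dict."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return "all"  # "all traffic" rules carry no FromPort/ToPort at all
    if perm["FromPort"] == perm["ToPort"]:
        return str(perm["FromPort"])
    return "%d-%d" % (perm["FromPort"], perm["ToPort"])


def find_open_ingress(security_groups):
    """Return one finding dict per (group, rule, world-open source).

    security_groups: list shaped like describe_security_groups()['SecurityGroups'].
    """
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            # Both IPv4 and IPv6 sources count; UserIdGroupPairs (references
            # to other security groups) can never be world-open, so skip them.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if src not in WORLD_OPEN:
                    continue
                single_web_port = (perm.get("FromPort") == perm.get("ToPort")
                                   and perm.get("FromPort") in EXPECTED_PUBLIC_PORTS)
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg.get("GroupName", ""),
                    "protocol": perm.get("IpProtocol"),
                    "ports": describe_ports(perm),
                    "source": src,
                    "severity": "MEDIUM" if single_web_port else "HIGH",
                })
    return findings


def format_finding(f):
    """Render a finding in the style of the original script's output."""
    return "%s: Open security group >>> %s ( %s ) Proto: %s Ports: %s Source: %s" % (
        f["severity"], f["group_name"], f["group_id"], f["protocol"], f["ports"], f["source"])


def fetch_security_groups(profile, region):
    """Fetch every group in one region with boto3 (assumes boto3 is installed
    and the named profile exists); not used by the sample run below."""
    import boto3
    ec2 = boto3.Session(profile_name=profile, region_name=region).client("ec2")
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return groups


# Constructed sample data (hypothetical group ids), not real account output.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "launch-wizard-1",  # SSH open to the world
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000002", "GroupName": "gateway-elb",  # HTTP, expected for a public LB
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000003", "GroupName": "rds-launch-wizard",  # MySQL: IPv4 restricted, IPv6 open
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0000000000000004", "GroupName": "wide-open",  # all protocols, all ports
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000000000000005", "GroupName": "app-internal",  # internal only: no finding
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0000000000000002"}]}]},
]

if __name__ == "__main__":
    for finding in find_open_ingress(SAMPLE_SECURITY_GROUPS):
        print(format_finding(finding))
```

Running the sample reports four findings (launch-wizard-1, gateway-elb, rds-launch-wizard and wide-open) and stays silent on app-internal, whose only sources are a private range and another security group. To scan a live account, replace SAMPLE_SECURITY_GROUPS with fetch_security_groups(profile, region) in a loop over the regions you care about.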
 
7. Run this script:
python sg-chkr.py --profile user2

Save the output in a file:
python sg-chkr.py --profile user2 >> sg-output.txt

Output:
./sg-chkr.py --profile eng

Region: us-east-1
Number of SGs: 29 

WARNING: Open security group >>> launch-wizard-1 ( sg-6b72f506 )
Proto: tcp  Ports: 22    22     Source: [0.0.0.0/0] 

WARNING: Open security group >>> launch-wizard-2 ( sg-5ff54632 )
Proto: tcp  Ports: 0     65535  Source: [0.0.0.0/0] 

WARNING: Open security group >>> launch-wizard-3 ( sg-6b4b230f )
Proto: tcp  Ports: 22    22     Source: [0.0.0.0/0] 

WARNING: Open security group >>> app-server ( sg-9b505afe )
Proto: tcp  Ports: 8080      8080   Source: [0.0.0.0/0] 

WARNING: Open security group >>> rds-launch-wizard ( sg-5062e234 )
Proto: tcp  Ports: 3306      3306   Source: [0.0.0.0/0] 


Region: eu-west-1
Number of SGs: 7 


Region: ap-northeast-1
Number of SGs: 1 


Region: us-west-1
Number of SGs: 1 


Region: us-west-2
Number of SGs: 6 

WARNING: Open security group >>> launch-wizard-1 ( sg-5dfde938 )
Proto: tcp  Ports: 22    22     Source: [0.0.0.0/0] 

WARNING: Open security group >>> gateway-elb ( sg-85111ae0 )
Proto: tcp  Ports: 80    80     Source: [0.0.0.0/0] 


Region: ap-southeast-1
Number of SGs: 1 


Region: ap-southeast-2
Number of SGs: 1 


Region: sa-east-1
Number of SGs: 1 


Region: eu-central-1
Number of SGs: 1 
 
 
Hope this will help you!
Please Remember me in your prayers!
Enjoy :-)
