Saturday, 21 August 2021

Cloud - Export AWS Security Groups from all Regions – aws ec2 describe-security-groups


I can't take any credit for this script. Rich Adams created it and kindly shared it on GitHub:

https://gist.github.com/richadams/384020d6e4e6d4f400d7

Steps:

1. Log in to the AWS account.

2. IAM > Users > Username > Security Credentials > Create Access Key

3. Add the 'Access key Id' and 'Secret access key' to the relevant section in the script. The script only sets them when AWS_ACCESS_KEY_ID is not already present in the environment, so exporting them as environment variables instead keeps the secret out of the file.

4. Make sure the script is executable (chmod +x).

5. Run the script, sending the security groups to a text file, e.g.

    ./aws_security_group_details.sh >> aws_all_regions_secgroups.txt

   The script needs bash (it uses [[ ]] and echo -e), so run it via its shebang or with bash rather than plain sh.

6. Remove the access key from AWS > IAM if it is no longer required.

Code below in case the version is removed from GitHub (line numbers stripped, quoting and temp-file handling tidied up, region lookup switched to a --query so it no longer depends on the column layout of the text output):

    #!/bin/bash
    # Requires: awscli (http://aws.amazon.com/cli/)
    # Prints out a list of all security groups and their settings, just for quickly auditing it.

    # Your AWS credentials (only set here if none are already present in the environment)
    if [ -z "${AWS_ACCESS_KEY_ID}" ]; then
        export AWS_ACCESS_KEY_ID='***'
        export AWS_SECRET_ACCESS_KEY='***'
    fi

    # Want to do this for all regions...
    # Ask for the region names directly instead of cutting a column out of the text output.
    REGIONS=$(aws ec2 describe-regions --region us-west-1 --query 'Regions[].RegionName' --output text)

    for REGION in $REGIONS; do
        echo "=> $REGION"

        # Scratch files created with mktemp rather than fixed, predictable names under /tmp.
        GFILE=$(mktemp)    # all security group info for this region, fetched in one call
        EC2FILE=$(mktemp)  # security groups actively used by EC2 instances
        RDSFILE=$(mktemp)  # security groups actively used by RDS (EC2-Classic DB security groups)

        aws ec2 describe-security-groups --region "$REGION" --output text > "$GFILE"
        aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --output text --region "$REGION" | tr '\t' '\n' | sort -u > "$EC2FILE"
        aws rds describe-db-security-groups --query 'DBSecurityGroups[*].EC2SecurityGroups[*].EC2SecurityGroupId' --output text --region "$REGION" | tr '\t' '\n' | sort -u > "$RDSFILE"

        # Loop over each tab-separated line of the file and parse it.
        while IFS= read -r line; do
            case "$line" in
                # Header
                SECURITYGROUPS*)
                    PORT_HAS_GLOBAL_RULE=0
                    SID=$(echo "$line" | awk -F'\t' '{print $3}')
                    GNAME=$(echo "$line" | awk -F'\t' '{print $4}')
                    # Determine if this group is currently being used by an EC2/RDS instance.
                    EXTRA=""
                    if ! grep -q "$SID" "$EC2FILE" && ! grep -q "$SID" "$RDSFILE"; then
                        EXTRA=" <= ** Not currently used by any EC2 or RDS instance in this region!"
                    fi
                    echo " => $SID ($GNAME) $EXTRA"
                    ;;
                # Rule Info (columns: FromPort, IpProtocol, ToPort)
                IPPERMISSIONS*)
                    INPORT=$(echo "$line" | awk -F'\t' '{print $2}')
                    PROTO=$(echo "$line" | awk -F'\t' '{print $3}')
                    OUTPORT=$(echo "$line" | awk -F'\t' '{print $4}')
                    ;;
                IPRANGES*)
                    EXTRA=""
                    CIDR=$(echo "$line" | awk -F'\t' '{print $2}')
                    # If a global rule was already seen for this port combo, then this rule is redundant!
                    if [[ "$PORT_HAS_GLOBAL_RULE" = "$PROTO:$INPORT-$OUTPORT" ]]; then
                        EXTRA=" <= ** Redundant, /0 was already specified for $PORT_HAS_GLOBAL_RULE."
                    fi
                    # Check if we have the global rule enabled.
                    if [[ "$CIDR" = "0.0.0.0/0" ]]; then
                        EXTRA=" (!!)" # Mark it as potentially dangerous.
                        PORT_HAS_GLOBAL_RULE="$PROTO:$INPORT-$OUTPORT" # Also keep track, as it makes other rules redundant.
                    fi
                    echo -e " => $PROTO:$INPORT->$OUTPORT\t\t$CIDR $EXTRA"
                    ;;
                USERIDGROUPPAIRS*)
                    EXTRA=""
                    GROUPID=$(echo "$line" | awk -F'\t' '{print $2}')
                    GROUPNAME=$(echo "$line" | awk -F'\t' '{print $3}')
                    # If a global rule was already seen for this port combo, then this rule is redundant!
                    if [[ "$PORT_HAS_GLOBAL_RULE" = "$PROTO:$INPORT-$OUTPORT" ]]; then
                        EXTRA=" <= ** Redundant, /0 was already specified for $PORT_HAS_GLOBAL_RULE."
                    fi
                    echo -e " => $PROTO:$INPORT->$OUTPORT\t\t$GROUPID ($GROUPNAME) $EXTRA"
                    ;;
            esac
        done < "$GFILE"

        # Clean up
        rm -f "$GFILE" "$EC2FILE" "$RDSFILE"
    done

    # Remove any credentials from env.
    unset AWS_ACCESS_KEY_ID
    unset AWS_SECRET_ACCESS_KEY
    echo ""
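As an added example, not part of the post or of Rich Adams' script: the same audit logic in Python, run offline over a constructed sample of the describe-security-groups text output. It goes a little beyond the script by also flagging IPv6 ::/0 rules (the IPV6RANGES lines, which the script ignores) and by remembering every world-open port in a group rather than only the last one. The sample lines, group ids and the IN_USE set are constructed.

```python
# Constructed sample of `aws ec2 describe-security-groups --output text` for one region.
SAMPLE = "\n".join([
    "SECURITYGROUPS\tweb tier\tsg-0aaa\tweb\t123456789012\tvpc-0001",
    "IPPERMISSIONS\t443\ttcp\t443",
    "IPRANGES\t0.0.0.0/0",
    "IPRANGES\t10.0.0.0/8",
    "IPPERMISSIONS\t22\ttcp\t22",
    "IPV6RANGES\t::/0",
    "SECURITYGROUPS\tleftover\tsg-0bbb\told-db\t123456789012\tvpc-0001",
    "IPPERMISSIONS\t3306\ttcp\t3306",
    "USERIDGROUPPAIRS\tsg-0aaa\t123456789012",
])
# Constructed: group ids referenced by EC2/RDS (what the script collects into EC2FILE/RDSFILE).
IN_USE = {"sg-0aaa"}

WORLD = {"0.0.0.0/0", "::/0"}


def audit(text, in_use):
    """Return (group_id, kind, detail) findings: unused, open-to-world, redundant."""
    findings = []
    gid, port, world_ports = None, None, set()
    for line in text.splitlines():
        f = line.split("\t")
        if f[0] == "SECURITYGROUPS":
            gid, world_ports = f[2], set()        # new group: reset per-group state
            if gid not in in_use:
                findings.append((gid, "unused", ""))
        elif f[0].startswith("IPPERMISSIONS"):   # also matches IPPERMISSIONSEGRESS
            # "-1" protocol (all traffic) carries no port columns in the text output
            port = f"{f[2]}:{f[1]}-{f[3]}" if len(f) >= 4 else f"{f[1]}:all"
        elif f[0] in ("IPRANGES", "IPV6RANGES"):
            cidr = f[1]
            if cidr in WORLD:
                findings.append((gid, "open-to-world", f"{port} {cidr}"))
                world_ports.add(port)
            elif port in world_ports:            # narrower source after a /0 on the same port
                findings.append((gid, "redundant", f"{port} {cidr}"))
        elif f[0] == "USERIDGROUPPAIRS" and port in world_ports:
            findings.append((gid, "redundant", f"{port} {f[1]}"))
    return findings


if __name__ == "__main__":
    for gid, kind, detail in audit(SAMPLE, IN_USE):
        print(f"{gid}\t{kind}\t{detail}")
```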
