Merge pull request #17 from leandrodamascena/developer

New checks, performance and others.

Author: leandrodamascena

README.md

@@ -26,7 +26,7 @@ This script has been written in python3+ using AWS-CLI and it works in Linux, Wi
 - Make sure the latest version of AWS-CLI is installed on your workstation, and other components needed, with Python pip already installed:
 
 ```sh
-$ pip install awscli boto3
+$ pip install -r requirements.txt
 ```
 
 - Make sure you have properly configured your AWS-CLI with a valid Access Key and Region:
@@ -71,7 +71,6 @@ $ python msgfmt.py -o locales/NEWFOLDER/LC_MESSAGES/messages.mo locales/NEWFOLDE
 
 ### TODO
 
-- Use role instance rather than aws-cli
 - Improve documentation and code comments
 - More services that uses VPC (I'll try add one a week)
 - Custom logging control and reporting improvement.

requirements.txt

@@ -0,0 +1,2 @@
+boto3
+ipaddress

shared/awscommands.py

@@ -1,10 +1,10 @@
 from shared.common import *
 from shared.internal.security import IAM, IAMPOLICY
-from shared.internal.network import VPC
+from shared.internal.network import VPC, IGW, NATGATEWAY
 from shared.internal.compute import LAMBDA, EC2
 from shared.internal.database import RDS, ELASTICACHE, DOCUMENTDB
 from shared.internal.storage import EFS, S3POLICY
-from shared.internal.analytics import ELASTICSEARCH
+from shared.internal.analytics import ELASTICSEARCH, MSK
 from shared.internal.application import SQSPOLICY
 
 
@@ -26,3 +26,6 @@ def run(self):
         ELASTICSEARCH(self.vpc_options).run()
         DOCUMENTDB(self.vpc_options).run()
         SQSPOLICY(self.vpc_options).run()
+        MSK(self.vpc_options).run()
+        IGW(self.vpc_options).run()
+        NATGATEWAY(self.vpc_options).run()

shared/common.py

@@ -1,6 +1,12 @@
 from typing import NamedTuple
 import datetime
 import boto3
+import re
+from ipaddress import ip_network, ip_address
+
+
+VPCE_REGEX = re.compile(r'(?<=sourcevpce")(\s*:\s*")(vpce-[a-zA-Z0-9]+)', re.DOTALL)
+SOURCE_IP_ADDRESS_REGEX = re.compile(r'(?<=sourceip")(\s*:\s*")([a-fA-F0-9.:/%]+)', re.DOTALL)
 
 
 class bcolors:
@@ -19,6 +25,9 @@ class VpcOptions(NamedTuple):
     vpc_id: str
     region_name: str
 
+    def client(self, service_name: str):
+        return self.session.client(service_name, region_name=self.region_name)
+
 
 def generate_session(profile_name):
     try:
@@ -29,14 +38,83 @@ def generate_session(profile_name):
 
 
 def exit_critical(message):
-    print(bcolors.colors.get('FAIL'), message, bcolors.colors.get('ENDC'), sep="")
+    log_critical(message)
     raise SystemExit
 
 
+def log_critical(message):
+    print(bcolors.colors.get('FAIL'), message, bcolors.colors.get('ENDC'), sep="")
+
+
 def message_handler(message, position):
     print(bcolors.colors.get(position), message, bcolors.colors.get('ENDC'), sep="")
 
 
 def datetime_to_string(o):
     if isinstance(o, datetime.datetime):
         return o.__str__()
+
+
+def check_ipvpc_inpolicy(document, vpc_options: VpcOptions):
+    document = document.replace("\\", "").lower()
+
+    """ Checking if VPC is inside document, it's a 100% true information """
+    if vpc_options.vpc_id in document:
+        return "direct VPC reference"
+    else:
+        """ 
+        Vpc_id not found, trying to discover if it's a potencial subnet IP or VPCE is allowed
+        """
+        if "aws:sourcevpce" in document:
+
+            """ Get VPCE found """
+            aws_sourcevpces = []
+            for vpce_tuple in VPCE_REGEX.findall(document):
+                aws_sourcevpces.append(vpce_tuple[1])
+
+            """ Get all VPCE of this VPC """
+            ec2 = vpc_options.client('ec2')
+
+            filters = [{'Name': 'vpc-id',
+                        'Values': [vpc_options.vpc_id]}]
+
+            vpc_endpoints = ec2.describe_vpc_endpoints(Filters=filters)
+
+            """ iterate VPCEs found found """
+            if len(vpc_endpoints['VpcEndpoints']) > 0:
+                matching_vpces = []
+                """ Iterate VPCE to match vpce in Policy Document """
+                for data in vpc_endpoints['VpcEndpoints']:
+                    if data['VpcEndpointId'] in aws_sourcevpces:
+                        matching_vpces.append(data['VpcEndpointId'])
+                return "VPC Endpoint(s): " + (", ".join(matching_vpces))
+
+        if "aws:sourceip" in document:
+
+            """ Get ip found """
+            aws_sourceips = []
+            for vpce_tuple in SOURCE_IP_ADDRESS_REGEX.findall(document):
+                aws_sourceips.append(vpce_tuple[1])
+            """ Get subnets cidr block """
+            ec2 = vpc_options.client('ec2')
+
+            filters = [{'Name': 'vpc-id',
+                        'Values': [vpc_options.vpc_id]}]
+
+            subnets = ec2.describe_subnets(Filters=filters)
+            overlapping_subnets = []
+            """ iterate ips found """
+            for ipfound in aws_sourceips:
+
+                """ Iterate subnets to match ipaddress """
+                for subnet in list(subnets['Subnets']):
+                    ipfound = ip_network(ipfound)
+                    network_addres = ip_network(subnet['CidrBlock'])
+
+                    if ipfound.overlaps(network_addres):
+                        overlapping_subnets.append("{} ({})".format(str(network_addres), subnet['SubnetId']))
+            if len(overlapping_subnets) != 0:
+                return "source IP(s): {} -> subnet CIDR(s): {}"\
+                    .format(", ".join(aws_sourceips), ", ".join(overlapping_subnets))
+
+        return False

shared/internal/analytics.py

@@ -8,7 +8,7 @@ def __init__(self, vpc_options: VpcOptions):
 
     def run(self):
         try:
-            client = self.vpc_options.session.client('es', region_name=self.vpc_options.region_name)
+            client = self.vpc_options.client('es')
 
             response = client.list_domain_names()
 
@@ -27,9 +27,12 @@ def run(self):
 
                     document = json.dumps(documentpolicy, default=datetime_to_string)
 
+                    """ check either vpc_id or potencial subnet ip are found """
+                    ipvpc_found = check_ipvpc_inpolicy(document=document, vpc_options=self.vpc_options)
+
                     """ elasticsearch uses accesspolicies too, so check both situation """
                     if elasticsearch_domain['DomainStatus']['VPCOptions']['VPCId'] == self.vpc_options.vpc_id \
-                    or self.vpc_options.vpc_id in document:
+                    or ipvpc_found is True:
                         found += 1
                         message = message + "\nDomainId: {0} - DomainName: {1} - VpcId {2}".format(
                             elasticsearch_domain['DomainStatus']['DomainId'], 
@@ -40,4 +43,53 @@ def run(self):
 
         except Exception as e:
             message = "Can't list ElasticSearch Domains\nError {0}".format(str(e))
+            exit_critical(message)
+
+class MSK(object):
+
+    def __init__(self, vpc_options: VpcOptions):
+        self.vpc_options = vpc_options
+
+    def run(self):
+        try:
+            client = self.vpc_options.client('kafka')
+
+            """ get all cache clusters """
+            response = client.list_clusters()
+
+            message_handler("\nChecking MSK CLUSTERS...", "HEADER")
+
+            if len(response['ClusterInfoList']) == 0:
+                message_handler("Found 0 MSK Clusters in region {0}".format(self.vpc_options.region_name), "OKBLUE")
+            else:
+                found = 0
+                message = ""
+
+                """ iterate cache clusters to get subnet groups """
+                for data in response['ClusterInfoList']:
+
+                    msk_subnets = ", ".join(data['BrokerNodeGroupInfo']['ClientSubnets'])
+
+                    ec2 = self.vpc_options.session.resource('ec2', region_name=self.vpc_options.region_name)
+
+                    filters = [{'Name':'vpc-id',
+                                'Values':[self.vpc_options.vpc_id]}]
+
+                    subnets = ec2.subnets.filter(Filters=filters)
+
+                    for subnet in list(subnets):
+
+                        if subnet.id in msk_subnets:
+
+                            found += 1
+                            message = message + "\nClusterName: {0} - VpcId: {1}".format(
+                                data['ClusterName'],
+                                self.vpc_options.vpc_id
+                            )
+                            break
+
+                message_handler("Found {0} MSK Clusters using VPC {1} {2}".format(str(found), self.vpc_options.vpc_id, message),'OKBLUE')
+
+        except Exception as e:
+            message = "Can't list MSK Clusters\nError {0}".format(str(e))
             exit_critical(message)

shared/internal/application.py

@@ -1,52 +1,58 @@
+from concurrent.futures.thread import ThreadPoolExecutor
+
 from shared.common import *
 import json
 
+
 class SQSPOLICY(object):
-    
+
     def __init__(self, vpc_options: VpcOptions):
         self.vpc_options = vpc_options
 
     def run(self):
         try:
-            client = self.vpc_options.session.client('sqs', region_name=self.vpc_options.region_name)
-            
+            client = self.vpc_options.client('sqs')
             response = client.list_queues()
+        except Exception as e:
+            message = "Can't list SQS Queue Policy\nError {0}".format(str(e))
+            log_critical(message)
+            return
+        message_handler("\nChecking SQS QUEUE POLICY...", "HEADER")
+
+        if "QueueUrls" not in response:
+            message_handler("Found 0 SQS Queues in region {0}".format(self.vpc_options.region_name), "OKBLUE")
+        else:
+            found = 0
+            message = ""
+
+            with ThreadPoolExecutor(15) as executor:
+                results = executor.map(lambda data: self.analyze_queues(client, data[1]), enumerate(response["QueueUrls"]))
+
+            for result in results:
+                if result[0] is True:
+                    found += 1
+                    message += result[1]
+            message_handler("Found {0} SQS Queue Policy using VPC {1} {2}".format(str(found), self.vpc_options.vpc_id, message),'OKBLUE')
+
+    def analyze_queues(self, client, queue):
+        try:
+            sqs_queue_policy = client.get_queue_attributes(QueueUrl=queue, AttributeNames=['Policy'])
+            if "Attributes" in sqs_queue_policy:
 
-            message_handler("\nChecking SQS QUEUE POLICY...", "HEADER")
-            
-            if not "QueueUrls" in response:
-                message_handler("Found 0 SQS Queues in region {0}".format(self.vpc_options.region_name), "OKBLUE")
-            else:
-                found = 0
-                message = ""
-
-                """ SQS Queue doesn't returns a dict"""
-                for idx, queue in enumerate(response["QueueUrls"]):
-
-                    sqs_queue_policy = client.get_queue_attributes(QueueUrl=queue,
-                                                                   AttributeNames=['Policy'])
-
-
-                    if "Attributes" in sqs_queue_policy:
-
-                        """ Not sure about boto3 return """
-                        try:
-                            documentpolicy = sqs_queue_policy['Attributes']['Policy']
-
-                            document = json.dumps(documentpolicy, default=datetime_to_string)
+                """ Not sure about boto3 return """
 
-                            if self.vpc_options.vpc_id in document:
-                                found += 1
-                                message = message + "\nQueueUrl: {0} - VpcId {1}".format(
-                                    queue,
-                                    self.vpc_options.vpc_id
-                                )
-                        except:
-                            pass
+                documentpolicy = sqs_queue_policy['Attributes']['Policy']
+                document = json.dumps(documentpolicy, default=datetime_to_string)
 
+                """ check either vpc_id or potencial subnet ip are found """
+                ipvpc_found = check_ipvpc_inpolicy(document=document, vpc_options=self.vpc_options)
 
-                message_handler("Found {0} SQS Queue Policy using VPC {1} {2}".format(str(found), self.vpc_options.vpc_id, message),'OKBLUE')
-        
+                if ipvpc_found is not False:
+                    return True, "\nQueueUrl: {0} -> {1} -> VPC {2}".format(
+                        queue,
+                        ipvpc_found,
+                        self.vpc_options.vpc_id
+                    )
         except Exception as e:
-            message = "Can't list SQS Queue Policy\nError {0}".format(str(e))
-            exit_critical(message)
+            log_critical(str(e))
+        return False, None

shared/internal/compute.py

@@ -8,7 +8,7 @@ def __init__(self, vpc_options: VpcOptions):
 
     def run(self):
         try:
-            client = self.vpc_options.session.client('lambda', region_name=self.vpc_options.region_name)
+            client = self.vpc_options.client('lambda')
 
             response = client.list_functions()
 
@@ -22,11 +22,10 @@ def run(self):
                 for data in response["Functions"]:
                     if 'VpcConfig' in data and data['VpcConfig']['VpcId'] == self.vpc_options.vpc_id:
                         found += 1
-                        message = message + "\nFunctionName: {0} - Runtime: {1} - VpcId {2} - SubnetIds: {3}".format(
-                            data["FunctionName"], 
-                            data["Runtime"], 
-                            data['VpcConfig']['VpcId'], 
-                            ", ".join(data['VpcConfig']['SubnetIds'])
+                        message = message + "\nFunctionName: {} -> Subnet id(s): {} -> VPC id {}".format(
+                            data["FunctionName"],
+                            ", ".join(data['VpcConfig']['SubnetIds']),
+                            data['VpcConfig']['VpcId']
                         )
                 message_handler("Found {0} Lambda Functions using VPC {1} {2}".format(str(found), self.vpc_options.vpc_id, message),'OKBLUE')
         except Exception as e:
@@ -42,7 +41,7 @@ def __init__(self, vpc_options: VpcOptions):
     def run(self):
         try:
 
-            client = self.vpc_options.session.client('ec2', region_name=self.vpc_options.region_name)
+            client = self.vpc_options.client('ec2')
 
             response = client.describe_instances()
 
@@ -58,11 +57,11 @@ def run(self):
                         if "VpcId" in instances:
                             if instances['VpcId'] == self.vpc_options.vpc_id:
                                 found += 1
-                                message = message + "\nInstanceId: {0} - PrivateIpAddress: {1} - VpcId {2} - SubnetIds: {3}".format(
+                                message = message + "\nInstanceId: {} - PrivateIpAddress: {} -> Subnet id(s): {} - VpcId {}".format(
                                     instances["InstanceId"], 
                                     instances["PrivateIpAddress"], 
-                                    instances['VpcId'], 
-                                    instances['SubnetId']
+                                    instances['SubnetId'],
+                                    instances['VpcId']
                                 )
                 message_handler("Found {0} EC2 Instances using VPC {1} {2}".format(str(found), self.vpc_options.vpc_id, message),'OKBLUE')
         except Exception as e:

shared/internal/database.py

@@ -8,7 +8,7 @@ def __init__(self, vpc_options: VpcOptions):
 
     def run(self):
         try:
-            client = self.vpc_options.session.client('rds', region_name=self.vpc_options.region_name)
+            client = self.vpc_options.client('rds')
 
             response = client.describe_db_instances(Filters=[
                                                     {'Name': 'engine',
@@ -46,7 +46,7 @@ def __init__(self, vpc_options: VpcOptions):
 
     def run(self):
         try:
-            client = self.vpc_options.session.client('elasticache', region_name=self.vpc_options.region_name)
+            client = self.vpc_options.client('elasticache')
 
             """ get all cache clusters """
             response = client.describe_cache_clusters()
@@ -85,7 +85,7 @@ def __init__(self, vpc_options: VpcOptions):
 
     def run(self):
         try:
-            client = self.vpc_options.session.client('docdb', region_name=self.vpc_options.region_name)
+            client = self.vpc_options.client('docdb')
 
             response = client.describe_db_instances(Filters=[
                                                     {'Name': 'engine',