Each web ACL will be saved to a JSON file named "{web-acl-name}-{YYYYMMDD}.json".
$ ./waf-acl.py --profile profile-name --region {us-east-1} --scope-regional --directory output-dir --original --wcu --ip-set
- profile-name: The profile name as listed in "~/.aws/credentials".
- directory: Output directory. It will be created if not exist. Defaults to current folder.
- region: Region of web ACL, defaults to "us-east-1".
- scope-regional: Regional-scoped/non-Cloudfront ACL.
- original: Preserve the original ACL after conversion and save it with "-original" suffix.
- wcu: Output the Web ACL Capacity Unit (WCU) of each rule.
- total-wcu (disabled): Output the total WCU of each web ACL.
- ip-set: Save IP address(es) of an IP set. Defaults to the IP set's name.
Script duration is roughly 1 minute per 1000 rules.
List deployed Config rules across all accounts and regions. Output will be saved to "aws-config-rules.txt".
$ ./all-rules.py --profile profile-name --region {us-east-1} --output output-dir
List (non-)compliant resources according to AWS Config rules.
Output will be saved to "{rule-name}-{YYYYMMDD}.csv" with the following columns:
- accountId
- accountName (see the `ACC_NAME_DICT` constant to configure)
- awsRegion
- resourceId (e.g. EC2 instance ID)
- resourceName
- compliance (i.e. `COMPLIANT` or `NON_COMPLIANT`)
$ ./aws-config.py --profile profile-name --region {us-east-1} --rules space separated rules --output output-dir --summary
- summary: Save output of all supported rules (see below) into CSV and XLSX files.
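The following is an added example, not the repository's own aws-config.py, showing how the per-rule CSV described above can be assembled from AWS Config aggregator results. The only AWS-facing part is `fetch_evaluations()`, which uses the documented `describe_aggregate_compliance_by_config_rules` and `get_aggregate_compliance_details_by_config_rule` calls; the row building, column order and file naming are pure functions exercised against a constructed sample. Resource names are not part of an evaluation result, so the example takes them from a caller-supplied mapping (an assumption, not something the page states):

```python
"""Added example (not the repository's aws-config.py): build the per-rule
compliance CSV the README describes from AWS Config aggregator results.
Row building and file naming are pure; fetch_evaluations() is the only
function that talks to AWS."""
import csv
import io
from datetime import date

# The README says the script keeps an ACC_NAME_DICT constant mapping account IDs
# to names. These IDs and names are constructed sample values.
ACC_NAME_DICT = {
    "111111111111": "prod",
    "222222222222": "dev",
}

COLUMNS = ["accountId", "accountName", "awsRegion", "resourceId", "resourceName", "compliance"]
REPORTED = {"COMPLIANT", "NON_COMPLIANT"}  # NOT_APPLICABLE / INSUFFICIENT_DATA are dropped


def fetch_evaluations(aggregator_name, rule_name, region_name="us-east-1", profile_name=None):
    """Collect every evaluation for one rule across all accounts/regions in an aggregator.
    The per-rule detail call needs an explicit AccountId and AwsRegion, so the
    account/region pairs are enumerated first. boto3 is imported lazily so the
    offline helpers below work without it."""
    import boto3

    config = boto3.Session(profile_name=profile_name, region_name=region_name).client("config")
    pairs, kwargs = [], {"ConfigurationAggregatorName": aggregator_name,
                         "Filters": {"ConfigRuleName": rule_name}}
    while True:
        resp = config.describe_aggregate_compliance_by_config_rules(**kwargs)
        pairs.extend((r["AccountId"], r["AwsRegion"])
                     for r in resp.get("AggregateComplianceByConfigRules", []))
        if "NextToken" not in resp:
            break
        kwargs["NextToken"] = resp["NextToken"]

    evaluations = []
    for account_id, aws_region in pairs:
        kwargs = {"ConfigurationAggregatorName": aggregator_name, "ConfigRuleName": rule_name,
                  "AccountId": account_id, "AwsRegion": aws_region}
        while True:
            resp = config.get_aggregate_compliance_details_by_config_rule(**kwargs)
            evaluations.extend(resp.get("AggregateEvaluationResults", []))
            if "NextToken" not in resp:
                break
            kwargs["NextToken"] = resp["NextToken"]
    return evaluations


def build_rows(evaluations, resource_names=None, acc_names=ACC_NAME_DICT):
    """Map aggregate evaluation results onto the README's six CSV columns.
    resource_names is a caller-supplied {resourceId: name} mapping (assumption:
    built elsewhere, e.g. from discovered-resource listings); unknown IDs get ''."""
    resource_names = resource_names or {}
    rows = []
    for ev in evaluations:
        if ev["ComplianceType"] not in REPORTED:
            continue
        qualifier = ev["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        rows.append({
            "accountId": ev["AccountId"],
            "accountName": acc_names.get(ev["AccountId"], ev["AccountId"]),
            "awsRegion": ev["AwsRegion"],
            "resourceId": qualifier["ResourceId"],
            "resourceName": resource_names.get(qualifier["ResourceId"], ""),
            "compliance": ev["ComplianceType"],
        })
    return rows


def to_csv(rows):
    """Render rows as CSV text in the README's column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def output_filename(rule_name, today=None):
    """'{rule-name}-{YYYYMMDD}.csv', as the README specifies."""
    return f"{rule_name}-{(today or date.today()):%Y%m%d}.csv"


def _evaluation(resource_id, compliance, account_id, region):
    """Constructed record in the shape of one AggregateEvaluationResults item."""
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": {
                "ConfigRuleName": "ec2-imdsv2-check", "ResourceType": "AWS::EC2::Instance",
                "ResourceId": resource_id}},
            "ComplianceType": compliance, "AccountId": account_id, "AwsRegion": region}


SAMPLE_EVALUATIONS = [  # constructed sample input
    _evaluation("i-0aaaaaaaaaaaaaaa1", "NON_COMPLIANT", "111111111111", "us-east-1"),
    _evaluation("i-0bbbbbbbbbbbbbbb2", "COMPLIANT", "222222222222", "eu-west-1"),
    _evaluation("i-0ccccccccccccccc3", "NOT_APPLICABLE", "222222222222", "eu-west-1"),
]

if __name__ == "__main__":
    rows = build_rows(SAMPLE_EVALUATIONS, resource_names={"i-0aaaaaaaaaaaaaaa1": "web-1"})
    print(output_filename("ec2-imdsv2-check"))
    print(to_csv(rows))
```

Dropping `NOT_APPLICABLE` and `INSUFFICIENT_DATA` keeps the compliance column to the two values the README lists; if you need to see resources the rule could not evaluate, add those states to `REPORTED`.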
Supported Rules:
- access-keys-rotated
- acm-certificate-expiration-check
- alb-http-drop-invalid-header-enabled
- alb-http-to-https-redirection-check
- api-gw-associated-with-waf
- aurora-mysql-backtracking-enabled
- autoscaling-group-elb-healthcheck-required
- beanstalk-enhanced-health-reporting-enabled
- cloud-trail-log-file-validation-enabled
- cloud-trail-cloud-watch-logs-enabled
- cloud-trail-encryption-enabled
- cloud-trail-enabled-in-region
- cloudtrail-enabled
- cloudfront-accesslogs-enabled
- cloudfront-associated-with-waf
- cloudfront-default-root-object-configured
- cmk-backing-key-rotation-enabled
- codebuild-project-envvar-awscred-check
- codebuild-project-source-repo-url-check
- dynamodb-autoscaling-enabled
- dynamodb-pitr-enabled
- ebs-snapshot-public-restorable-check
- ec2-ebs-encryption-by-default
- ec2-imdsv2-check
- ec2-instance-managed-by-ssm
- ec2-instance-multiple-eni-check
- ec2-instance-no-public-ip
- ec2-managedinstance-association-compliance-status-check
- ec2-managedinstance-patch-compliance
- ec2-security-group-attached-to-eni
- ec2-stopped-instance
- ecs-task-definition-user-for-host-mode-check
- efs-encrypted-check
- efs-in-backup-plan
- eip-attached
- elastic-beanstalk-managed-updates-enabled
- elb-connection-draining-enabled
- elb-logging-enabled
- elb-tls-https-listeners-only
- encrypted-volumes
- fms-shield-resource-policy-check
- guardduty-enabled-centralized
- iam-customer-policy-blocked-kms-actions
- iam-inline-policy-blocked-kms-actions
- iam-password-policy-recommended-defaults
- iam-password-policy-recommended-defaults-no-symbols-required
- iam-policy-no-statements-with-admin-access
- iam-policy-no-statements-with-full-access
- iam-root-access-key-check
- iam-user-mfa-enabled
- iam-user-no-policies-check
- iam-user-unused-credentials-check
- kms-cmk-not-scheduled-for-deletion
- lambda-dlq-check
- lambda-function-public-access-prohibited
- lambda-function-settings-check
- lambda-inside-vpc
- mfa-set-on-root-account
- multi-region-cloud-trail-enabled
- rds-automatic-minor-version-upgrade-enabled
- rds-cluster-copy-tags-to-snapshots-enabled
- rds-cluster-deletion-protection-enabled
- rds-cluster-iam-authentication-enabled
- rds-cluster-multi-az-enabled
- rds-deployed-in-vpc
- rds-enhanced-monitoring-enabled
- rds-instance-copy-tags-to-snapshots-enabled
- rds-instance-deletion-protection-enabled
- rds-instance-iam-authentication-enabled
- rds-instance-public-access-check
- rds-logging-enabled
- rds-multi-az-support
- rds-no-default-ports
- rds-snapshot-encrypted
- rds-snapshots-public-prohibited
- rds-storage-encrypted
- redshift-cluster-audit-logging-enabled
- redshift-cluster-maintenancesettings-check
- redshift-cluster-public-access-check
- redshift-require-tls-ssl
- redshift-enhanced-vpc-routing-enabled
- resources_tagged
- restricted-ssh
- root-account-hardware-mfa-enabled
- root-account-mfa-enabled
- s3-bucket-blacklisted-actions-prohibited
- s3-bucket-level-public-access-prohibited
- s3-bucket-public-read-prohibited
- s3-bucket-public-write-prohibited
- secretsmanager-rotation-enabled-check
- secretsmanager-secret-periodic-rotation
- secretsmanager-secret-unused
- service-vpc-endpoint-enabled
- shield-advanced-enabled
- sns-encrypted-kms
- subnet-auto-assign-public-ip-disabled
- vpc-default-security-group-closed
  - Use this script to fix.
- vpc-flow-logs-enabled
- vpc-network-acl-unused-check
- vpc-sg-open-only-to-authorized-ports
- vpc-sg-restricted-common-ports
List all missing patches identified by the SSM.
Output will be saved to "SSM-patch-compliance-YYYYMMDD.csv" and "SSM-patch-compliance-YYYYMMDD.xlsx" with the following columns:
- ACCOUNT ID
- ACCOUNT (see the `ACC_NAME_DICT` constant to configure)
- REGION
- INSTANCE ID (e.g. EC2 instance ID)
- MISSING PATCHES (newline separated)
$ ./ssm-patch-compliance.py --profile profile-name --region {us-east-1} --output output-dir
Remediate the vpc-default-security-group-closed Config rule (https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html).
$ ./vpc-default-security-group-closed.py --accounts {[aws-accounts]} --profile {security} --region {us-east-1} --aggregator {OrganizationConfigAggregator} --remediate --output output-dir
- accounts: List of space-separated 12-digit account ID(s) or name(s) to be remediated. Only applicable when `--remediate` is enabled. Defaults to all accounts.
- remediate: Remediate non-compliant default security groups to custom groups. By default, this only removes rules from unattached default security groups. Specify this option twice ("-ee") to also migrate attached security groups, though this is discouraged because it causes a configuration drift from CloudFormation.
- profile: AWS account where AWS Config is deployed. Parsed from ~/.aws/config (SSO) or credentials (API key).
- region: AWS Region where AWS Config is deployed.
- aggregator: Value of ConfigurationAggregatorName.
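The following is an added example, not the repository's vpc-default-security-group-closed.py, that implements the two-tier behaviour described above: unattached default security groups have their rules revoked, while attached groups are skipped unless the caller explicitly opts in to migrating their ENIs to a replacement group first. The planner is a pure function tested against a constructed sample; `apply_plan()` uses only the documented EC2 calls `modify_network_interface_attribute`, `revoke_security_group_ingress` and `revoke_security_group_egress`, and the `replacement_groups` mapping (VPC ID to custom group ID) is an assumption of this example:

```python
"""Added example (not the repository's vpc-default-security-group-closed.py):
plan and apply the clean-up of VPC default security groups the README describes.
Unattached default groups are closed; attached ones are skipped unless
migrate_attached=True, in which case their ENIs are moved to a replacement
group before the default group's rules are revoked."""


def plan_remediation(groups, attached_enis, migrate_attached=False):
    """groups: items from describe_security_groups()['SecurityGroups'].
    attached_enis: {group_id: [eni_id, ...]} from describe_network_interfaces().
    Returns a list of steps with action revoke, migrate_then_revoke or skip."""
    plan = []
    for sg in groups:
        if sg["GroupName"] != "default":
            continue  # the Config rule only concerns each VPC's default group
        ingress = sg.get("IpPermissions", [])
        egress = sg.get("IpPermissionsEgress", [])
        if not ingress and not egress:
            continue  # already closed, i.e. compliant
        enis = attached_enis.get(sg["GroupId"], [])
        step = {"GroupId": sg["GroupId"], "VpcId": sg["VpcId"],
                "ingress": ingress, "egress": egress, "eni_ids": enis}
        if enis and not migrate_attached:
            step["action"] = "skip"
            step["reason"] = f"attached to {len(enis)} ENI(s); rerun with migrate_attached to move them"
        elif enis:
            step["action"] = "migrate_then_revoke"
        else:
            step["action"] = "revoke"
        plan.append(step)
    return plan


def collect_attached_enis(ec2):
    """Build {group_id: [eni_ids]} for the region with the paginated describe call."""
    attached = {}
    for page in ec2.get_paginator("describe_network_interfaces").paginate():
        for eni in page["NetworkInterfaces"]:
            for g in eni.get("Groups", []):
                attached.setdefault(g["GroupId"], []).append(eni["NetworkInterfaceId"])
    return attached


def apply_plan(plan, replacement_groups, region_name, profile_name=None, dry_run=True):
    """Execute a plan. replacement_groups maps VpcId to the custom group migrated
    ENIs should use (assumption: created beforehand). With DryRun=True EC2 only
    checks permissions and answers DryRunOperation, which is swallowed here."""
    import boto3
    from botocore.exceptions import ClientError

    ec2 = boto3.Session(profile_name=profile_name, region_name=region_name).client("ec2")

    def call(fn, **kwargs):
        try:
            fn(DryRun=dry_run, **kwargs)
        except ClientError as err:
            if err.response["Error"]["Code"] != "DryRunOperation":
                raise

    for step in plan:
        if step["action"] == "skip":
            continue
        if step["action"] == "migrate_then_revoke":
            new_group = replacement_groups[step["VpcId"]]
            for eni_id in step["eni_ids"]:  # move ENIs off the default group first
                call(ec2.modify_network_interface_attribute, NetworkInterfaceId=eni_id, Groups=[new_group])
        if step["ingress"]:
            call(ec2.revoke_security_group_ingress, GroupId=step["GroupId"], IpPermissions=step["ingress"])
        if step["egress"]:
            call(ec2.revoke_security_group_egress, GroupId=step["GroupId"], IpPermissions=step["egress"])


def _default_group(group_id, vpc_id, closed=False):
    """Constructed describe_security_groups-style record for a VPC default group
    (self-referencing allow-all ingress and allow-all egress unless closed)."""
    ingress = [] if closed else [{"IpProtocol": "-1", "UserIdGroupPairs": [
        {"GroupId": group_id, "UserId": "111111111111"}]}]
    egress = [] if closed else [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
    return {"GroupId": group_id, "GroupName": "default", "VpcId": vpc_id,
            "IpPermissions": ingress, "IpPermissionsEgress": egress}


SAMPLE_GROUPS = [  # constructed sample input
    _default_group("sg-0a1b2c3d4e5f60001", "vpc-0aaa1111"),
    _default_group("sg-0a1b2c3d4e5f60002", "vpc-0bbb2222"),
    _default_group("sg-0a1b2c3d4e5f60003", "vpc-0ccc3333", closed=True),
    {"GroupId": "sg-0a1b2c3d4e5f60009", "GroupName": "web", "VpcId": "vpc-0aaa1111",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}], "IpPermissionsEgress": []},
]
SAMPLE_ATTACHED = {"sg-0a1b2c3d4e5f60002": ["eni-0d1e2f3a4b5c60001"]}

if __name__ == "__main__":
    for step in plan_remediation(SAMPLE_GROUPS, SAMPLE_ATTACHED):
        print(step["GroupId"], step["action"], step.get("reason", ""))
```

Keeping `dry_run=True` as the default lets the plan be validated end to end against IAM permissions before any rule is touched; the discouraged migration path is still gated behind an explicit flag, mirroring the "-ee" double opt-in described above.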