Skip to content

curbengh/aws-scripts

Repository files navigation

WAF ACL Review

Each web ACL will be saved to a JSON file named "{web-acl-name}-{YYYYMMDD}.json".

$ ./waf-acl.py --profile profile-name --region {us-east-1} --scope-regional --directory output-dir --original --wcu --ip-set
  • profile-name: The profile name as listed in "~/.aws/credentials".
  • directory: Output directory. It will be created if not exist. Defaults to current folder.
  • region: Region of web ACL, defaults to "us-east-1".
  • scope-regional: Regional-scoped/non-Cloudfront ACL.
  • original: Preserve the original ACL after conversion and save it with "-original" suffix.
  • wcu: Output Web ACL Capacity Unit (WCU) of each rule
  • total-wcu (disabled): Output the total WCU of each web ACL
  • ip-set: Save IP address(es) of an IP set. Defaults to the IP set's name.

Resource Compliance using AWS Config

Script duration is roughly 1 minute per 1000 rules.

List of resource compliance rules

List deployed Config rules across all accounts and regions. Output will be saved to "aws-config-rules.txt".

$ ./all-rules.py --profile profile-name --region {us-east-1} --output output-dir

Resource Compliance

List (non-)complient resources according to AWS Config rules.

Output will be saved to "{rule-name}-{YYYYMMDD}.csv" with the following columns:

  • accountId
  • accountName (see ACC_NAME_DICT constant to configure)
  • awsRegion
  • resourceId (e.g. EC2 instance ID)
  • resourceName
  • compliance (i.e. COMPLIANT or NON_COMPLIANT)
$ ./aws-config.py --profile profile-name --region {us-east-1} --rules space separated rules --output output-dir --summary
  • summary: Save output of all supported rules (see below) into CSV and XLSX files.

Supported Rules:

Patch Compliance

List all missing patches identified by the SSM.

Output will be saved to "SSM-patch-compliance-YYYYMMDD.csv" and "SSM-patch-compliance-YYYYMMDD.xlsx"" with the following columns:

  • ACCOUNT ID
  • ACCOUNT (see ACC_NAME_DICT constant to configure)
  • REGION
  • INSTANCE ID (e.g. EC2 instance ID)
  • MISSING PATCHES (newline separated)
$ ./ssm-patch-compliance.py --profile profile-name --region {us-east-1} --output output-dir

Default Security Groups' Compliance

https://docs.aws.amazon.com/config/latest/developerguide/vpc-default-security-group-closed.html

./vpc-default-security-group-closed.py --accounts {[aws-accounts]} --profile {security} --region {us-east-1} --aggregator {OrganizationConfigAggregator} --remediate --output output-dir
  • accounts: List of space-separated 12-digit account ID(s) or name(s) to be remediated. Only applicable when --remediate is enabled. Defaults to all accounts.
  • remediate: Remediate non-compliant default security groups to custom groups. By default, this'll remove rules for un-attached security groups. Specify this option twice ("-ee") to also migrate attached security groups, though this is discouraged because it'll cause a config drift from CloudFormation.
  • profile: AWS account where AWS Config is deployed. Parsed from ~/.aws/config (SSO) or credentials (API key).
  • region: AWS Region where AWS Config is deployed.
  • aggregator: Value of ConfigurationAggregatorName.

Log4Shell Demo

log4shell-stack