Revisions
richadams revised this gist
Apr 20, 2015 . 1 changed file with 8 additions and 1 deletion.
@@ -73,9 +73,16 @@ for REGION in ${REGIONS[*]}; do echo -e " => $PROTO:$INPORT->$OUTPORT\t\t$CIDR $EXTRA" ;; USERIDGROUPPAIRS*) EXTRA="" GROUPID=(`echo $line | awk -F\t '{print $2}'`) GROUPNAME=(`echo $line | awk -F\t '{print $3}'`) # If a global rule was already seen for this port combo, then this rule is redundant! if [[ "$PORT_HAS_GLOBAL_RULE" = "$PROTO:$INPORT-$OUTPORT" ]] ; then EXTRA=" <= ** Redundant, /0 was already specified for $PORT_HAS_GLOBAL_RULE." fi echo -e " => $PROTO:$INPORT->$OUTPORT\t\t$GROUPID ($GROUPNAME) $EXTRA" ;; esac done
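Review bot: The redundancy flag added to the USERIDGROUPPAIRS branch is order-dependent: PORT_HAS_GLOBAL_RULE is set while streaming the output and never re-checked, so should the CLI list a group-referencing rule before the 0.0.0.0/0 range for the same port combination, that rule is printed without the "Redundant" marker. A two-pass approach (collect the /0 port combinations per security group first, then print the rules) would make the marker independent of output order. The field split `awk -F\t` also relies on the shell dropping the backslash and on awk's special case that treats `-Ft` as a tab separator; `awk -F'\t'` states the intent and is what ShellCheck expects. The enclosing `while read` / `case` block starts before this hunk.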
richadams revised this gist
Apr 17, 2015 . 1 changed file with 35 additions and 13 deletions.
@@ -12,44 +12,65 @@ fi REGIONS=(`aws ec2 describe-regions --region us-west-1 --output text | grep "-" | awk -F\t '{print $3}'`) for REGION in ${REGIONS[*]}; do echo "=> $REGION" # Grab all the security group info for this region in one call. GFILE='/tmp/aws-sec-groups' aws ec2 describe-security-groups --region $REGION --output text > $GFILE # Grab list of actively used security groups for EC2. EC2FILE='/tmp/aws-sec-groups-ec2' aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --output text --region $REGION | tr '\t' '\n' | sort | uniq > $EC2FILE # Grab list of actively used security groups for RDS. RDSFILE='/tmp/aws-sec-groups-rds' aws rds describe-db-security-groups --query 'DBSecurityGroups[*].EC2SecurityGroups[*].EC2SecurityGroupId' --output text --region $REGION | tr '\t' '\n' | sort | uniq > $RDSFILE # Loop over each line of the file and parse it. old_IFS=$IFS; IFS=$'\n' cat $GFILE | while read line do case $line in # Header SECURITYGROUPS*) PORT_HAS_GLOBAL_RULE=0 SID=(`echo $line | awk -F\t '{print $3}'`) GNAME=(`echo $line | awk -F\t '{print $4}'`) # Determine if this group is currently being used by an EC2/RDS instance. EXTRA="" grep $SID $EC2FILE &> /dev/null if [ $? -ne 0 ]; then grep $SID $RDSFILE &> /dev/null if [ $? -ne 0 ]; then EXTRA=" <= ** Not currently used by any EC2 or RDS instance in this region!" fi fi echo " => $SID ($GNAME) $EXTRA" ;; # Rule Info IPPERMISSIONS*) INPORT=(`echo $line | awk -F\t '{print $2}'`) OUTPORT=(`echo $line | awk -F\t '{print $4}'`) PROTO=(`echo $line | awk -F\t '{print $3}'`) ;; IPRANGES*) EXTRA="" CIDR=(`echo $line | awk -F\t '{print $2}'`) # If a global rule was already seen for this port combo, then this rule is redundant! if [[ "$PORT_HAS_GLOBAL_RULE" = "$PROTO:$INPORT-$OUTPORT" ]] ; then EXTRA=" <= ** Redundant, /0 was already specified for $PORT_HAS_GLOBAL_RULE." fi # Check if we have the global rule enabled. 
if [[ "$CIDR" = "0.0.0.0/0" ]]; then EXTRA=" (!!)" # Mark it as potentially dangerous. PORT_HAS_GLOBAL_RULE="$PROTO:$INPORT-$OUTPORT" # Also keep track, as it makes other rules redundant. fi echo -e " => $PROTO:$INPORT->$OUTPORT\t\t$CIDR $EXTRA" ;; USERIDGROUPPAIRS*) GROUPID=(`echo $line | awk -F\t '{print $2}'`) @@ -63,10 +84,11 @@ for REGION in ${REGIONS[*]}; do # Clean up rm $GFILE rm $EC2FILE rm $RDSFILE done # Remove any credentials from env. unset AWS_ACCESS_KEY_ID unset AWS_SECRET_ACCESS_KEY echo "" -
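Review bot: The "Not currently used" verdict in the SECURITYGROUPS branch is derived only from EC2 instance attachments and from `describe-db-security-groups`, which returns EC2-Classic DB security groups rather than the VPC security groups attached to RDS instances, so a group in use by an RDS instance inside a VPC (or by ELB, ElastiCache, Lambda and other ENI-backed services) is reported as unused — a risky signal for an audit that may drive deletions. RDS VPC groups are exposed via `describe-db-instances` under `VpcSecurityGroups[*].VpcSecurityGroupId`, and `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<id>` covers every ENI-backed attachment; at minimum the message should state its limited scope. The membership test `grep $SID $EC2FILE &> /dev/null` is an unquoted substring regex match, so `grep -qxF -- "$SID" "$EC2FILE"` is the exact form, and `if ! grep -qxF …; then` replaces the `$?` check; the same grep form appears in the Mar 18 revision below.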
richadams revised this gist
Mar 18, 2015 . 1 changed file with 15 additions and 1 deletion.
@@ -17,6 +17,10 @@ for REGION in ${REGIONS[*]}; do GFILE='/tmp/aws-sec-groups' aws ec2 describe-security-groups --region $REGION --output text > $GFILE # Grab list of actively used security groups for EC2. EC2FILE='/tmp/aws-sec-groups-ec2' aws ec2 describe-instances --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' --output text --region $REGION | tr '\t' '\n' | sort | uniq > $EC2FILE # Loop over each line of the file and parse it. old_IFS=$IFS; IFS=$'\n' cat $GFILE | while read line @@ -26,9 +30,18 @@ for REGION in ${REGIONS[*]}; do SECURITYGROUPS*) SID=(`echo $line | awk -F\t '{print $3}'`) GNAME=(`echo $line | awk -F\t '{print $4}'`) # Determine if this group is currently being used by an EC2 instance. EXTRA="" grep $SID $EC2FILE &> /dev/null if [ $? -ne 0 ]; then EXTRA=" <= ** Not currently used by any EC2 instance in this region!" fi echo " => $SID ($GNAME) $EXTRA" ;; # Rule Info IPPERMISSIONS*) INPORT=(`echo $line | awk -F\t '{print $2}'`) OUTPORT=(`echo $line | awk -F\t '{print $4}'`) @@ -49,6 +62,7 @@ for REGION in ${REGIONS[*]}; do # Clean up rm $GFILE rm $EC2FILE done # Remove any credentials from env.
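Review bot: The new EC2FILE at `/tmp/aws-sec-groups-ec2` is a fixed, predictable path written with a plain redirect, like GFILE before it, so two concurrent runs (for example against different accounts) overwrite each other's inventory, and any pre-existing file or symlink at that path is followed by the redirect. The security-group listing is also left behind under /tmp, readable by other local users under a default umask, whenever the script aborts before the `rm` lines at the end of the region loop. A private scratch directory with cleanup on every exit path addresses all three: `workdir=$(mktemp -d) || exit 1`, `trap 'rm -rf -- "$workdir"' EXIT`, then `EC2FILE="$workdir/ec2"` and `GFILE="$workdir/groups"`. The region loop and the case statement continue outside these hunks.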
richadams revised this gist
Mar 18, 2015 . 1 changed file with 6 additions and 1 deletion.
@@ -36,7 +36,12 @@ for REGION in ${REGIONS[*]}; do ;; IPRANGES*) CIDR=(`echo $line | awk -F\t '{print $2}'`) echo -e " => $PROTO:$INPORT->$OUTPORT\t\t$CIDR" ;; USERIDGROUPPAIRS*) GROUPID=(`echo $line | awk -F\t '{print $2}'`) GROUPNAME=(`echo $line | awk -F\t '{print $3}'`) echo -e " => $PROTO:$INPORT->$OUTPORT\t\t$GROUPID ($GROUPNAME)" ;; esac done
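Review bot: The new USERIDGROUPPAIRS echo passes `$GROUPNAME`, a free-form name taken from account data, through `echo -e`, which interprets any backslash sequences in the name and alters the printed line; `printf ' => %s:%s->%s\t\t%s (%s)\n' "$PROTO" "$INPORT" "$OUTPORT" "$GROUPID" "$GROUPNAME"` keeps the tab layout while printing the data verbatim, and the IPRANGES echo on the line above would benefit from the same form. The `->` between the two ports reads as a direction, but given the column order of the IPPERMISSIONS line these look like the FromPort/ToPort bounds of a port range, so a plain `-` separator would be less misleading — worth confirming against the CLI text output. The case statement begins before this hunk.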
richadams created this gist
Mar 18, 2015 .
@@ -0,0 +1,53 @@ #!/bin/bash # Requires: awscli (http://aws.amazon.com/cli/) # Prints out a list of all security groups and their settings, just for quickly auditing it. # Your AWS credentials if [ -z ${AWS_ACCESS_KEY_ID} ]; then export AWS_ACCESS_KEY_ID='***' export AWS_SECRET_ACCESS_KEY='***' fi # Want to do this for all regions... REGIONS=(`aws ec2 describe-regions --region us-west-1 --output text | grep "-" | awk -F\t '{print $3}'`) for REGION in ${REGIONS[*]}; do echo "=> $REGION" # Grab all the security group info for this region in one call. GFILE='/tmp/aws-sec-groups' aws ec2 describe-security-groups --region $REGION --output text > $GFILE # Loop over each line of the file and parse it. old_IFS=$IFS; IFS=$'\n' cat $GFILE | while read line do case $line in # Header SECURITYGROUPS*) SID=(`echo $line | awk -F\t '{print $3}'`) GNAME=(`echo $line | awk -F\t '{print $4}'`) echo " => $SID ($GNAME)" ;; IPPERMISSIONS*) INPORT=(`echo $line | awk -F\t '{print $2}'`) OUTPORT=(`echo $line | awk -F\t '{print $4}'`) PROTO=(`echo $line | awk -F\t '{print $3}'`) ;; IPRANGES*) CIDR=(`echo $line | awk -F\t '{print $2}'`) echo -e " => $PROTO:$INPORT\t\t$CIDR" ;; esac done IFS=$old_IFS # Clean up rm $GFILE done # Remove any credentials from env. unset AWS_ACCESS_KEY_ID unset AWS_SECRET_ACCESS_KEY echo ""
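Review bot: The credential block exports `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from literals kept in the script, which places secrets in source and in gist history, and the trailing `unset` lines only affect the script's own process, so they remove nothing from the caller's environment. The AWS CLI already resolves credentials from the environment, from `~/.aws/credentials` or from `--profile`, so the block can be dropped and the requirement stated in the header comment; `[ -z ${AWS_ACCESS_KEY_ID} ]` is also an unquoted test. Minor: `while read line` should be `while IFS= read -r line` so backslashes in the text output survive, and `set -euo pipefail` near the top would stop the script from silently parsing an empty GFILE when a `describe-*` call fails.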