Merge pull request #27 from leboncoin/v4.3.0

v4.3.0
leboncoin · Sep 14, 2022 · 0512388 · 0512388
2 parents 895ca36 + d1ccfaa
commit 0512388
Show file tree

Hide file tree

Showing 18 changed files with 672 additions and 211 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,13 +3,14 @@ __pycache__
 venv
 package
 .env
-*.png
+*.svg
 
 # Config
 config/rules.yaml
 config/lambda.config
 config/subnet_allow_list.txt
 config/trusted_accounts_list.txt
+config/variables.py
 
 # Documentation
 

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,23 @@ CHANGELOG
 AWS-TOWER
 -----
 
+4.3.0
+-----
+
+2022/09/08
+
+### New feature
+  - Add `draw` verb : `aws-tower draw <my-profile>` to display a threat map
+
+### Changes
+  - Dissociate IAM services and actions, easier to read and understand findings
+  - whitelist more IAM actions as readers and not poweruser
+  - Add more retryier in lambda monitoring and split in another lambda child
+  - Update deprecated RDS/EKS engine in rules
+
+### Fixtures
+  - Fix iam_scan to use min-rights
+
 4.2.2
 -----
 

diff --git a/README.md b/README.md
@@ -20,9 +20,9 @@ AWS Services monitored:
 
 ```bash
 $ pip install -r requirements.txt
-$ cp config/rules.yaml.sample config/rules.yaml # if you want to use "audit", then edit "config/variables.py" and remove .sample
-$ cp config/subnet_allow_list.txt.sample config/subnet_allow_list.txt # if you want to use a subnet allow list, then edit "config/variables.py" and remove .sample
-$ cp config/trusted_accounts_list.txt.sample config/trusted_accounts_list.txt # if you want to use an aws account allow list, then edit "config/variables.py" and remove .sample
+$ cp config/rules.yaml.sample config/rules.yaml # if you want to use "audit"
+$ cp config/subnet_allow_list.txt.sample config/subnet_allow_list.txt # if you want to use a subnet allow list
+$ cp config/trusted_accounts_list.txt.sample config/trusted_accounts_list.txt # if you want to use an aws account allow list
 ```
 
 ## Usage
@@ -33,12 +33,14 @@ $ alias aws-tower='<path>/aws_tower_cli.py'
 
 ```bash
 $ aws-tower --help
-usage: aws_tower_cli.py [-h] [--version] [--no-color] [--no-cache] [--clean-cache] [-l] [-p] {discover,audit,iam} ...
+usage: aws_tower_cli.py [-h] [--version] [--no-color] [--no-cache] [--clean-cache] [-l] [-p] {audit,discover,draw,iam} ...
 
 positional arguments:
-  {discover,audit,iam}  commands
-    discover            Discover assets in an AWS account
+  {audit,discover,draw,iam}
+                        commands
     audit               Audit AWS account to find security issues
+    discover            Discover assets in an AWS account
+    draw                Draw a threat model of your AWS account
     iam                 Display IAM info for an AWS account
 
 options:
@@ -92,6 +94,19 @@ options:
   -s, --summary         Summary of the account assets
 ```
 
+```bash
+$ aws-tower draw --help
+usage: aws_tower_cli.py draw [-h] [-t {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,RDS,S3,VPC}] profile
+
+positional arguments:
+  profile               A valid profile name configured in the ~/.aws/config file
+
+options:
+  -h, --help            show this help message and exit
+  -t {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,RDS,S3,VPC}, --type {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,RDS,S3,VPC}
+                        Types to display (default: display everything)
+```
+
 ```bash
 $ aws-tower iam --help
 usage: aws_tower_cli.py iam [-h] [-s SOURCE] [-a ACTION] [--min-rights {admin,poweruser,reader}] [--service SERVICE] [-d] [-v] profile

diff --git a/aws_tower_cli.py b/aws_tower_cli.py
@@ -17,7 +17,8 @@
 import botocore
 from rich import console
 
-from libs.display import print_report, print_summary
+from libs.display import audit_scan, draw_threats, prepare_report, \
+    print_report, print_summary
 from libs.iam_scan import complete_source_arn, iam_display, \
     iam_display_roles, iam_extract, iam_simulate
 from libs.scan import aws_scan
@@ -28,7 +29,7 @@
 # from pdb import set_trace as st
 
 CONSOLE = console.Console()
-VERSION = '4.2.2'
+VERSION = '4.3.0'
 
 def audit_handler(session, args, meta_types, cache):
     """
@@ -103,6 +104,33 @@ def discover_handler(session, args, meta_types, cache):
             security_config=None
         )
 
+def draw_handler(session, args, meta_types, cache):
+    """
+    Handle draw argument
+    """
+    assets = aws_scan(
+        session,
+        cache,
+        iam_action_passlist=variables.IAM_ACTION_PASSLIST,
+        iam_rolename_passlist=variables.IAM_ROLENAME_PASSLIST,
+        public_only=False,
+        meta_types=meta_types,
+        name_filter='',
+        console=CONSOLE
+    )
+
+    min_severity = 'medium'
+    max_severity = 'critical'
+    security_config = {
+        'findings_rules_path': variables.FINDING_RULES_PATH,
+        'severity_levels': variables.SEVERITY_LEVELS,
+        'min_severity': min_severity,
+        'max_severity': max_severity
+    }
+    report = prepare_report(assets, meta_types, CONSOLE)
+    audit_scan(assets, report, security_config, None, CONSOLE)
+    draw_threats(f'AWS Tower: Threat map of {args.profile}', assets, CONSOLE)
+
 def iam_handler(session, args, cache, csl):
     """
     Handle iam argument
@@ -115,6 +143,7 @@ def iam_handler(session, args, cache, csl):
             client_iam,
             res_iam,
             args.source,
+            args.min_rights,
             cache,
             csl,
             iam_action_passlist=variables.IAM_ACTION_PASSLIST,
@@ -192,6 +221,8 @@ def main(verb, args):
         audit_handler(session, args, meta_types, cache)
     elif verb == 'discover':
         discover_handler(session, args, meta_types, cache)
+    elif verb == 'draw':
+        draw_handler(session, args, meta_types, cache)
     elif verb == 'iam':
         iam_handler(session, args, cache, csl)
     else:
@@ -221,6 +252,47 @@ def main(verb, args):
         action='store_true',
         help='List available profiles')
 
+    # AUDIT Arguments
+    AUDIT_PARSER = SUBPARSERS.add_parser(
+        'audit',
+        help='Audit AWS account to find security issues')
+    AUDIT_PARSER.add_argument(
+        'profile',
+        action='store',\
+        help='A valid profile name configured in the ~/.aws/config file')
+    AUDIT_PARSER.add_argument(
+        '-t', '--type',
+        action='append',
+        choices=variables.META_TYPES,
+        help='Types to display (default: display everything)')
+    AUDIT_PARSER.add_argument(
+        '-m', '--min-severity',
+        default='medium',
+        choices=variables.SEVERITY_LEVELS,
+        help='min severity level to report when security is enabled (default: medium)')
+    AUDIT_PARSER.add_argument(
+        '-M', '--max-severity',
+        default='high',
+        choices=variables.SEVERITY_LEVELS,
+        help='max severity level to report when security is enabled (default: high)')
+    AUDIT_PARSER.add_argument(
+        '-f', '--filter',
+        action='store',
+        default='',
+        help='Filter by asset value (Ex: "something", "port:xxx", "engine:xxx", "version:xxx"')
+    AUDIT_PARSER.add_argument(
+        '-v', '--verbose',
+        action='store_true',
+        help='Verbose output of the account assets')
+    AUDIT_PARSER.add_argument(
+        '-b', '--brief',
+        action='store_true',
+        help='Brief output of the account assets')
+    AUDIT_PARSER.add_argument(
+        '-s', '--summary',
+        action='store_true',
+        help='Summary of the account assets')
+
     # DISCOVER Arguments
     DISCOVER_PARSER = SUBPARSERS.add_parser(
         'discover',
@@ -256,46 +328,19 @@ def main(verb, args):
         action='store_true',
         help='Summary of the account assets')
 
-    # AUDIT Arguments
-    AUDIT_PARSER = SUBPARSERS.add_parser(
-        'audit',
-        help='Audit AWS account to find security issues')
-    AUDIT_PARSER.add_argument(
+    # DRAW Arguments
+    DRAW_PARSER = SUBPARSERS.add_parser(
+        'draw',
+        help='Draw a threat model of your AWS account')
+    DRAW_PARSER.add_argument(
         'profile',
-        action='store',\
+        action='store',
         help='A valid profile name configured in the ~/.aws/config file')
-    AUDIT_PARSER.add_argument(
+    DRAW_PARSER.add_argument(
         '-t', '--type',
         action='append',
         choices=variables.META_TYPES,
         help='Types to display (default: display everything)')
-    AUDIT_PARSER.add_argument(
-        '-m', '--min-severity',
-        default='medium',
-        choices=variables.SEVERITY_LEVELS,
-        help='min severity level to report when security is enabled (default: medium)')
-    AUDIT_PARSER.add_argument(
-        '-M', '--max-severity',
-        default='high',
-        choices=variables.SEVERITY_LEVELS,
-        help='max severity level to report when security is enabled (default: high)')
-    AUDIT_PARSER.add_argument(
-        '-f', '--filter',
-        action='store',
-        default='',
-        help='Filter by asset value (Ex: "something", "port:xxx", "engine:xxx", "version:xxx"')
-    AUDIT_PARSER.add_argument(
-        '-v', '--verbose',
-        action='store_true',
-        help='Verbose output of the account assets')
-    AUDIT_PARSER.add_argument(
-        '-b', '--brief',
-        action='store_true',
-        help='Brief output of the account assets')
-    AUDIT_PARSER.add_argument(
-        '-s', '--summary',
-        action='store_true',
-        help='Summary of the account assets')
 
     # IAM Arguments
     IAM_PARSER = SUBPARSERS.add_parser(
@@ -351,6 +396,8 @@ def main(verb, args):
         VERB = 'audit'
     elif hasattr(ARGS, 'min_rights'):
         VERB = 'iam'
+    elif not hasattr(ARGS, 'filter'):
+        VERB = 'draw'
     if ARGS.no_color:
         CONSOLE = None
     main(VERB, ARGS)