A quick and dirty script to list out all security group settings on an AWS account. Barely tested, use at own risk, etc. Requires awscli to be installed.
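#!/usr/bin/env bash
# Requires: awscli (http://aws.amazon.com/cli/)
# Prints out a list of all security groups and their settings, just for quickly auditing it.
#
# Usage:
#   PROFILE=develop REGIONS='us-east-2 eu-west-1' ./aws_security_group_details.sh
#
# Environment:
#   PROFILE  awscli profile to use (default: develop)
#   REGIONS  space-separated regions to scan (default: us-east-2), or 'all'
#            to scan every region the profile can describe.
#
# Credentials come from the awscli profile (or the usual AWS_* environment
# variables / instance role); nothing is hard-coded here, so nothing ends up
# in `ps`, shell history or a pasted gist. The script only calls Describe*
# APIs and needs read-only permissions: ec2:DescribeRegions,
# ec2:DescribeSecurityGroups, ec2:DescribeInstances,
# ec2:DescribeNetworkInterfaces, rds:DescribeDBInstances and
# elasticloadbalancing:DescribeLoadBalancers.
#
# Output per region: one line per group, then one line per rule. Rules open to
# the world (0.0.0.0/0 or ::/0) are marked "(!!)", rules made redundant by such
# a rule are flagged, and groups attached to nothing in the region are flagged.
set -euo pipefail

PROFILE=${PROFILE:-develop}
REGIONS=${REGIONS:-us-east-2}

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print tab-separated field N of one line of `aws --output text`.
# Arguments: $1 - the line, $2 - 1-based field number
# Outputs:   the field on stdout (empty when the line has fewer fields)
#######################################
field() {
  # Quote the separator explicitly: an unquoted -F\t reaches awk as -Ft and only
  # works because awk special-cases "t" as tab.
  printf '%s\n' "$1" | awk -F '\t' -v n="$2" '{ print $n }'
}

#######################################
# Write the sorted, de-duplicated set of security-group ids reported by one
# awscli query to a file. A failed call aborts the run: an empty file must mean
# "nothing attached", never "the API call failed", or groups would be reported
# as unused by mistake.
# Globals:   PROFILE (read)
# Arguments: $1 - output file, $2 - region, $3.. - awscli command and --query
#######################################
fetch_ids() {
  local out=$1 region=$2
  shift 2
  aws "$@" --profile "$PROFILE" --region "$region" --output text \
    | tr '\t' '\n' | sort -u > "$out" \
    || die "aws $1 $2 failed for $region; refusing to guess which groups are unused"
}

#######################################
# Succeed if security-group id $1 appears as a whole line in any of the usage
# files $2..; whole-line fixed-string matching so that sg-1 does not "use" sg-12.
#######################################
is_used() {
  local sid=$1
  shift
  [[ -n "$sid" ]] || return 1
  grep -qxF -- "$sid" "$@"
}

#######################################
# Audit one region: dump its security groups and print them with usage,
# open-to-the-world and redundancy annotations.
# Globals:   PROFILE, SCRATCH (read)
# Arguments: $1 - region name
# Outputs:   the report on stdout
#######################################
scan_region() {
  local region=$1
  local gfile="$SCRATCH/groups" ec2file="$SCRATCH/ec2" rdsfile="$SCRATCH/rds"
  local elbfile="$SCRATCH/elb" enifile="$SCRATCH/eni"

  printf '=> %s\n' "$region"

  # Grab all the security group info for this region in one call.
  aws ec2 describe-security-groups --profile "$PROFILE" --region "$region" \
    --output text > "$gfile" \
    || die "describe-security-groups failed for $region"

  # Grab the ids of groups that are actually attached to something.
  fetch_ids "$ec2file" "$region" ec2 describe-instances \
    --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId'
  fetch_ids "$rdsfile" "$region" rds describe-db-instances \
    --query 'DBInstances[*].VpcSecurityGroups[*].VpcSecurityGroupId'
  fetch_ids "$elbfile" "$region" elb describe-load-balancers \
    --query 'LoadBalancerDescriptions[*].SecurityGroups[*]'
  # Every ENI in the region (Lambda, ALB/NLB, NAT gateways, ...) — catches
  # attachments the three service-specific calls above do not see.
  fetch_ids "$enifile" "$region" ec2 describe-network-interfaces \
    --query 'NetworkInterfaces[*].Groups[*].GroupId'

  # Rule state carried from an IPPERMISSIONS* line to the IPRANGES /
  # USERIDGROUPPAIRS lines that follow it.
  local line sid gname extra cidr peer_gid peer_name key
  local direction='' proto='' inport='' outport=''
  # "<direction> <proto>:<from>-<to>" of the last world-open v4 / v6 rule seen in
  # the current group; later rules for the same combo are redundant.
  local open_v4='' open_v6=''

  # Read in the current shell (no `cat |` subshell) and leave the global IFS alone.
  while IFS= read -r line || [[ -n "$line" ]]; do
    case "$line" in
      # Group header; text fields are Description, GroupId, GroupName, ...
      SECURITYGROUPS*)
        open_v4=''
        open_v6=''
        sid=$(field "$line" 3)
        gname=$(field "$line" 4)
        extra=''
        if ! is_used "$sid" "$ec2file" "$rdsfile" "$elbfile" "$enifile"; then
          extra=" <= ** Not currently used by any EC2, RDS, ELB instance or network interface in this region!"
        fi
        printf ' => %s (%s) %s\n' "$sid" "$gname" "$extra"
        ;;
      # Rule header; text fields are FromPort, IpProtocol, ToPort. The plain
      # IPPERMISSIONS pattern also matches the egress line, so tell them apart
      # here instead of reporting egress rules as if they were ingress.
      IPPERMISSIONSEGRESS*|IPPERMISSIONS*)
        if [[ "$line" == IPPERMISSIONSEGRESS* ]]; then
          direction=egress
        else
          direction=ingress
        fi
        inport=$(field "$line" 2)
        proto=$(field "$line" 3)
        outport=$(field "$line" 4)
        # All-traffic rules (protocol -1) carry no ports, so the line has only
        # two fields and field 2 is the protocol.
        if [[ -z "$proto" ]]; then
          proto=$inport
          inport=all
          outport=all
        fi
        ;;
      IPRANGES*)
        extra=''
        cidr=$(field "$line" 2)
        key="$direction $proto:$inport-$outport"
        # If a /0 rule was already seen for this port combo, this rule is redundant!
        if [[ -n "$open_v4" && "$open_v4" == "$key" ]]; then
          extra=" <= ** Redundant, /0 was already specified for $open_v4."
        fi
        # Open to the world: mark it as potentially dangerous and remember it,
        # as it makes later rules for the same port combo redundant.
        if [[ "$cidr" == "0.0.0.0/0" ]]; then
          extra=" (!!)"
          open_v4=$key
        fi
        printf ' => %s %s:%s->%s\t\t%s %s\n' "$direction" "$proto" "$inport" "$outport" "$cidr" "$extra"
        ;;
      IPV6RANGES*)
        extra=''
        cidr=$(field "$line" 2)
        key="$direction $proto:$inport-$outport"
        if [[ -n "$open_v6" && "$open_v6" == "$key" ]]; then
          extra=" <= ** Redundant, ::/0 was already specified for $open_v6."
        fi
        if [[ "$cidr" == "::/0" ]]; then
          extra=" (!!)"
          open_v6=$key
        fi
        printf ' => %s %s:%s->%s\t\t%s %s\n' "$direction" "$proto" "$inport" "$outport" "$cidr" "$extra"
        ;;
      USERIDGROUPPAIRS*)
        extra=''
        peer_gid=$(field "$line" 2)
        peer_name=$(field "$line" 3)
        key="$direction $proto:$inport-$outport"
        # A group-to-group rule adds nothing once the same combo is open to the world.
        if [[ -n "$open_v4" && "$open_v4" == "$key" ]] || [[ -n "$open_v6" && "$open_v6" == "$key" ]]; then
          extra=" <= ** Redundant, /0 was already specified for $key."
        fi
        printf ' => %s %s:%s->%s\t\t%s (%s) %s\n' "$direction" "$proto" "$inport" "$outport" "$peer_gid" "$peer_name" "$extra"
        ;;
    esac
  done < "$gfile"
}

main() {
  command -v aws >/dev/null || die "awscli not found in PATH"

  # Scratch files live in a private mktemp directory rather than fixed names
  # under /tmp (which another local user could pre-create or symlink), and are
  # removed on every exit path.
  SCRATCH=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${SCRATCH:?}"' EXIT

  local -a regions
  local list
  if [[ "$REGIONS" == all ]]; then
    # Any region answers this call; us-east-2 is kept from the original.
    list=$(aws ec2 describe-regions --query 'Regions[].RegionName' \
      --profile "$PROFILE" --region us-east-2 --output text) \
      || die "describe-regions failed"
    read -r -a regions <<<"$list"
  else
    read -r -a regions <<<"$REGIONS"
  fi
  (( ${#regions[@]} > 0 )) || die "no regions to scan"

  local region
  for region in "${regions[@]}"; do
    scan_region "$region"
  done
}

main "$@"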