@alsmola
alsmola / okta_aws_account_access.go
Last active February 10, 2021 21:37
List Okta account access to AWS IAM roles
package main
import (
"context"
"encoding/csv"
"errors"
"fmt"
"log"
"os"
"regexp"
@alsmola
alsmola / background.js
Created September 12, 2020 18:41
Chrome extension to use AWS IoT Credentials Endpoint
'use strict';
chrome.runtime.onMessage.addListener(
function (request, sender, sendResponse) {
if (request.contentScriptQuery == "getCredentials") {
const url = "https://{credentials-endpoint}.credentials.iot.us-east-1.amazonaws.com/role-aliases/chromeiot/credentials";
const params = { headers: { "x-amzn-iot-thingname": "{thingName}" } }
fetch(url, params)
.then(response => response.json())
.then(data => sendResponse(data.credentials));
@alsmola
alsmola / aws_multifactorauthpresent.snippet
Last active March 29, 2020 17:45
Use of aws:MultiFactorAuthPresent global condition context key
/* Dangerous - allows long-term access keys */
...
"Effect": "Deny",
"Condition":
{ "Bool": {"aws:MultiFactorAuthPresent": "false"}}
...
"Effect": "Allow",
"Condition":
{"Null": {"aws:MultiFactorAuthPresent": "false"}}
...
@alsmola
alsmola / clever-openvpn-split-tunnel-config.md
Created March 21, 2020 22:01
Settings for Clever OpenVPN Split Tunnel

From https://www.smartspate.com/bypass-website-blocking-without-directing-traffic-vpn/

Advanced VPN > Additional OpenVPN Config Directives
push "route 44.228.121.66 255.255.255.255 vpn_gateway" # DEIP databases
push "route 54.203.187.138 255.255.255.255 vpn_gateway"
push "route 54.188.185.98 255.255.255.255 vpn_gateway"
push "route 44.231.10.48 255.255.255.255 vpn_gateway"
push "route 35.167.142.219 255.255.255.255 vpn_gateway"
push "route 54.70.205.111 255.255.255.255 vpn_gateway"
@alsmola
alsmola / VerifyCognitoALBToken.js
Created February 3, 2020 04:37
Verifies ALB token from Cognito
// Get OIDC JWT from headers
const encodeJwt = req.headers["x-amzn-oidc-data"];
const jwtHeaders = encodeJwt.split(".")[0];
const decodedJwtHeaders = Buffer.from(jwtHeaders, "base64");
const decodedJson = JSON.parse(decodedJwtHeaders);
const kid = decodedJson["kid"];
// Lookup ALB public key for JWT
const region = "us-east-1";
const url = `https://public-keys.auth.elb.${region}.amazonaws.com/${kid}`;
@alsmola
alsmola / gsuite_saml_cognito_alb.tf
Created February 1, 2020 18:19
ALB for gsuite-saml-cognito
resource "aws_lb" "app1" {
name = "App1"
internal = false
load_balancer_type = "application"
security_groups = ["<your-security-group>"]
subnets = ["<your-subnet-id>"]
}
resource "aws_lb_target_group" "app1" {
name = "App1"
@alsmola
alsmola / README.md
Last active December 27, 2019 04:53
Using session policies to limit IAM role access

Session Policy Example

First, upload test files to an S3 bucket you control (replace YOUR_BUCKET_NAME) in two directories representing isolated namespaces (123 and 124).

echo "123" > test.txt
aws s3 cp test.txt s3://YOUR_BUCKET_NAME/123/test.txt
echo "124" > test.txt
aws s3 cp test.txt s3://YOUR_BUCKET_NAME/124/test.txt
function hide {
export OLD_PS1=${PS1}
set +o history
PS1="\e[41m $PS1 \e[m"
}
function show {
set -o history
PS1=${OLD_PS1}
}
@alsmola
alsmola / cloudtrail_partition_create_athena_table.sql
Last active August 23, 2023 10:28
cloudtrail_partition_create_athena_table
CREATE EXTERNAL TABLE cloudtrail_logs (
eventversion STRING,
userIdentity STRUCT<
  type:STRING,
  principalid:STRING,
  arn:STRING,
  accountid:STRING,
  invokedby:STRING,
  accesskeyid:STRING,
  userName:STRING,
@alsmola
alsmola / cloudtrail_partitions.js
Last active November 23, 2021 08:51
cloudtrail_partitions
'use strict';
console.log('Loading function');
const aws = require('aws-sdk');
aws.config.update({region: 'us-east-1'});
const s3 = new aws.S3({ apiVersion: '2006-03-01' });
const ddb = new aws.DynamoDB({apiVersion: '2012-10-08'});
const athena = new aws.Athena();