bearmini/iam-cert-check.sh

Detects if any IAM cert is used in the specified AWS accounts
#!/usr/bin/env bash
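# ANSI colour codes. The doubled backslash leaves a literal "\033" in the
# variable, so they only become escape sequences when printed with `echo -e`
# (or printf '%b').
readonly RED="\\033[1;31m"
readonly GREEN="\\033[1;32m"
readonly RESET="\\033[0m"

# At least one profile name is required. Usage text is a diagnostic and
# belongs on stderr, so piping stdout into a report does not capture it.
if [[ -z "${1:-}" ]]; then
  echo "usage: $0 <profile> ..." >&2
  exit 1
fi

# Both tools are hard requirements; check them up front so the script fails
# before the first profile is touched rather than half-way through a scan.
for tool in aws jq; do
  command -v "$tool" > /dev/null 2>&1 || {
    echo "\`$tool\` command is required." >&2
    exit 1
  }
done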
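#######################################
# Print every non-empty line of a string with a prefix in front of it.
# Arguments: $1 - prefix, $2 - newline-separated text (e.g. IDs or ARNs)
# Outputs:   one prefixed line per input line on stdout
# Returns:   0
#######################################
indent_print() {
  local prefix=$1
  local line
  # Read line by line instead of `for line in $2`: that unquoted expansion
  # glob-expands any `*`/`?` found in the (API-supplied) text and splits on
  # every space, and `echo "$line"` mangles values such as "-n".
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -n "$line" ]] || continue
    printf '%s%s\n' "$prefix" "$line"
  done <<<"$2"
}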
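#######################################
# Report CloudFront distributions whose viewer certificate comes from IAM.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
# Outputs:   status lines on stdout
# Returns:   0 normally, 1 if the API call failed
#######################################
check_cloudfront() {
  local profile=$1
  local raw result
  echo "checking CloudFront ..."
  # Run the API call on its own: inside `$( aws ... | jq ... )` a failed call
  # (e.g. bad profile or missing permission) yields an empty result, which
  # used to be reported as "OK" — a silent false negative.
  if ! raw="$( aws cloudfront list-distributions --profile "$profile" )"; then
    echo -e "$RED ERROR: list-distributions failed for profile $profile.$RESET"
    return 1
  fi
  # `Items[]?` keeps jq quiet when the list carries no Items key at all.
  result="$( jq -r '.DistributionList.Items[]? | select( .ViewerCertificate.CertificateSource == "iam") | .Id' <<<"$raw" )"
  if [[ -z "$result" ]]; then
    echo -e "$GREEN OK.$RESET"
  else
    echo -e "$RED FOUND.$RESET"
    indent_print " " "$result"
  fi
  echo "done."
  echo
}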
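#######################################
# Report classic load balancers with a listener that uses an IAM certificate.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
#            $2 - whitespace-separated list of region names
# Outputs:   status lines on stdout
# Returns:   0
#######################################
check_elb() {
  local profile=$1
  local regions=$2
  local region raw result
  echo "checking Elastic Load Balancers ..."
  # $regions is deliberately a whitespace-separated list; region names
  # contain no spaces or glob characters.
  for region in $regions; do
    echo "region $region"
    # Separate API call so a failure is surfaced instead of being collapsed
    # into an empty result and reported as "OK".
    if ! raw="$( aws elb describe-load-balancers --profile "$profile" --region "$region" )"; then
      echo -e "$RED ERROR: describe-load-balancers failed in $region.$RESET"
      continue
    fi
    # A load balancer name is emitted once per matching listener.
    result="$( jq -r '.LoadBalancerDescriptions[] | select(.ListenerDescriptions[] | objects | .Listener.SSLCertificateId | strings | test(":iam:")) | .LoadBalancerName' <<<"$raw" )"
    if [[ -z "$result" ]]; then
      echo -e "$GREEN OK.$RESET"
    else
      echo -e "$RED FOUND.$RESET"
      indent_print " " "$result"
    fi
  done
  echo "done."
  echo
}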
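#######################################
# Report ELBv2 (ALB/NLB) listener certificates that are IAM server certificates.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
#            $2 - whitespace-separated list of region names
# Outputs:   status lines on stdout
# Returns:   0
#######################################
check_elbv2() {
  local profile=$1
  local regions=$2
  local region raw arn listeners result
  local -a arns
  echo "checking Elastic Load Balancers v2 ..."
  # $regions is deliberately a whitespace-separated list; region names
  # contain no spaces or glob characters.
  for region in $regions; do
    echo "region $region"
    # Separate API calls so a failure is surfaced instead of being collapsed
    # into an empty result and reported as "OK".
    if ! raw="$( aws elbv2 describe-load-balancers --profile "$profile" --region "$region" )"; then
      echo -e "$RED ERROR: describe-load-balancers failed in $region.$RESET"
      continue
    fi
    mapfile -t arns < <( jq -r '.LoadBalancers[].LoadBalancerArn' <<<"$raw" )
    for arn in "${arns[@]}"; do
      [[ -n "$arn" ]] || continue
      echo " $arn"
      if ! listeners="$( aws elbv2 describe-listeners --load-balancer-arn "$arn" --profile "$profile" --region "$region" )"; then
        echo -e "$RED ERROR: describe-listeners failed for $arn.$RESET"
        continue
      fi
      result="$( jq -r '.Listeners[].Certificates[]? | select( .CertificateArn | test(":iam:.*server-certificate")) | .CertificateArn' <<<"$listeners" )"
      if [[ -z "$result" ]]; then
        echo -e "$GREEN OK.$RESET"
      else
        echo -e "$RED FOUND.$RESET"
        indent_print " " "$result"
      fi
    done
  done
  echo "done."
  echo
}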
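#######################################
# Report Elastic Beanstalk environments whose option settings reference an
# IAM server certificate.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
#            $2 - whitespace-separated list of region names
# Outputs:   status lines on stdout
# Returns:   0
#######################################
check_eb() {
  local profile=$1
  local regions=$2
  local region raw row app env settings result
  local -a rows
  echo "checking Elastic Beanstalk ..."
  # $regions is deliberately a whitespace-separated list; region names
  # contain no spaces or glob characters.
  for region in $regions; do
    echo "region $region"
    # Separate API calls so a failure is surfaced instead of being collapsed
    # into an empty result and reported as "OK".
    if ! raw="$( aws elasticbeanstalk describe-environments --profile "$profile" --region "$region" )"; then
      echo -e "$RED ERROR: describe-environments failed in $region.$RESET"
      continue
    fi
    # One "app<TAB>env" line per environment. Reading whole lines replaces the
    # old `for row in $csv` + cut/sed parsing, which split on spaces and so
    # broke any application name containing whitespace.
    mapfile -t rows < <( jq -r '.Environments[] | [.ApplicationName, .EnvironmentName] | @tsv' <<<"$raw" )
    for row in "${rows[@]}"; do
      IFS=$'\t' read -r app env <<<"$row"
      [[ -n "$app" ]] || continue
      echo " $app - $env"
      if ! settings="$( aws elasticbeanstalk describe-configuration-settings --application-name "$app" --environment-name "$env" --profile "$profile" --region "$region" )"; then
        echo -e "$RED ERROR: describe-configuration-settings failed for $app - $env.$RESET"
        continue
      fi
      result="$( jq -r '.ConfigurationSettings[].OptionSettings[] | select( .Value | strings | test(":iam:.*:server-certificate") ) | .Value ' <<<"$settings" )"
      if [[ -z "$result" ]]; then
        echo -e "$GREEN OK.$RESET"
      else
        echo -e "$RED FOUND.$RESET"
        indent_print " " "$result"
      fi
    done
  done
  echo "done."
  echo
}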
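#######################################
# Report API Gateway custom domain names that carry no certificateArn.
# Such domains presumably use an IAM-uploaded certificate rather than an
# ACM one, so they are flagged as FOUND.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
#            $2 - whitespace-separated list of region names
# Outputs:   status lines on stdout
# Returns:   0
#######################################
check_api_gateway() {
  local profile=$1
  local regions=$2
  local region raw result
  echo "checking API Gateway ..."
  # $regions is deliberately a whitespace-separated list; region names
  # contain no spaces or glob characters.
  for region in $regions; do
    echo "region $region"
    # Separate API call so a failure is surfaced instead of being collapsed
    # into an empty result and reported as "OK".
    if ! raw="$( aws apigateway get-domain-names --profile "$profile" --region "$region" )"; then
      echo -e "$RED ERROR: get-domain-names failed in $region.$RESET"
      continue
    fi
    result="$( jq -r '.items[] | select( has("certificateArn") | not ) | .domainName' <<<"$raw" )"
    if [[ -z "$result" ]]; then
      echo -e "$GREEN OK.$RESET"
    else
      echo -e "$RED FOUND.$RESET"
      indent_print " " "$result"
    fi
  done
  echo "done."
  echo
}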
# Check whether any IAM server certificate is in use in AWS services (CloudFront, Elastic Load Balancer, Elastic Beanstalk, API Gateway etc.) for each profile given on the command line.
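# The region list is discovered once with the *default* credentials (no
# --profile), so working default credentials are required even though every
# check below runs under the profiles given on the command line.
regions="$( aws ec2 describe-regions | jq -r '.Regions[].RegionName' )"
if [[ -z "$regions" ]]; then
  # With an empty region list every per-region check loops zero times and
  # still prints "done." — a silent false negative. Refuse to continue.
  echo "could not determine the list of regions (does 'aws ec2 describe-regions' work with the default credentials?)" >&2
  exit 1
fi

for profile in "$@"; do
  # An empty argument marks the end of the profile list.
  [[ -n "$profile" ]] || exit 0
  echo
  echo "##############################"
  echo
  echo "checking profile $profile"
  echo
  echo "##############################"
  echo
  check_cloudfront "$profile"
  check_elb "$profile" "$regions"
  check_elbv2 "$profile" "$regions"
  check_eb "$profile" "$regions"
  check_api_gateway "$profile" "$regions"
done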