Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

View breser's full-sized avatar

Ben Reser breser

57 followers · 1 following
View GitHub Profile
@breser
breser / gist:a9801ea9bc6c9600c49c1cbc92d508c7
Created June 19, 2018 20:10
DEBUG output: aws_default_subnet doesn't set map_public_ip_on_launch on first run.
2018/06/19 12:55:52 [INFO] Terraform version: 0.11.7 41e50bd32a8825a84535e353c3674af8ce799161
2018/06/19 12:55:52 [INFO] Go runtime version: go1.10.1
2018/06/19 12:55:52 [INFO] CLI args: []string{"/Users/reserb/bin/terraform", "apply"}
2018/06/19 12:55:52 [DEBUG] Attempting to open CLI config file: /Users/reserb/.terraformrc
2018/06/19 12:55:52 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2018/06/19 12:55:52 [INFO] CLI command args: []string{"apply"}
2018/06/19 12:55:52 [INFO] command: empty terraform config, returning nil
2018/06/19 12:55:52 [DEBUG] command: no data state file found for backend config
2018/06/19 12:55:52 [DEBUG] New state was assigned lineage "c6a3495d-8bb9-c961-8b9d-d6401ab158e0"
2018/06/19 12:55:52 [INFO] command: backend initialized: <nil>
@breser
breser / audit-ec2-store.sh
Created August 16, 2019 16:21
Audit EBS Storage for overly open permissions.
#!/bin/bash
# Audit EBS Storage
# Looks for AWS Storage that is externally shared outside of the
# AWS Organization. This is a reaction to:
# https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Morris
# https://techcrunch.com/2019/08/09/aws-ebs-cloud-backups-leak/
#
# Assumes that ~/.aws/credentials has credentials to the root account for the
# AWS Organization. Assumes that the user/role you're logged into in the
@breser
breser / remove_unused_default_vpcs.sh
Last active February 19, 2021 02:13
remove_unused_default_vpcs.sh
#!/bin/bash
# Delete Default VPCs
# Deletes Default VPCs across an entire organization if there are no ENIs in
# the default VPC.
#
# Assumes that ~/.aws/credentials has credentials to the root account for the
# AWS Organization. Assumes that the user/role you're logged into in the
# root account has permissions to assume the OrganizationAccountAccessRole in
# each member account. Requires jq and aws cli be installed on the path.
@breser
breser / aws_imdsv2_software.md
Last active January 26, 2022 17:45
AWS IMDSv2 Software Versions

Software versions that add support for AWS IMDSv2. Versions including and after this version should have support for this. The point of this list is to make it easier to communicate to developers what they need to upgrade to in order to be able to disable IMDSv1.

Software with IMDSv2 support

AWS CLI version unclear - This uses boto3 see below.

AWS Java SDK 1.11.678 - https://github.com/aws/aws-sdk-java/commit/06a2180efe02da1a0b6efcc693efc8e2de355eb7

AWS GoLang SDK 0.19.0 - https://github.com/aws/aws-sdk-go-v2/releases/tag/v0.19.0

@breser
breser / disable_guardduty_eks_support_org_wide.sh
Last active February 3, 2022 17:53
#!/bin/bash
# Disables EKS features of GuardDuty that have been automatically enabled.
# Run from the account that is your GuardDuty delegated admin account.
# Assumes that GuardDuty is enabled in all regions with a single detector and that auto-enable is turned on.
# If it isn't on in all regions you may need to adjust how you populate the list or regions.
# If you don't want auto-enable turned on change --auto-enable to --no-auto-enable
# If you have multiple detectors, I leave it as an excercise to the reader to deal with that.
# xargs is used since update-member-detectors has an apparent limit of 12 accounts per call