bearmini/iam-cert-check.sh

## iam-cert-check.sh
#!/usr/bin/env bash
RED="\\033[1;31m"
GREEN="\\033[1;32m"
RESET="\\033[0m"

if [ "$1" == "" ]; then
  echo "usage: $0 <profile> ..."
  exit 1
fi

command -v aws > /dev/null 2>&1 || {
  echo "\`aws\` command is required."
  exit 1
}

command -v jq > /dev/null 2>&1 || {
  echo "\`jq\` command is required."
  exit 1
}

indent_print() {
  for line in $2; do
    echo -n "$1"
    echo "$line"
  done
}

check_cloudfront() {
  profile=$1

  echo "checking CloudFront ..."
  result="$( aws cloudfront list-distributions --profile "$profile" | jq -r '.DistributionList.Items[] | select( .ViewerCertificate.CertificateSource == "iam") | .Id' )"
  if [ "$result" == "" ]; then
    echo -e "$GREEN  OK.$RESET"
  else
    echo -e "$RED  FOUND.$RESET"
    indent_print "    " "$result"
  fi
  echo "done."
  echo
}

check_elb() {
  profile=$1
  regions=$2

  echo "checking Elastic Load Balancers ..."
  for region in $regions; do
    echo "region $region"
    result="$( aws elb describe-load-balancers --profile "$profile" --region "$region" | jq -r '.LoadBalancerDescriptions[] | select(.ListenerDescriptions[] | objects | .Listener.SSLCertificateId | strings | test(":iam:")) | .LoadBalancerName' )"
    if [ "$result" == "" ]; then
      echo -e "$GREEN  OK.$RESET"
    else
      echo -e "$RED  FOUND.$RESET"
      indent_print "    " "$result"
    fi
  done
  echo "done."
  echo
}

check_elbv2() {
  profile=$1
  regions=$2

  echo "checking Elastic Load Balancers v2 ..."
  for region in $regions; do
    echo "region $region"
    arns="$( aws elbv2 describe-load-balancers --profile "$profile" --region "$region" | jq -r '.LoadBalancers[].LoadBalancerArn' )"
    for arn in $arns; do
      echo "  $arn"
      result="$( aws elbv2 describe-listeners --load-balancer-arn "$arn" --profile "$profile" --region "$region" | jq -r '.Listeners[].Certificates[]? | select( .CertificateArn | test(":iam:.*server-certificate")) | .CertificateArn' )"
      if [ "$result" == "" ]; then
        echo -e "$GREEN    OK.$RESET"
      else
        echo -e "$RED    FOUND.$RESET"
        indent_print "      " "$result"
      fi
    done
  done
  echo "done."
  echo
}

check_eb() {
  profile=$1
  regions=$2

  echo "checking Elastic Beanstalk ..."
  for region in $regions; do
    echo "region $region"
    apps_and_envs="$( aws elasticbeanstalk describe-environments --profile "$profile" --region "$region" | jq -r '.Environments[] | [.ApplicationName, .EnvironmentName] | @csv' )"
    for row in $apps_and_envs; do
      app="$( echo "$row" | cut -d , -f 1 | sed -e 's/^"//' -e 's/"$//' )"
      env="$( echo "$row" | cut -d , -f 2 | sed -e 's/^"//' -e 's/"$//' )"
      echo "  $app - $env"
      result="$( aws elasticbeanstalk describe-configuration-settings --application-name "$app" --environment-name "$env" --profile "$profile" --region "$region" | jq -r '.ConfigurationSettings[].OptionSettings[] | select( .Value | strings | test(":iam:.*:server-certificate") ) | .Value ' )"
      if [ "$result" == "" ]; then
        echo -e "$GREEN    OK.$RESET"
      else
        echo -e "$RED    FOUND.$RESET"
        indent_print "      " "$result"
      fi
    done
  done
  echo "done."
  echo

}

check_api_gateway() {
  profile=$1
  regions=$2

  echo "chcking API Gateway ..."
  for region in $regions; do
    echo "region $region"
    result="$( aws apigateway get-domain-names --profile "$profile" --region "$region" | jq -r '.items[] | select( has("certificateArn") | not ) | .domainName' )"
    if [ "$result" == "" ]; then
      echo -e "$GREEN    OK.$RESET"
    else
      echo -e "$RED    FOUND.$RESET"
      indent_print "      " "$result"
    fi
  done
  echo "done."
  echo
}


# find if any IAM cert is used or not in AWS services (CloudFront, Elastic Load Balancer, Elastic Beanstalk, API Gateway etc.)

regions="$( aws ec2 describe-regions | jq -r '.Regions[].RegionName' )"

while true; do
  profile=$1
  shift
  if [ "$profile" == "" ]; then
    exit 0
  fi
  echo
  echo "##############################"
  echo
  echo "checking profile $profile"
  echo
  echo "##############################"
  echo

  check_cloudfront "$profile"
  check_elb "$profile" "$regions"
  check_elbv2 "$profile" "$regions"
  check_eb "$profile" "$regions"
  check_api_gateway "$profile" "$regions"

done
	#!/usr/bin/env bash
	RED="\\033[1;31m"
	GREEN="\\033[1;32m"
	RESET="\\033[0m"

	if [ "$1" == "" ]; then
	echo "usage: $0 <profile> ..."
	exit 1
	fi

	command -v aws > /dev/null 2>&1 \|\| {
	echo "\`aws\` command is required."
	exit 1
	}

	command -v jq > /dev/null 2>&1 \|\| {
	echo "\`jq\` command is required."
	exit 1
	}

	indent_print() {
	for line in $2; do
	echo -n "$1"
	echo "$line"
	done
	}

	check_cloudfront() {
	profile=$1

	echo "checking CloudFront ..."
	result="$( aws cloudfront list-distributions --profile "$profile" \| jq -r '.DistributionList.Items[] \| select( .ViewerCertificate.CertificateSource == "iam") \| .Id' )"
	if [ "$result" == "" ]; then
	echo -e "$GREEN OK.$RESET"
	else
	echo -e "$RED FOUND.$RESET"
	indent_print " " "$result"
	fi
	echo "done."
	echo
	}

	check_elb() {
	profile=$1
	regions=$2

	echo "checking Elastic Load Balancers ..."
	for region in $regions; do
	echo "region $region"
	result="$( aws elb describe-load-balancers --profile "$profile" --region "$region" \| jq -r '.LoadBalancerDescriptions[] \| select(.ListenerDescriptions[] \| objects \| .Listener.SSLCertificateId \| strings \| test(":iam:")) \| .LoadBalancerName' )"
	if [ "$result" == "" ]; then
	echo -e "$GREEN OK.$RESET"
	else
	echo -e "$RED FOUND.$RESET"
	indent_print " " "$result"
	fi
	done
	echo "done."
	echo
	}

	check_elbv2() {
	profile=$1
	regions=$2

	echo "checking Elastic Load Balancers v2 ..."
	for region in $regions; do
	echo "region $region"
	arns="$( aws elbv2 describe-load-balancers --profile "$profile" --region "$region" \| jq -r '.LoadBalancers[].LoadBalancerArn' )"
	for arn in $arns; do
	echo " $arn"
	result="$( aws elbv2 describe-listeners --load-balancer-arn "$arn" --profile "$profile" --region "$region" \| jq -r '.Listeners[].Certificates[]? \| select( .CertificateArn \| test(":iam:.*server-certificate")) \| .CertificateArn' )"
	if [ "$result" == "" ]; then
	echo -e "$GREEN OK.$RESET"
	else
	echo -e "$RED FOUND.$RESET"
	indent_print " " "$result"
	fi
	done
	done
	echo "done."
	echo
	}

	check_eb() {
	profile=$1
	regions=$2

	echo "checking Elastic Beanstalk ..."
	for region in $regions; do
	echo "region $region"
	apps_and_envs="$( aws elasticbeanstalk describe-environments --profile "$profile" --region "$region" \| jq -r '.Environments[] \| [.ApplicationName, .EnvironmentName] \| @csv' )"
	for row in $apps_and_envs; do
	app="$( echo "$row" \| cut -d , -f 1 \| sed -e 's/^"//' -e 's/"$//' )"
	env="$( echo "$row" \| cut -d , -f 2 \| sed -e 's/^"//' -e 's/"$//' )"
	echo " $app - $env"
	result="$( aws elasticbeanstalk describe-configuration-settings --application-name "$app" --environment-name "$env" --profile "$profile" --region "$region" \| jq -r '.ConfigurationSettings[].OptionSettings[] \| select( .Value \| strings \| test(":iam:.*:server-certificate") ) \| .Value ' )"
	if [ "$result" == "" ]; then
	echo -e "$GREEN OK.$RESET"
	else
	echo -e "$RED FOUND.$RESET"
	indent_print " " "$result"
	fi
	done
	done
	echo "done."
	echo

	}

	check_api_gateway() {
	profile=$1
	regions=$2

	echo "chcking API Gateway ..."
	for region in $regions; do
	echo "region $region"
	result="$( aws apigateway get-domain-names --profile "$profile" --region "$region" \| jq -r '.items[] \| select( has("certificateArn") \| not ) \| .domainName' )"
	if [ "$result" == "" ]; then
	echo -e "$GREEN OK.$RESET"
	else
	echo -e "$RED FOUND.$RESET"
	indent_print " " "$result"
	fi
	done
	echo "done."
	echo
	}


	# find if any IAM cert is used or not in AWS services (CloudFront, Elastic Load Balancer, Elastic Beanstalk, API Gateway etc.)

	regions="$( aws ec2 describe-regions \| jq -r '.Regions[].RegionName' )"

	while true; do
	profile=$1
	shift
	if [ "$profile" == "" ]; then
	exit 0
	fi
	echo
	echo "##############################"
	echo
	echo "checking profile $profile"
	echo
	echo "##############################"
	echo

	check_cloudfront "$profile"
	check_elb "$profile" "$regions"
	check_elbv2 "$profile" "$regions"
	check_eb "$profile" "$regions"
	check_api_gateway "$profile" "$regions"

	done