Detects if any IAM cert is used in the specified AWS accounts
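#!/usr/bin/env bash
# Audit one or more AWS profiles for server certificates that are still
# stored in IAM (as opposed to ACM) and referenced by CloudFront, Elastic
# Load Balancers (classic and v2), Elastic Beanstalk or API Gateway.
#
# Usage: $0 <profile> ...
# Requires: the `aws` CLI and `jq`, plus credentials for every named profile.

# ANSI colour sequences. They are stored as literal backslash escapes
# (the double backslash inside double quotes yields a single one) and are
# expanded by `echo -e` at print time.
readonly RED="\\033[1;31m"
readonly GREEN="\\033[1;32m"
readonly RESET="\\033[0m"

# Usage and dependency errors go to stderr so that stdout stays a clean
# report that can be redirected or diffed on its own.
if [[ -z "${1:-}" ]]; then
  echo "usage: $0 <profile> ..." >&2
  exit 1
fi
command -v aws > /dev/null 2>&1 || {
  echo "\`aws\` command is required." >&2
  exit 1
}
command -v jq > /dev/null 2>&1 || {
  echo "\`jq\` command is required." >&2
  exit 1
}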
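#######################################
# Print every line of a multi-line string with a fixed prefix.
# Arguments:
#   $1 - prefix to put in front of each line (e.g. a run of spaces)
#   $2 - text to print; one output line per input line (blank lines are
#        skipped, matching the previous word-splitting behaviour)
# Outputs:   prefixed lines on stdout
# Returns:   0
#######################################
indent_print() {
  local prefix=$1
  local line
  # Read line by line instead of word-splitting $2: a resource id or name
  # that contains spaces (or glob characters) must be printed intact, not
  # broken into one "line" per word.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -n "$line" ]] || continue
    printf '%s%s\n' "$prefix" "$line"
  done <<<"$2"
  return 0
}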
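#######################################
# Report CloudFront distributions whose viewer certificate comes from IAM.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
# Outputs:   status lines on stdout; the aws CLI reports API errors on stderr
# Returns:   0 when the check ran (found or not), 1 when the API call failed
#######################################
check_cloudfront() {
  local profile=$1
  local raw result
  echo "checking CloudFront ..."
  # Run the API call on its own rather than piping it straight into jq: in a
  # pipeline the exit status of `aws` is lost, so an authentication or
  # permission failure would yield an empty result and be reported as "OK".
  # For an audit that false negative is worse than no answer.
  if ! raw="$( aws cloudfront list-distributions --profile "$profile" )"; then
    echo -e "$RED ERROR: aws cloudfront list-distributions failed; not verified.$RESET"
    echo "done."
    echo
    return 1
  fi
  # `Items[]?` tolerates an account with no distributions, where the
  # `Items` key is absent and a plain `Items[]` would make jq error out.
  result="$( jq -r '.DistributionList.Items[]? | select( .ViewerCertificate.CertificateSource == "iam") | .Id' <<<"$raw" )"
  if [[ -z "$result" ]]; then
    echo -e "$GREEN OK.$RESET"
  else
    echo -e "$RED FOUND.$RESET"
    indent_print " " "$result"
  fi
  echo "done."
  echo
}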
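#######################################
# Report classic Elastic Load Balancers that have a listener whose
# SSLCertificateId points at an IAM certificate, per region.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
#            $2 - region names, one per line
# Outputs:   status lines on stdout; the aws CLI reports API errors on stderr
# Returns:   0 when every region was checked, 1 if any API call failed
#######################################
check_elb() {
  local profile=$1
  local regions=$2
  local region raw result rv=0
  echo "checking Elastic Load Balancers ..."
  # $regions holds one region name per line and region names contain no
  # whitespace, so word-splitting the list is safe here.
  for region in $regions; do
    echo "region $region"
    # Capture the API call separately from jq so that a failed call
    # (auth, permission, throttling) is reported instead of passing as "OK".
    if ! raw="$( aws elb describe-load-balancers --profile "$profile" --region "$region" )"; then
      echo -e "$RED ERROR: aws elb describe-load-balancers failed; region not verified.$RESET"
      rv=1
      continue
    fi
    result="$( jq -r '.LoadBalancerDescriptions[] | select(.ListenerDescriptions[] | objects | .Listener.SSLCertificateId | strings | test(":iam:")) | .LoadBalancerName' <<<"$raw" )"
    if [[ -z "$result" ]]; then
      echo -e "$GREEN OK.$RESET"
    else
      echo -e "$RED FOUND.$RESET"
      indent_print " " "$result"
    fi
  done
  echo "done."
  echo
  return "$rv"
}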
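#######################################
# Report ELBv2 (application/network) load balancer listeners that reference
# an IAM server certificate, per region and per load balancer.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
#            $2 - region names, one per line
# Outputs:   status lines on stdout; the aws CLI reports API errors on stderr
# Returns:   0 when every load balancer was checked, 1 if any API call failed
#######################################
check_elbv2() {
  local profile=$1
  local regions=$2
  local region arn raw arns listeners result rv=0
  echo "checking Elastic Load Balancers v2 ..."
  # Region names and ARNs contain no whitespace, so word-splitting both
  # newline-separated lists is safe.
  for region in $regions; do
    echo "region $region"
    # Capture each API call separately from jq so that a failed call is
    # reported rather than producing an empty result that reads as "OK".
    if ! raw="$( aws elbv2 describe-load-balancers --profile "$profile" --region "$region" )"; then
      echo -e "$RED ERROR: aws elbv2 describe-load-balancers failed; region not verified.$RESET"
      rv=1
      continue
    fi
    arns="$( jq -r '.LoadBalancers[].LoadBalancerArn' <<<"$raw" )"
    for arn in $arns; do
      echo " $arn"
      if ! listeners="$( aws elbv2 describe-listeners --load-balancer-arn "$arn" --profile "$profile" --region "$region" )"; then
        echo -e "$RED ERROR: aws elbv2 describe-listeners failed; load balancer not verified.$RESET"
        rv=1
        continue
      fi
      result="$( jq -r '.Listeners[].Certificates[]? | select( .CertificateArn | test(":iam:.*server-certificate")) | .CertificateArn' <<<"$listeners" )"
      if [[ -z "$result" ]]; then
        echo -e "$GREEN OK.$RESET"
      else
        echo -e "$RED FOUND.$RESET"
        indent_print " " "$result"
      fi
    done
  done
  echo "done."
  echo
  return "$rv"
}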
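#######################################
# Report Elastic Beanstalk environments whose configuration references an
# IAM server certificate, per region and per application/environment.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
#            $2 - region names, one per line
# Outputs:   status lines on stdout; the aws CLI reports API errors on stderr
# Returns:   0 when every environment was checked, 1 if any API call failed
#######################################
check_eb() {
  local profile=$1
  local regions=$2
  local region raw app env settings result rv=0
  echo "checking Elastic Beanstalk ..."
  # Region names contain no whitespace, so word-splitting the list is safe.
  for region in $regions; do
    echo "region $region"
    # Capture each API call separately from jq so that a failed call is
    # reported rather than producing an empty result that reads as "OK".
    if ! raw="$( aws elasticbeanstalk describe-environments --profile "$profile" --region "$region" )"; then
      echo -e "$RED ERROR: aws elasticbeanstalk describe-environments failed; region not verified.$RESET"
      rv=1
      continue
    fi
    # Emit application/environment pairs as tab-separated rows and read
    # them line by line: the previous word-split CSV loop broke any
    # application name that contained a space.
    while IFS=$'\t' read -r app env; do
      [[ -n "$app" ]] || continue
      echo " $app - $env"
      # stdin is the here-string feeding the loop; give the CLI /dev/null
      # so it cannot consume the remaining rows.
      if ! settings="$( aws elasticbeanstalk describe-configuration-settings --application-name "$app" --environment-name "$env" --profile "$profile" --region "$region" < /dev/null )"; then
        echo -e "$RED ERROR: aws elasticbeanstalk describe-configuration-settings failed; environment not verified.$RESET"
        rv=1
        continue
      fi
      result="$( jq -r '.ConfigurationSettings[].OptionSettings[] | select( .Value | strings | test(":iam:.*:server-certificate") ) | .Value ' <<<"$settings" )"
      if [[ -z "$result" ]]; then
        echo -e "$GREEN OK.$RESET"
      else
        echo -e "$RED FOUND.$RESET"
        indent_print " " "$result"
      fi
    done <<<"$( jq -r '.Environments[] | [.ApplicationName, .EnvironmentName] | @tsv' <<<"$raw" )"
  done
  echo "done."
  echo
  return "$rv"
}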
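#######################################
# Report API Gateway custom domain names that have no certificateArn,
# i.e. ones not backed by an ACM certificate, per region.
# Globals:   RED, GREEN, RESET (read)
# Arguments: $1 - AWS CLI profile name
#            $2 - region names, one per line
# Outputs:   status lines on stdout; the aws CLI reports API errors on stderr
# Returns:   0 when every region was checked, 1 if any API call failed
#######################################
check_api_gateway() {
  local profile=$1
  local regions=$2
  local region raw result rv=0
  # Message typo ("chcking") fixed.
  echo "checking API Gateway ..."
  # Region names contain no whitespace, so word-splitting the list is safe.
  for region in $regions; do
    echo "region $region"
    # Capture the API call separately from jq so that a failed call is
    # reported rather than producing an empty result that reads as "OK".
    if ! raw="$( aws apigateway get-domain-names --profile "$profile" --region "$region" )"; then
      echo -e "$RED ERROR: aws apigateway get-domain-names failed; region not verified.$RESET"
      rv=1
      continue
    fi
    result="$( jq -r '.items[] | select( has("certificateArn") | not ) | .domainName' <<<"$raw" )"
    if [[ -z "$result" ]]; then
      echo -e "$GREEN OK.$RESET"
    else
      echo -e "$RED FOUND.$RESET"
      indent_print " " "$result"
    fi
  done
  echo "done."
  echo
  return "$rv"
}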
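# Entry point: run every check (CloudFront, Elastic Load Balancer v1/v2,
# Elastic Beanstalk, API Gateway) against each profile named on the
# command line.
#
# The region list is fetched once and reused for all profiles. It is fetched
# with the default credentials, not with the first profile —
# NOTE(review): confirm that is intended; a machine without a default
# profile cannot list regions this way.
regions="$( aws ec2 describe-regions | jq -r '.Regions[].RegionName' )"
# Without this guard a failed describe-regions call leaves $regions empty,
# every regional loop runs zero times, and the run prints "done." for each
# service as if nothing had been found.
if [[ -z "$regions" ]]; then
  echo "could not list regions via \`aws ec2 describe-regions\`; aborting." >&2
  exit 1
fi

for profile in "$@"; do
  # Stop at the first empty argument, as the original shift loop did.
  [[ -n "$profile" ]] || break
  echo
  echo "##############################"
  echo
  echo "checking profile $profile"
  echo
  echo "##############################"
  echo
  check_cloudfront "$profile"
  check_elb "$profile" "$regions"
  check_elbv2 "$profile" "$regions"
  check_eb "$profile" "$regions"
  check_api_gateway "$profile" "$regions"
done
exit 0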