@jasonmcintosh
Last active December 18, 2018 20:28
Find Route53 records pointing to CloudFront with NO aliases (allows domain hijacking)
#!/usr/bin/env bash
###########################################################################################################
## Requires: jq, awk, sed, aws-cli - and that you are using creds for the aws account you want to connect to
###########################################################################################################
function evaluateMissingAliasesInCloudFront() {
#INFO: This has been tested with the following use cases...
#INFO: * RECORD (CNAME) -> CF Distro
#INFO: * RECORD (A) -> CF Distro
#INFO: * RECORD (CNAME) -> RECORD(A) -> CF Distro
#INFO: Note that Alias records are "A" records
# Every alternate domain name (CNAME) configured on any distribution, one per line.
# .DistributionList.Items[]? yields nothing instead of a jq error when the account has no distributions.
ALIASES=$(aws cloudfront list-distributions | jq -r '.DistributionList.Items[]? | select(.Aliases.Items != null) | .Aliases.Items[]')
#echo "INFO: Evaluating aliases $ALIASES for missing Route53 records"
# Public hosted zones only. .Id is "/hostedzone/ZXXXXXXXX"; keep the last path element.
ZONE_IDS=$(aws route53 list-hosted-zones | jq -r '.HostedZones[] | select(.Config.PrivateZone == false) | .Id' | awk -F/ '{print $3}')
for zoneId in $ZONE_IDS; do
  RRSETS=$(aws route53 list-resource-record-sets --hosted-zone-id "$zoneId")
  ## Attack vector 1 - someone has a cname to a record that points to CF. CF misses this record, and someone else can take over the CNAME CF Distro
  ## One "<cname target>,<record name>" pair per line, trailing dots stripped from both names.
  CNAMES=$(echo "$RRSETS" | jq -r '.ResourceRecordSets[] | select(.Type == "CNAME") | "\(.ResourceRecords[0].Value),\(.Name)"' | sed -e 's/\.,/,/g' -e 's/\.$//')
  ## Attack vector 2 - someone has a Route53 ALIAS record pointing to CF, but no alias in CF for that record.
  RECS=$(echo "$RRSETS" | jq -r '.ResourceRecordSets[] | select(.Type == "A") | select(.AliasTarget.DNSName != null) | select(.AliasTarget.DNSName | contains(".cloudfront.net")) | .Name' | sed 's/\.$//')
  echo "INFO: Looking for Route53 ALIAS records missing a CF alias"
  for rec in $RECS; do
    #echo "INFO: Looking to see if $rec has a CF Alias"
    # -F = fixed string, -x = whole line: "a.example.com" must not match "zza.example.com"
    if ! echo "$ALIASES" | grep -qFx "$rec"; then
      echo "FAILED: Found Route53 record pointing to CloudFront with NO CloudFront alias for the record! $rec"
    fi
  done
  echo "INFO: Looking for CNAMES missing a CF alias"
  for cname in $CNAMES; do
    AREC=${cname%%,*}        # CNAME target
    R53_RECORD=${cname#*,}   # Route53 record name
    # A name that is already a CloudFront alias is not hijackable; skip it.
    if echo "$ALIASES" | grep -qFx "$R53_RECORD"; then
      continue
    fi
    ## Evaluate if the destination points to a CF Distro...
    if echo "$AREC" | grep -q 'cloudfront\.net$'; then
      echo "FAILED: Found a $R53_RECORD CNAME that points to $AREC (CF Distro) and CF is missing the alias. Another account could create a CF distro with the cname and hijack our content"
    ## Check the chain... look for a pointer to a record which points to CF
    elif echo "$RECS" | grep -qFx "$AREC"; then
      echo "FAILED: Found a $R53_RECORD CNAME -> $AREC ALIAS -> CF, but CF is missing an alias for $R53_RECORD. Another account could create a CF distro with the alias and hijack our content"
    fi
  done
done
}
evaluateMissingAliasesInCloudFront
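An added, offline version of the same check (not part of the gist) that runs the matching logic over the JSON returned by `aws cloudfront list-distributions` and `aws route53 list-resource-record-sets`, so it can be exercised against saved command output without jq or live credentials. The two sample documents, the distribution IDs and the example.com names are constructed; like the script, it reads only the first value of a CNAME and follows a chain one hop (CNAME -> Route53 ALIAS -> CloudFront), and it does not expand wildcard CloudFront aliases such as `*.example.com`.

```python
import json

# Constructed sample (not real account data) in the shape of
# `aws cloudfront list-distributions`, trimmed to the fields the check reads.
# The second distribution has no Aliases.Items at all, which is what the
# `select(.Aliases.Items != null)` in the shell script guards against.
CLOUDFRONT_JSON = """{
  "DistributionList": {"Quantity": 2, "Items": [
    {"Id": "EXAMPLE1", "DomainName": "d111111abcdef8.cloudfront.net",
     "Aliases": {"Quantity": 2, "Items": ["www.example.com", "static.example.com"]}},
    {"Id": "EXAMPLE2", "DomainName": "d333333abcdef8.cloudfront.net",
     "Aliases": {"Quantity": 0}}
  ]}
}"""

# Constructed sample in the shape of `aws route53 list-resource-record-sets`.
# Z2FDTNDATAQYW2 is the hosted zone ID AWS uses for every CloudFront alias target.
ROUTE53_JSON = """{
  "ResourceRecordSets": [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "www.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2",
                     "DNSName": "d111111abcdef8.cloudfront.net.", "EvaluateTargetHealth": false}},
    {"Name": "img.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2",
                     "DNSName": "d222222abcdef8.cloudfront.net.", "EvaluateTargetHealth": false}},
    {"Name": "static.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    {"Name": "cdn.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    {"Name": "assets.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "www.example.com"}]},
    {"Name": "mail.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "mail.provider.example"}]}
  ]
}"""


def _norm(name):
    """Route53 returns FQDNs with a trailing dot, and DNS names are case-insensitive."""
    return name.rstrip(".").lower()


def _is_cloudfront_host(host):
    """True for a distribution domain such as dXXXX.cloudfront.net."""
    return _norm(host).endswith(".cloudfront.net")


def cloudfront_aliases(cf):
    """Every alternate domain name configured on any distribution in the account."""
    aliases = set()
    for dist in cf.get("DistributionList", {}).get("Items", []):
        for alias in dist.get("Aliases", {}).get("Items", []) or []:
            aliases.add(_norm(alias))
    return aliases


def dangling_cloudfront_records(cf_json_text, r53_json_text):
    """Return sorted (record name, kind, target) tuples for Route53 names that
    resolve to CloudFront but are not an alias on any distribution."""
    aliases = cloudfront_aliases(json.loads(cf_json_text))
    records = json.loads(r53_json_text)["ResourceRecordSets"]

    alias_to_cf = {}  # Route53 ALIAS (A) record name -> CloudFront domain
    cnames = {}       # CNAME record name -> its first target
    for rr in records:
        name = _norm(rr["Name"])
        if rr["Type"] == "A" and "AliasTarget" in rr and _is_cloudfront_host(rr["AliasTarget"]["DNSName"]):
            alias_to_cf[name] = _norm(rr["AliasTarget"]["DNSName"])
        elif rr["Type"] == "CNAME":
            cnames[name] = _norm(rr["ResourceRecords"][0]["Value"])

    findings = []
    # Attack vector 2 in the script: ALIAS record -> CloudFront, no matching alias on the distribution.
    for name, target in alias_to_cf.items():
        if name not in aliases:
            findings.append((name, "ALIAS", target))
    # Attack vector 1: CNAME -> CloudFront directly, or CNAME -> ALIAS record -> CloudFront.
    for name, target in cnames.items():
        if name in aliases:
            continue  # CloudFront will answer for this Host header; nothing to claim
        if _is_cloudfront_host(target):
            findings.append((name, "CNAME", target))
        elif target in alias_to_cf:
            findings.append((name, "CNAME->ALIAS", target))
    return sorted(findings)


if __name__ == "__main__":
    for name, kind, target in dangling_cloudfront_records(CLOUDFRONT_JSON, ROUTE53_JSON):
        print(f"FAILED: {name} ({kind} -> {target}) reaches CloudFront but no distribution lists it as an alias")
```

To run it against a real account, save the output of the two aws commands to files and pass their contents in place of the constructed strings; the report lines correspond one to one with the FAILED messages the shell script prints. Fixing a finding means either adding the name as an alternate domain name on the distribution that should serve it or deleting the stale Route53 record.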
@jasonmcintosh
https://www.mindpointgroup.com/blog/pen-test/cloudfront-hijacking/ for more info... script is a work in progress!