Created
May 6, 2021 21:43
-
-
Save jonrau1/91e852b30cc9c1a18a6ac2bbc78f5299 to your computer and use it in GitHub Desktop.
Use Yelp's Detect-Secrets to find API keys, passwords, AWS access keys, or high entropy strings in EC2 User Data
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| https://github.com/Yelp/detect-secrets | |
| pip3 install --upgrade pip | |
| pip3 install --upgrade awscli | |
| pip3 install --upgrade boto3 | |
| pip3 install --upgrade detect-secrets | |
| ''' | |
| import json | |
| import boto3 | |
| import os | |
| import time | |
| import base64 | |
| scanFile = "./data-sample.json" | |
| resultsFile = "./scan-result.json" | |
| scanCommand = "detect-secrets scan " + scanFile + " > " + resultsFile | |
| ec2 = boto3.client("ec2") | |
| # Paginate through Running and Stopped EC2 Instances | |
| paginator = ec2.get_paginator("describe_instances") | |
| for page in paginator.paginate(Filters=[{'Name': 'instance-state-name','Values': ['running','stopped']}]): | |
| for r in page["Reservations"]: | |
| for i in r["Instances"]: | |
| instanceId = str(i["InstanceId"]) | |
| try: | |
| response = ec2.describe_instance_attribute(Attribute="userData",InstanceId=instanceId) | |
| idata = response["UserData"]["Value"] | |
| except Exception as e: | |
| if str(e) == "'Value'": | |
| continue | |
| else: | |
| print(e) | |
| continue | |
| userdata = base64.b64decode(idata) | |
| with open(scanFile, 'w') as writejson: | |
| json.dump({"value": str(userdata)}, writejson, indent=2, default=str) | |
| # execute command | |
| os.system(scanCommand) | |
| time.sleep(1) | |
| # read the results file | |
| with open(resultsFile, 'r') as readjson: | |
| data = json.load(readjson) | |
| # if results is an empty dict then there are no secrets found! | |
| if str(data["results"]) == "{}": | |
| # this is a passing check | |
| print('All good for ' + instanceId) | |
| else: | |
| # this is a failing check - we won't actually parse the full payload of potential secrets | |
| secretType = str(data["results"]["data-sample.json"][0]["type"]) | |
| print('Not good for ' + instanceId + ' at least one secret has been found of the type ' + secretType) | |
| # clear out memory and prevent duplicates from being cached | |
| os.system("rm " + scanFile) | |
| os.system("rm " + resultsFile) | |
| del userdata | |
| del writejson | |
| del readjson | |
| del data |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment