
Kinnaird McQuade kmcquade

@kmcquade
kmcquade / open-jira-ticket-v2.py
Created Mar 14, 2021
Revised script for Kittoh
View open-jira-ticket-v2.py
from jira import JIRA
import click
import getpass
ISSUE_SUMMARY = "Overly permissive AWS IAM Policies in use"
ISSUE_DESCRIPTION = """As part of our security assessment, our team ran Cloudsplaining on your AWS account.
Cloudsplaining maps out the IAM risk landscape in a report, identifies where resource ARN constraints are not used, and
identifies other risks in IAM policies like Privilege Escalation, Data Exfiltration, and Resource Exposure.
View resume.json
{
"basics": {
"email": "kinnairdm@gmail.com",
"image": "https://avatars.githubusercontent.com/u/3422255?s=400\u0026u=3aa6c1944134c93d3eb1500028e54826ce561f7f\u0026v=4",
"label": "Lead Security Engineer",
"location": {
"city": "San Francisco",
"countryCode": "US",
"region": "California"
},
View iam-role-enumeration.md

This only works when you have the victim account ID. For this example, let's say that the victim account ID is 999988887777.

Create a test role

First, create a role that we can use for this demo. This role is in your own account.

aws iam create-role --role-name test-enumeration \
    --assume-role-policy-document '{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "ec2.amazonaws.com"},"Action": "sts:AssumeRole"}]}'
View compliance_statuses.csv
service_prefix name SOC PCI ISO FedRAMP_High FedRAMP_Moderate HIPAA HITRUST IRAP OSPAR FINMA
a4b Alexa for Business true
access-analyzer IAM Access Analyzer
account AWS Accounts true true true true true true true true true
acm AWS Certificate Manager true true true true true true true true true
acm-pca AWS Certificate Manager Private Certificate Authority
activate AWS Activate
airflow Amazon Managed Workflows for Apache Airflow
amplify AWS Amplify true true true true true true
amplifybackend AWS Amplify Admin true true true true true true
@kmcquade
kmcquade / git_clone_and_open_in_pycharm.py
Created Jan 9, 2021
git clones a repository into $HOME/Code/github.com/username/repository and then opens it in PyCharm, all in one command
View git_clone_and_open_in_pycharm.py
#!/usr/bin/env python3
# git clones a repository into $HOME/Code/github.com/username/repository and then opens it in PyCharm, all in one command
# Example:
"""
git_clone_open_in_pycharm.py -u git@github.com:pyupio/pyup.git
# This will create $HOME/Code/github.com/username/repository
"""
import os
import subprocess
import argparse
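The header comment describes the one non-obvious step in the script: turning a remote URL into a checkout directory under $HOME/Code/<host>/<owner>/<repo>. The following is an added example of that derivation, not the gist's own code. It accepts the scp-style SSH form the comment shows (git@github.com:pyupio/pyup.git) and URL forms (https://, ssh://), and rejects anything else, including an owner or repo segment that would traverse out of the code root, before the path is handed to git. CODE_ROOT, the function names and the regexes are this example's own assumptions.

```python
# Added example (not the gist's code): derive the checkout directory the gist's
# header comment describes, $HOME/Code/<host>/<owner>/<repo>, from a git remote URL.
import os
import re
from urllib.parse import urlparse

# Assumed base directory, matching the gist's $HOME/Code layout.
CODE_ROOT = os.path.join(os.path.expanduser("~"), "Code")

# scp-style remote: [user@]host:path[.git]
_SCP_STYLE = re.compile(r"^(?:[\w.-]+@)?(?P<host>[\w.-]+):(?P<path>[^:]+)$")
# a single path segment that is safe to use as a directory name
_SAFE_SEGMENT = re.compile(r"^[\w.-]+$")


def parse_remote(url: str):
    """Return (host, owner, repo) for a git remote URL, or raise ValueError."""
    if "://" in url:
        parsed = urlparse(url)
        if parsed.scheme not in ("https", "http", "ssh", "git") or not parsed.hostname:
            raise ValueError(f"unsupported remote URL: {url!r}")
        host, path = parsed.hostname, parsed.path
    else:
        m = _SCP_STYLE.match(url)
        if not m:
            raise ValueError(f"unsupported remote URL: {url!r}")
        host, path = m.group("host"), m.group("path")
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    parts = path.split("/")
    # Exactly owner/repo, each a plain directory name, and never "." or "..":
    # the result is joined onto CODE_ROOT, so traversal here would escape it.
    if len(parts) != 2 or not all(_SAFE_SEGMENT.match(p) for p in parts):
        raise ValueError(f"expected owner/repo, got {path!r}")
    owner, repo = parts
    if owner in (".", "..") or repo in (".", ".."):
        raise ValueError(f"refusing path traversal in {url!r}")
    return host, owner, repo


def is_supported_remote(url: str) -> bool:
    """True if parse_remote would accept the URL."""
    try:
        parse_remote(url)
    except ValueError:
        return False
    return True


def clone_destination(url: str, root: str = CODE_ROOT) -> str:
    """<root>/<host>/<owner>/<repo>, e.g. ~/Code/github.com/pyupio/pyup."""
    host, owner, repo = parse_remote(url)
    return os.path.join(root, host, owner, repo)


def clone_command(url: str, root: str = CODE_ROOT):
    """The argv list a script like the gist's would pass to subprocess.run (not executed here)."""
    return ["git", "clone", url, clone_destination(url, root)]


if __name__ == "__main__":
    import sys

    remote = sys.argv[1] if len(sys.argv) > 1 else "git@github.com:pyupio/pyup.git"
    print(" ".join(clone_command(remote)))
```

The segment checks matter because the script builds a filesystem path from a user-supplied string: without them, a remote such as `git@github.com:../x.git` would produce a clone target outside the code root.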
View calculating-golang-dependencies.md
  • To list all dependencies (excluding the standard library):
# standard-library packages, one per line
go list std | tr -d "\[|\]" | tr " " "\n" | sort -u > std-library
# every transitive dependency; {{.Deps}} prints as a bracketed, space-separated slice, hence the tr calls
go list -f '{{.Deps}}' | tr -d "\[|\]" | tr " " "\n" | sort -u > all-dependencies
# std-library is fed twice so every std package repeats and uniq -u drops it, leaving only non-std dependencies
sort std-library std-library all-dependencies | uniq -u

Others:

@kmcquade
kmcquade / ecr-registry-enforcement.json
Last active Dec 14, 2020
The Policy below prevents the account from self-managing container images. Users and Roles in the account cannot upload any container images unless the registry is owned by an approved ECR account ID.
View ecr-registry-enforcement.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PreventSelfManagedImages",
"Action": [
"ecr:BatchDeleteImage",
"ecr:CompleteLayerUpload",
"ecr:Create*",
"ecr:Delete*",
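The policy above enforces the rule on the registry side (nobody in the account can push). A consumer-side check with the same intent, so that a build or manifest referencing an image outside the approved registry account fails before deployment, is added here as an example; it is not part of the gist. The image references and the approved account ID 111122223333 are constructed placeholders, and the parser follows the Docker reference grammar (first path component is a registry only if it contains "." or ":" or is "localhost").

```python
# Added example (not the gist's policy): reject image references whose registry
# is not a private ECR registry owned by an approved account.
import re

APPROVED_ECR_ACCOUNTS = {"111122223333"}  # constructed placeholder; use your registry account ID(s)

# Private ECR registry hostnames: <account>.dkr.ecr[-fips].<region>.amazonaws.com[.cn]
_ECR_HOST = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr(?:-fips)?\.(?P<region>[a-z0-9-]+)\.amazonaws\.com(?:\.cn)?$"
)


def parse_image_ref(image: str):
    """Split an image reference into (registry, name, tag, digest).

    The first path component is treated as a registry only if it contains '.'
    or ':' or is 'localhost'; otherwise the reference is an unqualified Docker
    Hub name and registry is returned as None.
    """
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    first, sep, rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest
    else:
        registry, name = None, image
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:  # only the last component may carry a tag
        name, tag = name.rsplit(":", 1)
    return registry, name, tag, digest


def ecr_account(registry):
    """Return the 12-digit account ID if registry is a private ECR host, else None."""
    if registry is None:
        return None
    m = _ECR_HOST.match(registry)
    return m.group("account") if m else None


def image_allowed(image: str, approved=APPROVED_ECR_ACCOUNTS):
    """Return (allowed, reason). Only images from an approved ECR account pass."""
    registry, _name, _tag, _digest = parse_image_ref(image)
    account = ecr_account(registry)
    if account is None:
        return False, f"{image}: {registry or 'docker.io'} is not a private ECR registry"
    if account not in approved:
        return False, f"{image}: ECR account {account} is not approved"
    return True, f"{image}: ECR account {account} approved"


def check_manifest(images, approved=APPROVED_ECR_ACCOUNTS):
    """Return rejection reasons for a list of image references (empty means all allowed)."""
    rejected = []
    for img in images:
        ok, reason = image_allowed(img, approved)
        if not ok:
            rejected.append(reason)
    return rejected


if __name__ == "__main__":
    # Constructed sample manifest: one approved image, one from the wrong account, one from Docker Hub.
    sample = [
        "111122223333.dkr.ecr.us-east-1.amazonaws.com/app:1.2.3",
        "999988887777.dkr.ecr.us-east-1.amazonaws.com/app:latest",
        "nginx:latest",
    ]
    for line in check_manifest(sample):
        print("REJECT", line)
```

The hostname regex is anchored at both ends on purpose: `111122223333.dkr.ecr.us-east-1.amazonaws.com.evil.example/app` must not pass as a prefix match.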
@kmcquade
kmcquade / nuke-azure.sh
Last active Nov 5, 2020
Nuke every Azure resource group in every Azure subscription
View nuke-azure.sh
#!/usr/bin/env bash
# Iterate every subscription visible to the logged-in identity and delete every
# resource group in it. Destructive and irreversible: --yes skips the confirmation
# prompt and --no-wait returns before the deletion finishes.
for sub in $(az account list | jq -r '.[].id'); do
  for rg in $(az group list --subscription "$sub" | jq -r '.[].name'); do
    az group delete --name "$rg" --subscription "$sub" --no-wait --yes
  done
done
@kmcquade
kmcquade / exploit-explanation.tf
Last active Oct 30, 2020
Explanation: Recursively nuke things from a CICD build agent running Terraform with Azure God mode permissions
View exploit-explanation.tf
resource "null_resource" "nuke" {
# Because we set this to timestamp, it *always* runs :D
triggers = {
party_like_its_jan_1_1970 = timestamp()
}
provisioner "local-exec" {
# Pseudocode for some bash magic that:
# 1. gets a list of all subscriptions
# 2. For each subscription, list the resource groups
@kmcquade
kmcquade / input-serverless-iam-user.yml
Last active Oct 30, 2020
Policy Sentry template to deploy a full-stack serverless app (Lambda functions, API Gateway, CloudFront distribution, and S3 objects)
View input-serverless-iam-user.yml
mode: crud
name: 'ServerlessAppDeployAutomationUser'
# Specify resource ARNs
read:
- 'arn:aws:execute-api:*:*:*/*/*/*'
- 'arn:aws:lambda:*:*:function:cloudsplaining-*'
- 'arn:aws:s3:::cloudsplaining-serverless-*/*'
- 'arn:aws:cloudfront::*:distribution/mydistributionid'
write:
- 'arn:aws:execute-api:*:*:*/*/*/*'