sg script
#!/usr/local/bin/python3
from __future__ import print_function

import csv
import json
import sys

import boto3
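# Dump every security-group rule in the given regions as CSV, one row per
# (group, direction, protocol, port, source/destination).  Meant as an
# audit export: each row shows which ENIs the group is attached to, so a
# permissive rule can be tied back to real workloads.
#
# Output goes to stdout.  Regions are taken from the command line
# (``sg.py us-east-1 eu-west-1``) and default to DEFAULT_REGIONS.

CSV_HEADER = (
    "Group-Name",
    "Group-ID",
    "ENIs",
    "In/Out",
    "Protocol",
    "Port",
    "Source/Destination",
    "Description",
)

# Regions scanned when none are given on the command line.
DEFAULT_REGIONS = ["ap-northeast-1"]

# Leading characters that spreadsheet applications interpret as a formula.
# Group names and rule descriptions are free text chosen by whoever can edit
# the group, so they are neutralised before being written (CSV injection).
_FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def safe_cell(text):
    """Return *text* with a leading apostrophe if it would start a spreadsheet formula.

    Only applied to free-text cells (group name, description).  Empty strings
    and cells starting with any other character are returned unchanged.
    """
    text = "" if text is None else str(text)
    if text.startswith(_FORMULA_PREFIXES):
        return "'" + text
    return text


def protocol_label(rule):
    """Return the human-readable protocol for a rule: ``All`` for ``-1``, else IpProtocol as-is."""
    protocol = rule["IpProtocol"]
    return "All" if protocol == "-1" else protocol


def port_label(rule):
    """Return the port cell for a rule.

    * ``All`` for protocol ``-1`` and for protocols that carry no port
      (the API omits FromPort/ToPort for e.g. protocol number 50/ESP; the
      original script crashed with KeyError on those).
    * ICMP/ICMPv6: ``N/A`` for "all types", otherwise ``type/code`` with
      ``all`` for code -1 (FromPort is the type, ToPort the code).
    * Otherwise the single port, or ``from-to`` for a range.  The earlier
      version printed only ToPort, which made a 0-65535 rule look like
      a single port 65535.
    """
    protocol = rule["IpProtocol"]
    if protocol == "-1" or "FromPort" not in rule:
        return "All"
    from_port = rule["FromPort"]
    to_port = rule["ToPort"]
    if protocol in ("icmp", "icmpv6"):
        if from_port == -1:
            return "N/A"
        return "%s/%s" % (from_port, "all" if to_port == -1 else to_port)
    if to_port == -1:
        return "N/A"
    if from_port == to_port:
        return str(to_port)
    return "%s-%s" % (from_port, to_port)


def rule_rows(rule, direction):
    """Yield ``(direction, protocol, port, source, description)`` for every peer of *rule*.

    A single IpPermission can list several IPv4 ranges, IPv6 ranges, managed
    prefix lists and referenced security groups; each becomes its own row.
    Prefix-list peers were silently dropped by the earlier version, so rules
    whose only source is a prefix list never appeared in the audit.
    Missing descriptions are emitted as an empty cell so every row has the
    same number of columns.
    """
    protocol = protocol_label(rule)
    port = port_label(rule)
    peers = (
        ("IpRanges", "CidrIp"),
        ("Ipv6Ranges", "CidrIpv6"),
        ("PrefixListIds", "PrefixListId"),
        # NOTE(review): UserIdGroupPairs also carry UserId / PeeringStatus /
        # VpcPeeringConnectionId, which distinguish a foreign-account or
        # peered group from a local one; add them if the audit needs that.
        ("UserIdGroupPairs", "GroupId"),
    )
    for list_key, id_key in peers:
        for peer in rule.get(list_key, []):
            yield (direction, protocol, port, peer[id_key], peer.get("Description", ""))


def security_group_rows(sg, eni_ids):
    """Yield one CSV row (8-tuple matching CSV_HEADER) per ingress and egress peer of *sg*.

    *eni_ids* is the pre-computed, space-separated list of network interfaces
    the group is attached to (``""`` when unattached).
    """
    name = safe_cell(sg["GroupName"])
    group_id = sg["GroupId"]
    for direction, key in (("Inbound", "IpPermissions"), ("Outbound", "IpPermissionsEgress")):
        for rule in sg.get(key, []):
            for _, protocol, port, source, description in rule_rows(rule, direction):
                yield (name, group_id, eni_ids, direction, protocol, port, source, safe_cell(description))


def eni_ids_by_group(interfaces):
    """Map security-group id -> space-joined ids of the ENIs that carry that group.

    Built once per region from a full DescribeNetworkInterfaces listing, which
    replaces the one-API-call-per-group lookup of the earlier version (an
    N+1 pattern that hits the EC2 request rate limit on large accounts).
    """
    by_group = {}
    for eni in interfaces:
        for group in eni.get("Groups", []):
            by_group.setdefault(group["GroupId"], []).append(eni["NetworkInterfaceId"])
    return {gid: " ".join(ids) for gid, ids in by_group.items()}


def paginate(client, operation, result_key, **kwargs):
    """Yield every item under *result_key* across all pages of *operation*.

    Uses the boto3 paginator so the export is complete regardless of the
    service's page size / MaxResults defaults.
    """
    for page in client.get_paginator(operation).paginate(**kwargs):
        for item in page.get(result_key, []):
            yield item


def main(argv=None):
    """Write the CSV report for the regions in *argv* (default: sys.argv[1:] or DEFAULT_REGIONS).

    Requires ec2:DescribeSecurityGroups and ec2:DescribeNetworkInterfaces in
    each region; boto3 raises botocore.exceptions.ClientError otherwise.
    """
    regions = (sys.argv[1:] if argv is None else list(argv)) or DEFAULT_REGIONS
    # csv handles quoting of commas/quotes inside descriptions, which the
    # previous "%s,%s,..." formatting did not; keep "\n" line endings as before.
    writer = csv.writer(sys.stdout, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    for region in regions:
        ec2 = boto3.client("ec2", region)
        enis = eni_ids_by_group(paginate(ec2, "describe_network_interfaces", "NetworkInterfaces"))
        for sg in paginate(ec2, "describe_security_groups", "SecurityGroups"):
            for row in security_group_rows(sg, enis.get(sg["GroupId"], "")):
                writer.writerow(row)


if __name__ == "__main__":
    main()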