from __future__ import print_function

import sys

import boto3
  2.  
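# Ranges that you define as public subnets in AWS go here: dotted prefixes,
# e.g. '10.128.0' for 10.128.0.0/24. Keep this in sync with the VPC — an
# instance in a public subnet that is not listed here is never reported.
_DEFAULT_PUBLIC_SUBNET_RANGES = ('10.128.0', '192.168.0', '172.16.0')


def _in_public_subnet(private_ip, public_subnet_ranges):
    """Return True if ``private_ip`` lies under one of the dotted prefixes.

    Matching is on whole octets ('10.128.0' matches 10.128.0.7, not
    10.128.01.7 or 110.128.0.7); a missing address (``None``/'') never matches.
    """
    if not private_ip:
        return False
    return any(private_ip.startswith(prefix.rstrip('.') + '.')
               for prefix in public_subnet_ranges)


def _tag_value(tags, key, default="None"):
    """Return the value of tag ``key`` from a boto3 tag list, or ``default``."""
    # instance.tags is None (not []) when the instance carries no tags.
    for tag in tags or ():
        if tag.get('Key') == key:
            return tag.get('Value', default)
    return default


def find_public_addresses(ec2, public_subnet_ranges=None):
    """Collect running instances on a public subnet that carry a public IP.

    Only instances whose private address falls into ``public_subnet_ranges``
    are considered: if it does not, Internet ingress cannot reach the instance
    directly even with a public IP attached, so it is skipped entirely.

    Args:
        ec2: boto3 EC2 *resource* (``session.resource('ec2')``). Only
            ``ec2.instances.filter`` and the per-instance attributes ``id``,
            ``private_ip_address``, ``public_ip_address``, ``tags``,
            ``key_name`` and ``security_groups`` are read.
        public_subnet_ranges: iterable of dotted prefixes of your public
            subnets; defaults to ``_DEFAULT_PUBLIC_SUBNET_RANGES``.

    Returns:
        ``(public_instances, instance_public_ips, instance_private_ips,
        instance_ident)`` — four dicts keyed by instance id.
        ``public_instances`` maps id -> list of security group ids, and the two
        ``*_ips`` dicts map id -> address, all three only for instances that
        have a public IP. ``instance_ident`` maps id -> a
        "Name/Keypair/Owner" description for every instance on a public
        subnet, public IP or not.
    """
    if public_subnet_ranges is None:
        public_subnet_ranges = _DEFAULT_PUBLIC_SUBNET_RANGES

    public_instances = {}
    instance_public_ips = {}
    instance_private_ips = {}
    instance_ident = {}

    # Only running instances answer inbound traffic; stopped ones would just
    # add noise to the report.
    instances = ec2.instances.filter(
        Filters=[{'Name': 'instance-state-name', 'Values': ['running']}])

    for instance in instances:
        private_ip = instance.private_ip_address
        if not _in_public_subnet(private_ip, public_subnet_ranges):
            continue

        # Comment the OwnerEmail lookup out if you do not tag your instances
        # with it; untagged values render as the literal "None".
        instance_ident[instance.id] = "Name: %s\n\tKeypair: %s\n\tOwner: %s" % (
            _tag_value(instance.tags, "Name"),
            instance.key_name,
            _tag_value(instance.tags, "OwnerEmail"),
        )

        if instance.public_ip_address is None:
            continue
        public_instances[instance.id] = [
            sg['GroupId'] for sg in instance.security_groups]
        instance_public_ips[instance.id] = instance.public_ip_address
        instance_private_ips[instance.id] = private_ip

    return (public_instances, instance_public_ips,
            instance_private_ips, instance_ident)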
  36.  
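# ICMP alone does not expose a service, so world-open ICMP rules are not
# reported; this prevents an instance being flagged for only ping being open.
_IGNORED_PROTOCOLS = ('icmp', 'icmpv6')
_ANYWHERE_V4 = '0.0.0.0/0'
_ANYWHERE_V6 = '::/0'


def _port_text(permission):
    """Render the port range of one IpPermission entry for the report.

    ``FromPort``/``ToPort`` are absent for protocol ``-1`` (all), giving ''.
    A single port renders as '22'; a real range as '8000-8080', so a rule that
    opens every port no longer reads as just '65535'.
    """
    if 'ToPort' not in permission:
        return ''
    to_port = permission['ToPort']
    from_port = permission.get('FromPort')
    if from_port is not None and from_port != to_port:
        return "%s-%s" % (from_port, to_port)
    return "%s" % to_port


def inspect_security_group(ec2, sg_id):
    """Return the inbound rules of security group ``sg_id`` open to the Internet.

    Args:
        ec2: boto3 EC2 resource; only ``ec2.SecurityGroup(sg_id).ip_permissions``
            (the *inbound* rule set) is read.
        sg_id: security group id.

    Returns:
        A list of ``"<cidr> <protocol> <ports>"`` strings, one per rule whose
        source is ``0.0.0.0/0`` or ``::/0``. Protocol ``-1`` is shown as
        ``All``; ICMP rules are skipped. Rules sourced from another security
        group, a prefix list, or a broad-but-not-zero CIDR are not treated as
        open by this check, so an empty result does not mean the group is tight.
    """
    sg = ec2.SecurityGroup(sg_id)

    open_cidrs = []
    for permission in sg.ip_permissions:
        ip_proto = permission.get('IpProtocol', '')
        if ip_proto == '-1':
            ip_proto = 'All'
        if ip_proto in _IGNORED_PROTOCOLS:
            continue
        ports = _port_text(permission)

        # IPv4 and IPv6 sources live in separate lists; ::/0 is just as
        # world-open as 0.0.0.0/0 and was previously missed.
        sources = [(r.get('CidrIp'), _ANYWHERE_V4)
                   for r in permission.get('IpRanges', [])]
        sources += [(r.get('CidrIpv6'), _ANYWHERE_V6)
                    for r in permission.get('Ipv6Ranges', [])]
        for cidr, anywhere in sources:
            if cidr == anywhere:
                open_cidrs.append("%s %s %s" % (cidr, ip_proto, ports))

    return open_cidrs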
  59.  
  60.  
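def main(argv=None):
    """Print public-subnet instances with a public IP whose groups admit the Internet.

    Usage: ``python <script> [AWS_PROFILE]``. Without an argument boto3 uses
    its default credential chain. The run only describes instances and
    security groups, so a read-only EC2 describe policy should be sufficient —
    NOTE(review): confirm against the IAM policy actually attached.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    # Profile comes from argv; None lets boto3 fall back to its defaults.
    profile_name = args[0] if args else None
    session = boto3.Session(profile_name=profile_name)
    ec2 = session.resource('ec2')

    (public_instances, instance_public_ips,
     instance_private_ips, instance_ident) = find_public_addresses(ec2)

    for instance in sorted(public_instances):
        # Gather every exposed group first so the instance header is printed
        # once rather than once per security group.
        exposed = []
        for sg_id in public_instances[instance]:
            open_cidrs = inspect_security_group(ec2, sg_id)
            if open_cidrs:  # only print if there are open cidrs
                exposed.append((sg_id, open_cidrs))
        if not exposed:
            continue
        print("==================================")
        print(" %s" % instance)
        print("==================================")
        print("\tprivate ip: %s\n\tpublic ip: %s\n\t%s" % (
            instance_private_ips[instance],
            instance_public_ips[instance],
            instance_ident[instance]))
        for sg_id, open_cidrs in exposed:
            print("\t==========================")
            print("\t open ingress rules (%s)" % sg_id)
            print("\t==========================")
            for cidr in open_cidrs:
                print("\t\t" + cidr)


if __name__ == "__main__":
    main()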