This is WIP: Work in Progress
Working with different AWS accounts, services, and regions, could become really difficult when starting to scale. If you want to have a complete picture about what is running, there is no easy way to do it, besides using diferent API calls. If you need to inventory, monitor, audit, or scan all of those resources from a single point, it's even harder.
This tool tries to solve this issue: by dynamically listing all AWS resources from any number of accounts, regions, and services all together, and providing this data in a sigle unified way, you can take bulk actions based on your needs.
Examples: list all resources that are publicly exposed, list all resources tagged in a certain way, list all resources not using encryption.
Each resource, indepently of the service, the account, or the region, could be listed in the same way and you can use them programatically to execute actions.
- Security Scanning: Scannning your resources using different tools like Nmap or Burp (eg: Automated scan with Burp and Nmap all Public EC2 IPs, all Public Route 53 CNAMEs, all your Public CloudFront Distribution, or all together)
- Inventory: Inventoring all resources or a set of resources
- Find: Finding anything across all resources to understand if it's part of your scope (like an IP, an IAM Key or an S3 Bucket)
- Statistics: Counting how many resources with a specific configuration you have across your scope
- SQS/S3: Integrating asynchronously with any other software you are already using, with S3 or SQS
To solve these challenges, the first step is to have a complete list of all resources across accounts, regions, and services. Describer Module takes care of that.
Information is downloaded and organized by resources, regardless of the account, the region, or the service:
{
"RESOURCE ARN": {
"account": "",
"identifier": "",
"region": "",
"service": "",
'data': List or Describe calls for the resource to fetch everything about it
}
}
By default Describer Module will fetch all available services, but you can limit these by using --services and --regions.
AVAILABLE_SERVICES = [ 'rds', 'ec2', 'elb', 'elbv2', 'es', 'cloudfront', 'route53', 's3' ]
Plugins use Describer data as input to execute actions. Actions can be whatever you need to do with that data.
Plugins can be configured for certain services only, for example, an IAM resource will not be scanned by the NMAP plugin.
Plugins can be combined without amount or order restriction using --plugins inventory public nmap
The following is the list of default plugins as part of the tool.
- Public
- Find
- Inventory
- Nmap
- Burp
Returns all public resources for AWS services
python3 rawsec.py -r eu-west-1 -p public: Returns all public resources for all services in regioneu-west-1for local accountpython3 rawsec.py -s ec2 -p public: Returns all public resources for serviceec2in all regions for local accountpython3 rawsec.py -p public -a 01234556789 9876543210 -ro SecurityAudit: Returns all public resources for all services in all regions for accounts01234556789and9876543210assumingSecurityAuditrole.
Finds a pattern across all resources
python3 rawsec.py -r eu-west-1 -p find -v find:127.0.0.1: Find IP127.0.0.1across all resources in regioneu-west-1python3 rawsec.py -s ec2 -p find -v find:127.0.0.1: Find IP127.0.0.1across serviceec2in all regionspython3 rawsec.py -p find -v find:127.0.0.1 -a 01234556789 9876543210 -ro SecurityAudit: Find IP127.0.0.1across all services in all regions for accounts01234556789and9876543210assumingSecurityAuditrole.
Lists all resources with all the data fetched
python3 rawsec.py -r eu-west-1 -p inventory: Return all resources for all services in regioneu-west-1python3 rawsec.py -s cloudfront -p inventory: Return all resources for servicecloudfrontin all regionspython3 rawsec.py -p inventory -a 01234556789 9876543210 -ro SecurityAudit: Return all resources for all services in all regions for accounts01234556789and9876543210assumingSecurityAuditrole.
Executes NMAp scan across public targets.
You can configure NMAP_ARGUMENTS for Nmap scans.
python3 rawsec.py -r eu-west-1 -p nmap: Executes NMAp scan across all public services in regioneu-west-1python3 rawsec.py -s cloudfront -p nmap: Executes NMAp scan for servicecloudfrontin all regionspython3 rawsec.py -p nmap -a 01234556789 9876543210 -ro SecurityAudit: Executes NMAp scan for all services in all regions for accounts01234556789and9876543210assumingSecurityAuditrole.
Executes Burp scan across public targets.
You need to have an Enterprise/Profesional Burp license to use this plugin and enable REST Api (user Options -> Misc -> Rest API). You need to configure SERVER_URL and API_KEY.
You can also configure options for Burp options scans. You can generate this json by using the Burp Library and then exporting.
python3 rawsec.py -r eu-west-1 -p burp: Executes Burp scan across all public services in regioneu-west-1python3 rawsec.py -s cloudfront -p burp: Executes Burp scan for servicecloudfrontin all regionspython3 rawsec.py -p burp -a 01234556789 9876543210 -ro SecurityAudit: Executes Burp scan for all services in all regions for accounts01234556789and9876543210assumingSecurityAuditrole.