Tool for scanning unsecure & unattached Security Groups on AWS environment.
SG Scanner

Scanning tool for unused, unattached or unsecure security groups on Amazon Web Services. A security group that is not attached to any network interface is reported as unused. In general, every security group bound to an AWS service (EC2, RDS, Lambda, Load Balancers, WorkSpaces, AppStream and others) is attached to a network interface, which is why an unattached group counts as unused. The security scan checks every security group rule for ports open to 0.0.0.0/0.

Requirements

Python 2.x or 3.x

Python libs: tabulate, boto3, argparse

Installation

$ pip install boto3
$ pip install tabulate
$ pip install argparse

Usage

SG Scanner uses an IAM role by default (when started from an EC2 instance). If you want to run it from an on-premise host, you have to pass credentials. A region must be given in both cases.

Using an IAM role:

$ python sgscanner.py region mode

Using credentials:

$ python sgscanner.py region mode --accesskey="yourAccessKey" --secretkey="yourSecretKey"

Usage examples:

$ python sgscanner.py eu-west-1 unattached
$ python sgscanner.py eu-west-1 unsecure --accesskey="ABCDEF" --secretkey="123456"
$ python sgscanner.py eu-west-1 unsecure --accesskey="ABCDEF" --secretkey="123456" --ignoreports="40,80,443"
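As an added example (not the project's own code), the two checks described at the top and the CLI arguments above, reimplemented in Python against the dict shapes boto3 returns from describe_security_groups and describe_network_interfaces; the SAMPLE_* data is constructed, and scan_region is an assumed wrapper that is the only part needing boto3 and AWS access:

```python
# Added example, not SG Scanner's own code: the checks behind the "unattached"
# and "unsecure" modes. SAMPLE_* data is constructed; only scan_region() talks
# to AWS (it assumes boto3 is installed and credentials or an IAM role exist).

def parse_ignore_ports(spec):
    """Turn a --ignoreports value such as "40,80,443" into a set of ints."""
    return {int(p) for p in spec.split(",") if p.strip()}

def find_unattached(security_groups, network_interfaces):
    """Group IDs that no network interface references (the 'unattached' mode)."""
    attached = {g["GroupId"] for eni in network_interfaces for g in eni.get("Groups", [])}
    return sorted(sg["GroupId"] for sg in security_groups if sg["GroupId"] not in attached)

def find_unsecure(security_groups, ignore_ports=()):
    """(group id, protocol, from port, to port) for each inbound rule open to 0.0.0.0/0.
    A rule is skipped only if every port it covers is ignored; "-1" (all traffic) has no ports."""
    ignore, findings = set(ignore_ports), []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
                continue
            proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
            if proto == "-1" or lo is None:  # all protocols/ports: always worth reporting
                findings.append((sg["GroupId"], "all", None, None))
            elif not (ignore and all(p in ignore for p in range(lo, hi + 1))):
                findings.append((sg["GroupId"], proto, lo, hi))
    return findings

SAMPLE_GROUPS = [  # constructed sample, shaped like describe_security_groups output
    {"GroupId": "sg-0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0002", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0003", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_ENIS = [{"NetworkInterfaceId": "eni-aaa", "Groups": [{"GroupId": "sg-0001"}]},  # constructed;
               {"NetworkInterfaceId": "eni-bbb", "Groups": [{"GroupId": "sg-0002"}]}]  # sg-0003 is unattached

def scan_region(region, mode, ignore_ports=(), access_key=None, secret_key=None):
    """Live scan mirroring the CLI's region/mode/credential arguments; None keys fall back to the IAM role."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region, aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    groups = [g for page in ec2.get_paginator("describe_security_groups").paginate() for g in page["SecurityGroups"]]
    if mode == "unattached":
        enis = [e for page in ec2.get_paginator("describe_network_interfaces").paginate() for e in page["NetworkInterfaces"]]
        return find_unattached(groups, enis)
    return find_unsecure(groups, ignore_ports)
```

Note that the port filter only drops a rule when every port in its range is on the ignore list, so a wide range such as 0-65535 is still reported even if 80 and 443 are ignored.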

IAM Policy

A policy with the minimum required permissions can be found in the sgscanner-policy.json file.

Changelog

  • v0.1.1 - 10.09.2018 - Added the option to ignore a list of ports during the unsecure scan.
  • v0.1.0 - 09.09.2018 - Public Release