Add sagemaker envs

hupe1980 · Nov 12, 2022 · 4f28c94 · 4f28c94
1 parent e744688
commit 4f28c94
Show file tree

Hide file tree

Showing 3 changed files with 165 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -69,6 +69,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/resourcegroupstaggingapi v1.13.19
 	github.com/aws/aws-sdk-go-v2/service/route53 v1.22.3
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.28.0
+	github.com/aws/aws-sdk-go-v2/service/sagemaker v1.54.0
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.3
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.31.2
 	github.com/aws/aws-sdk-go-v2/service/sts v1.16.19

diff --git a/go.sum b/go.sum
@@ -95,6 +95,8 @@ github.com/aws/aws-sdk-go-v2/service/route53 v1.22.3 h1:35r4Cz4EDdaog3XEe9nXsefr
 github.com/aws/aws-sdk-go-v2/service/route53 v1.22.3/go.mod h1:OI1l8r9umXvVMbD35wBk2YsVPYmJIwtt03Ph1x8HPtc=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.28.0 h1:2TDTNMeOdEBVhuHPS6at9eqAPdco4A1iwRO5tov9Ylg=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.28.0/go.mod h1:fmgDANqTUCxciViKl9hb/zD5LFbvPINFRgWhDbR+vZo=
+github.com/aws/aws-sdk-go-v2/service/sagemaker v1.54.0 h1:jFgUbmNSv6YoRCOQ0QqLtWU2IQh5RywBoNMDXoHxfO8=
+github.com/aws/aws-sdk-go-v2/service/sagemaker v1.54.0/go.mod h1:umigFBRAb3i0OTRXRYDLlCawnJPYCWLhod55+tZHOFA=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.3 h1:d5S+OhXne5O3cIo999RARy/N1dgXW2ldWgD53qbEAP4=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.3/go.mod h1:+X/VSQcuvHPWPRlM64HoWUJAPwsD86KpU9Z52lrsodM=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.31.2 h1:yxazp4xlXCvS8sObRSy5KRS79kIUIwMlcaDjF+lZdyk=

diff --git a/pkg/recon/envs.go b/pkg/recon/envs.go
@@ -9,6 +9,7 @@ import (
 	codebuildTypes "github.com/aws/aws-sdk-go-v2/service/codebuild/types"
 	"github.com/aws/aws-sdk-go-v2/service/ecs"
 	"github.com/aws/aws-sdk-go-v2/service/lambda"
+	"github.com/aws/aws-sdk-go-v2/service/sagemaker"
 	"github.com/hupe1980/awsrecon/pkg/audit"
 	"github.com/hupe1980/awsrecon/pkg/audit/secret"
 	"github.com/hupe1980/awsrecon/pkg/buildspec"
@@ -39,6 +40,7 @@ type EnvsRecon struct {
 	codebuildClient *codebuild.Client
 	ecsClient       *ecs.Client
 	lambdaClient    *lambda.Client
+	sagemakerClient *sagemaker.Client
 	engine          *secret.Engine
 	opts            EnvsOptions
 }
@@ -58,6 +60,7 @@ func NewEnvsRecon(cfg *config.Config, optFns ...func(o *EnvsOptions)) *EnvsRecon
 		codebuildClient: codebuild.NewFromConfig(cfg.AWSConfig),
 		ecsClient:       ecs.NewFromConfig(cfg.AWSConfig),
 		lambdaClient:    lambda.NewFromConfig(cfg.AWSConfig),
+		sagemakerClient: sagemaker.NewFromConfig(cfg.AWSConfig),
 		engine:          secret.NewEngine(opts.Verify),
 		opts:            opts,
 	}
@@ -74,6 +77,18 @@ func NewEnvsRecon(cfg *config.Config, optFns ...func(o *EnvsOptions)) *EnvsRecon
 		r.runEnumerateServicePerRegion("lambda", cfg.Regions, func(region string) {
 			r.enumerateLambdaEnvsPerRegion(region)
 		})
+
+		r.runEnumerateServicePerRegion("sagemaker-processing", cfg.Regions, func(region string) {
+			r.enumerateSagemakerProcessingJobEnvsPerRegion(region)
+		})
+
+		r.runEnumerateServicePerRegion("sagemaker-transform", cfg.Regions, func(region string) {
+			r.enumerateSagemakerTransformJobEnvsPerRegion(region)
+		})
+
+		r.runEnumerateServicePerRegion("sagemaker-training", cfg.Regions, func(region string) {
+			r.enumerateSagemakerTrainingJobEnvsPerRegion(region)
+		})
 	}, func(o *reconOptions) {
 		o.IgnoreServices = opts.IgnoreServices
 		o.BeforeHook = opts.BeforeHook
@@ -253,6 +268,153 @@ func (rec *EnvsRecon) enumerateLambdaEnvsPerRegion(region string) {
 	}
 }
 
+func (rec *EnvsRecon) enumerateSagemakerProcessingJobEnvsPerRegion(region string) {
+	p := sagemaker.NewListProcessingJobsPaginator(rec.sagemakerClient, &sagemaker.ListProcessingJobsInput{})
+	for p.HasMorePages() {
+		page, err := p.NextPage(context.TODO(), func(o *sagemaker.Options) {
+			o.Region = region
+		})
+		if err != nil {
+			rec.addError(err)
+			return
+		}
+
+		for _, item := range page.ProcessingJobSummaries {
+			output, err := rec.sagemakerClient.DescribeProcessingJob(context.TODO(), &sagemaker.DescribeProcessingJobInput{
+				ProcessingJobName: item.ProcessingJobName,
+			}, func(o *sagemaker.Options) {
+				o.Region = region
+			})
+			if err != nil {
+				rec.addError(err)
+				continue
+			}
+
+			if len(output.Environment) > 0 {
+				for key, value := range output.Environment {
+					name := fmt.Sprintf("[Processing Job] %s", aws.ToString(output.ProcessingJobName))
+
+					entropy := audit.ShannonEntropy(value)
+
+					if entropy < rec.opts.Entropy {
+						continue
+					}
+
+					hints := rec.getHints(fmt.Sprintf("%s=%s", key, value), entropy)
+
+					rec.addResult(Env{
+						AWSService: "Sagemaker",
+						Name:       name,
+						Region:     region,
+						Key:        key,
+						Value:      value,
+						Entropy:    entropy,
+						Hints:      hints,
+					})
+				}
+			}
+		}
+	}
+}
+
+func (rec *EnvsRecon) enumerateSagemakerTransformJobEnvsPerRegion(region string) {
+	p := sagemaker.NewListTransformJobsPaginator(rec.sagemakerClient, &sagemaker.ListTransformJobsInput{})
+	for p.HasMorePages() {
+		page, err := p.NextPage(context.TODO(), func(o *sagemaker.Options) {
+			o.Region = region
+		})
+		if err != nil {
+			rec.addError(err)
+			return
+		}
+
+		for _, item := range page.TransformJobSummaries {
+			output, err := rec.sagemakerClient.DescribeTransformJob(context.TODO(), &sagemaker.DescribeTransformJobInput{
+				TransformJobName: item.TransformJobName,
+			}, func(o *sagemaker.Options) {
+				o.Region = region
+			})
+			if err != nil {
+				rec.addError(err)
+				continue
+			}
+
+			if len(output.Environment) > 0 {
+				for key, value := range output.Environment {
+					name := fmt.Sprintf("[Transform Job] %s", aws.ToString(output.TransformJobName))
+
+					entropy := audit.ShannonEntropy(value)
+
+					if entropy < rec.opts.Entropy {
+						continue
+					}
+
+					hints := rec.getHints(fmt.Sprintf("%s=%s", key, value), entropy)
+
+					rec.addResult(Env{
+						AWSService: "Sagemaker",
+						Name:       name,
+						Region:     region,
+						Key:        key,
+						Value:      value,
+						Entropy:    entropy,
+						Hints:      hints,
+					})
+				}
+			}
+		}
+	}
+}
+
+func (rec *EnvsRecon) enumerateSagemakerTrainingJobEnvsPerRegion(region string) {
+	p := sagemaker.NewListTrainingJobsPaginator(rec.sagemakerClient, &sagemaker.ListTrainingJobsInput{})
+	for p.HasMorePages() {
+		page, err := p.NextPage(context.TODO(), func(o *sagemaker.Options) {
+			o.Region = region
+		})
+		if err != nil {
+			rec.addError(err)
+			return
+		}
+
+		for _, item := range page.TrainingJobSummaries {
+			output, err := rec.sagemakerClient.DescribeTrainingJob(context.TODO(), &sagemaker.DescribeTrainingJobInput{
+				TrainingJobName: item.TrainingJobName,
+			}, func(o *sagemaker.Options) {
+				o.Region = region
+			})
+			if err != nil {
+				rec.addError(err)
+				continue
+			}
+
+			if len(output.Environment) > 0 {
+				for key, value := range output.Environment {
+					name := fmt.Sprintf("[Training Job] %s", aws.ToString(output.TrainingJobName))
+
+					entropy := audit.ShannonEntropy(value)
+
+					if entropy < rec.opts.Entropy {
+						continue
+					}
+
+					hints := rec.getHints(fmt.Sprintf("%s=%s", key, value), entropy)
+
+					rec.addResult(Env{
+						AWSService: "Sagemaker",
+						Name:       name,
+						Region:     region,
+						Key:        key,
+						Value:      value,
+						Entropy:    entropy,
+						Hints:      hints,
+					})
+				}
+			}
+		}
+	}
+}
+
 func (rec *EnvsRecon) getHints(value string, entropy float64) []string {
 	hints := rec.engine.Scan(value)