Set of scripts to rapidly administer AWS activities. These can be run from the pip package (link) or in raw .py form
- Python 3.x
- AWS CLI (with credentials file)
- api.github.com auth token in ~/.netrc in format
machine api.github.com login %user% password %access token%. Get yours here. - jq
- Windows or *nix machine
To install this script on a system level, run pip install scimma-security-scripts.
To run them raw, download from the official repository.
When installed with pip, the scripts can be run with an sc {subcommand} command, and available arguments can be retrieved with sc {subcommand} -h.
Dump cloudtail json event records from the vault having some value matching the globstring.
A vault file is a dictionary of "Records" containing an array of json objects, one json object per cloudtrail event. There is a large variety of events, each with a different json schema.
Shell users can construct simple analysis filters using jq and sort, uniq, tabulate or even grep
Examples:
| Use | Command |
|---|---|
| find all json records in vault referring to July 1, 2020 | sc inf_find "2020-07-01*" |
| find all json records in vault describing actions taken by user named "petravic" in the first week of August | sc inf_find -da 2020-08-01 -dd 6 "*petravic*" |
| make a formatted table of events, time, and assocated IP addressed. | sc inf_find "*" | jq -r "[.eventName,.eventTime,.sourceIPAddress] | @tsv" | tabulate |
| find all json records in the vault in the first 6 days in august | sc inf_find "2020-08-0[1-6]*" |
| extract event names and display the most numerous events. | sc inf_find "2020-06*" | jq ".eventName" | sort | uniq -c | sort -n |
| use GREP to explore file | sc inf_find "2020-06*" | grep -i IPaddress |
Run tag, s3, secret, certificate, repo inventory reports
Download Cloudtrail logs to the vault directory. Downloads are incremental -- previous downloads are not re-fetched or deleted.
A vault file is bushy directory tree that is stored under $HOME/.vault. the leaves are (many json) files, each covering a small slice of time. The files contain AWS event records.
Other tools (notably find_by_content.py) based on trailscraper use the downloaded data for analysis.
Similar to Duo's Cloudmapper, but it ingests more, graphs more, and uses tags to graph
Simple IAM visualizer mapping users/groups/roles to policies
Run audits checking system dependencies, policies attached to the target role, caller's privileges if sufficient, repository state, roles existing in account, and caller's identity.
Strip all policies from target role and attach ProposedPoweruser and RoleManagementWithCondition
Strip all policies from target role and stop all EC2 instances in all regions
Simulate green button functionality
Simulate red button functionality
When invoked with sc command, the script will pull default arguments from a built-in default.cfg file. The console interface also checks for a file specified through the $SCIMMA_SECURITY_CFG variable.
This variable is auto-created if it's not detected, and can be modified by editing ~/.bash_profile (bash), ~/.zshenv (zsh), or running SETX SCIMMA_SECURITY_CFG "path/config.cfg" /M (cmd). The expected config file format is such:
[DEFAULT] profile=scimma-uiuc-aws-admin role=scimma_power_user vaultdir=~/.vault loglevel=NORMAL # info tools [TAG_REPORT] dbfile=:memory: [DOWNLOAD] bucket=s3://scimma-processes/Scimma-event-trail accountid=585193511743
While not intended to be a primary way of running, the scripts can be executed individually. For example:
python find_by_content.py -dd 14 *petravic*
Is equivalent to
sc inf_find -dd 14 *petravic*