This repository has been archived by the owner on Dec 7, 2021. It is now read-only.

Add mfa functionality #1

Merged
merged 5 commits into from
May 5, 2014
2 changes: 1 addition & 1 deletion bin/ec2-security-czar
@@ -1,5 +1,5 @@
#! /usr/bin/env ruby
require 'ec2_security_czar'

manager = Ec2SecurityCzar::Base.new
manager = Ec2SecurityCzar::Base.new(ARGV[0])
manager.update_rules
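Review bot: the new positional argument in `Ec2SecurityCzar::Base.new(ARGV[0])` is undocumented in this script; when `ARGV` is empty the only feedback is whatever `Base` raises, so a one-line usage message such as `puts "usage: ec2-security-czar [mfa_token]"` before constructing the manager would make the new requirement visible to callers. Passing the token on the command line also leaves it in shell history and process listings for the life of the run; reading it from a prompt on stdin is a reasonable follow-up, even though the code is short-lived.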
34 changes: 29 additions & 5 deletions lib/ec2-security-czar/base.rb
Expand Up @@ -5,26 +5,50 @@ module Ec2SecurityCzar
class Base
attr_accessor :ec2

def initialize
def initialize(mfa_token=nil)
keys = YAML.load_file('config/aws_keys.yml')
AWS.config(access_key_id: keys[:access_key], secret_access_key: keys[:secret_key], region: "us-east-1")
@ec2 = AWS.ec2
if keys[:mfa_serial_number]
@ec2 = mfa_auth(keys, mfa_token)
else
@ec2 = AWS.ec2
end
rescue StandardError => e
handle_error e
end

def update_rules
security_groups.each do |sg|
security_group = SecurityGroup.new sg
Contributor:

what was this doing?

Collaborator Author:

It was originally matching on a regex /guardhouse-.*/, which I didn't mean to leave in. I had since changed it to be based on the yml filenames. I think that works a lot better.

security_group.update_rules
end
rescue StandardError => e
handle_error(e)
end

def security_groups
ec2.security_groups.select{|sg| sg.name.match(security_group_matcher) }
ec2.security_groups
end

private
def security_group_matcher
/guardhouse-.*/
def mfa_auth(keys, mfa_token)
raise MFATokenMissing unless mfa_token
sts = AWS::STS.new(access_key_id: keys[:access_key], secret_access_key: keys[:secret_key])
session = sts.new_session(duration: keys[:mfa_duration] || 900, serial_number: keys[:mfa_serial_number], token_code: mfa_token)
AWS::EC2.new(session.credentials)
end

def handle_error(e)
case
when e.class == Ec2SecurityCzar::MFATokenMissing
puts "MFA token is required as an argument!"
else
puts e.class
puts e.message
end
exit 1
end
end

MFATokenMissing = Class.new StandardError
end
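Review bot: with `security_group_matcher` removed, `security_groups` now returns every group in the region and `update_rules` calls `SecurityGroup#update_rules` on each of them; the yml-filename matching mentioned in the thread is not visible in this hunk, so please confirm that `SecurityGroup#update_rules` is a no-op for a group with no corresponding file (or reintroduce a filter here), otherwise a single run can touch unrelated groups. Two smaller points: `handle_error` tests `e.class == Ec2SecurityCzar::MFATokenMissing`, which misses subclasses and is not idiomatic; `case e when MFATokenMissing then ...`, or a dedicated `rescue MFATokenMissing` in `initialize`, reads better. And `mfa_auth` silently falls back to a 900 second session when `keys[:mfa_duration]` is unset; documenting that key alongside `mfa_serial_number` in the config example would help, since 900 seconds is the shortest session duration STS accepts and users will otherwise wonder why their credentials expire so quickly.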