DevOps@RajeshKumar.XYZ
Authentication: verifies who you are
Authorization: verifies what you are allowed to do
Source: http://www.cyberciti.biz/faq/authentication-vs-authorization/
aws iam list-users --query Users[*].UserName
aws iam list-groups-for-user --user-name <username>
Useful for aggregating permissions for multiple users
Can have managed or inline policies
Group Access Advisor
aws iam list-groups --query 'Groups[*].GroupName' --output text
aws iam get-group --group-name <groupname>
aws iam list-roles --query 'Roles[*].RoleName' --output text
aws iam list-role-policies --role-name <rolename>
aws iam list-attached-role-policies --role-name <rolename>
aws iam list-policies --scope Local --query 'Policies[*].Arn' --output text
--scope Local returns only customer-managed policies; AWS managed policies are excluded.
aws iam list-entities-for-policy --policy-arn <policyarn>
for i in $(aws iam list-users --query 'Users[*].UserName' --output text)
do
  echo "username $i"
  # inline policies only; attached managed policies come from list-attached-user-policies
  aws iam list-user-policies --user-name "$i"
done
aws iam get-account-authorization-details
aws iam get-account-summary
aws iam get-account-password-policy
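The group note above (groups aggregate permissions, and both users and groups can carry inline or managed policies) and the get-account-authorization-details call together give everything needed to compute a user's effective policy set offline. The script below is an added example, not code from the original page: it reads the JSON that get-account-authorization-details prints, follows each user's inline policies, attached managed policies, and the inline and managed policies of every group the user belongs to (picking the default version of each managed policy), and flags Allow statements that grant a whole service (`svc:*` or `*`) on `Resource: "*"`. The SAMPLE dictionary is constructed test data in the CLI's output shape, not a real account. It does not evaluate Deny, NotAction, Condition, permission boundaries or SCPs, so a hit is a lead to review, not a proven effective permission.

```python
"""
Cross-check user, group, inline and managed policies from one
get-account-authorization-details dump and flag wildcard grants.
Usage: aws iam get-account-authorization-details --output json > acct.json
       python3 iam_wildcards.py acct.json
"""
import json
import sys

# Constructed sample (not real account data) in the shape of the CLI's JSON output.
SAMPLE = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["admins"], "UserPolicyList": [],
         "AttachedManagedPolicies": []},
        {"UserName": "bob", "GroupList": ["developers"],
         "UserPolicyList": [{"PolicyName": "bob-s3-read", "PolicyDocument": {
             "Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::example-bucket/*"}}}],
         "AttachedManagedPolicies": [{"PolicyName": "ec2-poweruser",
                                      "PolicyArn": "arn:aws:iam::123456789012:policy/ec2-poweruser"}]},
        {"UserName": "carol", "GroupList": [], "UserPolicyList": [], "AttachedManagedPolicies": []},
    ],
    "GroupDetailList": [
        {"GroupName": "admins", "GroupPolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
        {"GroupName": "developers",
         "GroupPolicyList": [{"PolicyName": "dev-logs", "PolicyDocument": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["logs:Describe*", "logs:Get*"],
                            "Resource": "*"}]}}],
         "AttachedManagedPolicies": []},
    ],
    "RoleDetailList": [],
    "Policies": [
        {"PolicyName": "AdministratorAccess", "Arn": "arn:aws:iam::aws:policy/AdministratorAccess",
         "PolicyVersionList": [{"VersionId": "v1", "IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
        {"PolicyName": "ec2-poweruser", "Arn": "arn:aws:iam::123456789012:policy/ec2-poweruser",
         "PolicyVersionList": [
             # an older, narrower version is still listed; only the default version is live
             {"VersionId": "v1", "IsDefaultVersion": False, "Document": {
                 "Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}},
             {"VersionId": "v2", "IsDefaultVersion": True, "Document": {
                 "Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}}]},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def managed_policy_docs(data):
    """Map policy ARN -> document of the default (active) version."""
    docs = {}
    for pol in data.get("Policies", []):
        for ver in pol.get("PolicyVersionList", []):
            if ver.get("IsDefaultVersion"):
                docs[pol["Arn"]] = ver["Document"]
    return docs


def effective_policies(data):
    """{user: [(source, policy_name, document), ...]} including policies inherited via groups."""
    managed = managed_policy_docs(data)
    groups = {g["GroupName"]: g for g in data.get("GroupDetailList", [])}
    result = {}
    for user in data.get("UserDetailList", []):
        entries = []
        for p in user.get("UserPolicyList", []):
            entries.append(("user-inline", p["PolicyName"], p["PolicyDocument"]))
        for p in user.get("AttachedManagedPolicies", []):
            entries.append(("user-managed", p["PolicyName"], managed.get(p["PolicyArn"], {})))
        for gname in user.get("GroupList", []):
            g = groups.get(gname, {})
            for p in g.get("GroupPolicyList", []):
                entries.append((f"group:{gname}-inline", p["PolicyName"], p["PolicyDocument"]))
            for p in g.get("AttachedManagedPolicies", []):
                entries.append((f"group:{gname}-managed", p["PolicyName"],
                                managed.get(p["PolicyArn"], {})))
        result[user["UserName"]] = entries
    return result


def wildcard_grants(document):
    """(action, resource) pairs from Allow statements granting 'svc:*' or '*' on every resource.
    Deny, NotAction and Condition are not evaluated (caveat)."""
    hits = []
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource")):
                if (action == "*" or action.endswith(":*")) and resource == "*":
                    hits.append((action, resource))
    return hits


def find_wildcard_users(data):
    """{user: [(source, policy_name, action), ...]} for users whose effective policies hold wildcard grants."""
    findings = {}
    for user, entries in effective_policies(data).items():
        for source, name, doc in entries:
            for action, _resource in wildcard_grants(doc):
                findings.setdefault(user, []).append((source, name, action))
    return findings


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for user, hits in sorted(find_wildcard_users(data).items()):
        for source, name, action in hits:
            print(f"{user},{source},{name},{action}")
```

Run without an argument it uses the constructed sample and reports alice (AdministratorAccess inherited from the admins group) and bob (the default v2 of the customer-managed ec2-poweruser policy), while carol and bob's scoped s3:GetObject grant stay quiet.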
for i in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text)
do
  echo "region $i"
  aws ec2 describe-vpcs --region "$i"
done
for i in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text)
do
  echo "region $i"
  aws ec2 describe-vpcs --region "$i" --query 'Vpcs[*].CidrBlock'
done
for i in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text)
do
  echo "region $i"
  aws ec2 describe-dhcp-options --region "$i" --output text
done
aws ec2 describe-internet-gateways --region <region> --output text \
  --query 'InternetGateways[].{GwId:InternetGatewayId,VpcId:Attachments[].VpcId}'
Print the ID of each Internet Gateway in the region and the VPC it is attached to. Use a JMESPath expression (--query) to customize the output of the command.
for i in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text)
do
  echo "region $i"
  # use the loop variable, not a fixed region, or every iteration queries the same place
  aws ec2 describe-vpc-peering-connections --region "$i" \
    --query 'VpcPeeringConnections[].[AccepterVpcInfo.VpcId,RequesterVpcInfo.VpcId]'
done
for i in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text)
do
  echo "region $i"
  aws ec2 describe-vpc-endpoints --region "$i" --query 'VpcEndpoints[].[VpcId,ServiceName]'
done
for i in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text)
do
  echo "region $i"
  aws ec2 describe-vpc-classic-link --region "$i" --output json --query 'Vpcs[].[VpcId,ClassicLinkEnabled]'
done
EC2-Classic and ClassicLink were retired in 2022; this check only matters for accounts that still had ClassicLink-enabled VPCs.
Route table entries:
Destination: any CIDR network range or an endpoint (prefix list) object
Target: the egress point, selected from a list of gateways, interfaces and peering connections
aws ec2 describe-route-tables --output text \
  --query 'RouteTables[].[[VpcId,Routes[].GatewayId][]]'
Print each VPC ID and all gateway targets used by route tables in the VPC.
Useful for discovering possible egress points from the VPC.
aws ec2 describe-network-acls --output table --region <region>
Print easy-to-read table output of all NACLs in a region, including the associated VPC ID and Subnet ID.
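The route-table query above only reads GatewayId, so a VPC whose default route points at a NAT gateway, a peering connection, a transit gateway or an instance ENI shows up with no egress at all. The script below is an added example, not code from the original page: it walks the JSON form of describe-route-tables, collects every target field a route can carry, skips local and blackhole routes, and separately lists the route tables (and their associated subnets) that send 0.0.0.0/0 or ::/0 to an internet gateway, which is the usual definition of a public subnet. The SAMPLE dictionary is constructed test data in the CLI's output shape, with made-up resource IDs.

```python
"""
Enumerate egress points per VPC from describe-route-tables JSON and identify
public route tables (a default route to an internet gateway).
Usage: aws ec2 describe-route-tables --region <region> --output json > rtb.json
       python3 route_egress.py rtb.json
"""
import json
import sys

# Every field a route can use to name its target. A query that reads GatewayId only
# misses NAT gateways, peering connections, transit gateways and ENIs.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId",
               "VpcPeeringConnectionId", "TransitGatewayId", "NetworkInterfaceId",
               "InstanceId", "LocalGatewayId", "CarrierGatewayId", "CoreNetworkArn")
DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}

# Constructed sample (not real account data) in the shape of the CLI's JSON output.
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-pub", "VpcId": "vpc-0ef6e36c",
     "Associations": [{"Main": False, "SubnetId": "subnet-a"}, {"Main": False, "SubnetId": "subnet-b"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa", "State": "active"}]},
    {"RouteTableId": "rtb-priv", "VpcId": "vpc-0ef6e36c",
     "Associations": [{"Main": False, "SubnetId": "subnet-c"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb", "State": "active"},
         {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0ccc", "State": "active"},
         # a route whose peering connection was deleted: still listed, but traffic is dropped
         {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-0dead", "State": "blackhole"},
         {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-0ddd", "State": "active"}]},
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0ef6e36c",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-v6", "VpcId": "vpc-1f2e3d4c",
     "Associations": [{"Main": True}],
     "Routes": [
         {"DestinationCidrBlock": "10.9.0.0/16", "GatewayId": "local", "State": "active"},
         {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0eee", "State": "active"}]},
]}


def route_target(route):
    """The resource a route sends traffic to, whichever field the API used for it."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def route_destination(route):
    """IPv4 CIDR, IPv6 CIDR or prefix-list destination of a route."""
    return (route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            or route.get("DestinationPrefixListId"))


def egress_points(data):
    """{VpcId: sorted list of distinct non-local, non-blackhole route targets}."""
    points = {}
    for rtb in data["RouteTables"]:
        for route in rtb.get("Routes", []):
            target = route_target(route)
            if target is None or target == "local" or route.get("State") == "blackhole":
                continue
            points.setdefault(rtb["VpcId"], set()).add(target)
    return {vpc: sorted(targets) for vpc, targets in points.items()}


def public_route_tables(data):
    """{RouteTableId: [subnet ids]} for tables whose default route goes to an internet gateway.
    A main table is reported with '<main>', since subnets without an explicit association use it."""
    public = {}
    for rtb in data["RouteTables"]:
        has_igw_default = any(
            route_destination(r) in DEFAULT_ROUTES
            and str(route_target(r)).startswith("igw-")
            and r.get("State") != "blackhole"
            for r in rtb.get("Routes", []))
        if has_igw_default:
            public[rtb["RouteTableId"]] = [a.get("SubnetId", "<main>") for a in rtb.get("Associations", [])]
    return public


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for vpc, targets in sorted(egress_points(data).items()):
        print(vpc, ",".join(targets))
    for rtb, subnets in sorted(public_route_tables(data).items()):
        print("public:", rtb, ",".join(subnets))
```

On the sample, vpc-0ef6e36c reports four egress points (igw, NAT gateway, peering connection, gateway endpoint) and the blackhole peering route is dropped; only rtb-pub, with subnets a and b, is public.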
AWS is responsible for the underlying layers:
Data centers
Hardware
Hypervisor
API
The customer is responsible for what runs on top:
OS access
OS updates
Security patches
Penetration testing (of your own instances, within the AWS testing policy)
Instance access:
SSH using the private key (Linux)
Decrypt the Administrator password with the key pair (Windows)
#!/bin/bash
# Flag ingress rules open to the world (0.0.0.0/0) by walking the tab-separated
# text output of describe-security-groups. Only IPRANGES rows are checked, so
# IPv6 sources (IPV6RANGES ::/0) are not reported by this script.
REGION=us-west-1
SGOUT="/tmp/sginfo"
aws ec2 describe-security-groups --region "$REGION" --output text > "$SGOUT"
IFS=$'\n'
while read -r line
do
  case $line in
    SECURITYGROUPS*)
      # columns: SECURITYGROUPS Description GroupId GroupName OwnerId VpcId
      GID=$(echo "$line" | awk -F'\t' '{print $3}')
      GNAME=$(echo "$line" | awk -F'\t' '{print $4}')
      ;;
    IPPERMISSIONSEGRESS*)
      # must come before the IPPERMISSIONS* pattern, which would also match this row
      PROTO="EGRESS"
      ;;
    IPPERMISSIONS*)
      # columns: IPPERMISSIONS FromPort IpProtocol ToPort; an all-traffic rule
      # (protocol -1) has no port columns, so only $2 is present
      if [ "$(echo "$line" | awk -F'\t' '{print NF}')" -eq 2 ]; then
        PROTO=$(echo "$line" | awk -F'\t' '{print $2}')
        FROMPORT=all
        TOPORT=all
      else
        FROMPORT=$(echo "$line" | awk -F'\t' '{print $2}')
        PROTO=$(echo "$line" | awk -F'\t' '{print $3}')
        TOPORT=$(echo "$line" | awk -F'\t' '{print $4}')
      fi
      ;;
    IPRANGES*)
      CIDR=$(echo "$line" | awk -F'\t' '{print $2}')
      if [[ "$CIDR" = "0.0.0.0/0" && "$PROTO" != "EGRESS" ]]; then
        echo "$GNAME,$GID,$CIDR,$PROTO,$FROMPORT,$TOPORT"
      fi
      ;;
  esac
done < "$SGOUT"
rm "$SGOUT"
Sample describe-security-groups text output that the loop walks (one group shown; columns are tab-separated):
SECURITYGROUPS registration frontend sg-c21df0a7 vpc1w2-reg2.0-prod-frontend 168369983848 vpc-0ef6e36c
IPPERMISSIONS 80 tcp 80
IPRANGES 0.0.0.0/0
IPPERMISSIONS -1
IPRANGES 10.0.0.0/18
IPRANGES 10.0.128.0/18
IPRANGES 10.0.64.0/18
IPPERMISSIONS 22 tcp 22
IPRANGES 208.76.0.0/22
IPPERMISSIONS 443 tcp 443
IPRANGES 0.0.0.0/0
IPPERMISSIONSEGRESS -1
IPRANGES 0.0.0.0/0
Example CSV output (group name, group ID, CIDR, protocol, from port, to port):
tu-prod-gateway,sg-3a05610a,0.0.0.0/0,tcp,22,22
vpc2w2-reg2.0-loadtest-frontend,sg-e318f586,0.0.0.0/0,tcp,80,80
vpc2w2-reg2.0-loadtest-frontend,sg-e318f586,0.0.0.0/0,tcp,443,443
vpc2w2-wp-stage-frontend,sg-c4abe6a3,0.0.0.0/0,tcp,80,80
vpc2w2-wp-stage-frontend,sg-c4abe6a3,0.0.0.0/0,tcp,443,443
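The text-parsing loop above depends on column positions and never sees IPv6 rules, so a group that allows `::/0` on port 22, or all traffic from `::/0`, passes the check. The script below is an added example, not code from the original page: it reads the JSON form of describe-security-groups, treats both 0.0.0.0/0 and ::/0 as world-open, maps an all-traffic (-1) rule to the full port range, and marks rows that reach SSH or RDP so the highest-risk findings sort out first. The SAMPLE dictionary is constructed test data in the CLI's output shape; it reuses the group names from the sample output above but is not real account data.

```python
"""
Flag security-group ingress rules open to the world, reading the JSON form of
describe-security-groups so IPv6 (::/0) and all-traffic (-1) rules are covered.
Usage: aws ec2 describe-security-groups --region <region> --output json > sg.json
       python3 sg_world_open.py sg.json
"""
import json
import sys

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # SSH and RDP: world-open exposure of these is the first thing to fix

# Constructed sample (not real account data) in the shape of the CLI's JSON output.
SAMPLE = {"SecurityGroups": [
    {"GroupName": "vpc1w2-reg2.0-prod-frontend", "GroupId": "sg-c21df0a7", "VpcId": "vpc-0ef6e36c",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "208.76.0.0/22"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupName": "tu-prod-gateway", "GroupId": "sg-3a05610a", "VpcId": "vpc-0ef6e36c",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         # all traffic from any IPv6 address: invisible to a parser that only reads IPRANGES
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
]}


def _cidrs(perm):
    """All IPv4 and IPv6 CIDR sources of one permission entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _port_range(perm):
    """(protocol, low, high). Protocol -1 means every protocol and carries no port fields;
    for icmp the fields are type/code and are passed through unchanged."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all", 0, 65535
    return proto, perm.get("FromPort", 0), perm.get("ToPort", 65535)


def world_open_ingress(data):
    """Rows (GroupName, GroupId, cidr, protocol, from_port, to_port) for ingress rules
    whose source is 0.0.0.0/0 or ::/0. Egress rules are ignored."""
    rows = []
    for sg in data["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto, lo, hi = _port_range(perm)
            for cidr in _cidrs(perm):
                if cidr in WORLD:
                    rows.append((sg["GroupName"], sg["GroupId"], cidr, proto, lo, hi))
    return rows


def exposes_admin_port(row):
    """True when the row's protocol and port range reach SSH or RDP."""
    _, _, _, proto, lo, hi = row
    if proto == "all":
        return True
    if proto != "tcp":
        return False
    return any(lo <= port <= hi for port in ADMIN_PORTS)


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for row in world_open_ingress(data):
        flag = ",ADMIN" if exposes_admin_port(row) else ""
        print(",".join(str(v) for v in row) + flag)
```

On the sample this yields five rows where the text-based loop would have found four, and the two marked ADMIN (tcp/22 from 0.0.0.0/0 and all traffic from ::/0, both on tu-prod-gateway) are the ones to act on first.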
aws ec2 describe-instances --output text --region <region> \
  --filters Name=instance-state-code,Values=16 \
  --query 'Reservations[*].Instances[*].[InstanceId,PublicDnsName]'
Print the Instance ID of each running instance (instance state code 16) and its associated Public DNS.
Great for inventory and loop-and-ssh functions.
aws ec2 describe-instances --output text --region <region> \
  --query 'Reservations[].Instances[].[[InstanceId,SecurityGroups[].GroupId,SecurityGroups[].GroupName][]]' \
  | tr '\t' ','
Print each Instance ID in the region with its Security Group IDs and Security Group Names in CSV format.
The trailing [] flattens the nested lists, so each instance's values stay on one line.
#!/bin/bash
# Report instances in a region that lack a required tag.
REGION="us-west-2"
TAG="CostCenter"
TAGFILE="/tmp/ec2tags"
aws ec2 describe-tags --region "$REGION" \
  --filters Name=resource-type,Values=instance --output text > "$TAGFILE"
ec2instances=$(aws ec2 describe-instances --region "$REGION" \
  --query 'Reservations[].Instances[].InstanceId' --output text | tr '\t' '\n')
for i in $ec2instances; do
  # describe-tags text rows: TAGS Key ResourceId ResourceType Value;
  # -w avoids matching a longer key such as CostCenterOld
  if [[ -z "$(grep "$i" "$TAGFILE" | grep -w "$TAG")" ]]; then
    echo "$i is missing $TAG"
  fi
done
rm "$TAGFILE"
https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
AWS uses the techniques detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
By Type
By Size
Detached
Rotation
Region Copy
Orphans
aws ec2 describe-volumes --region <region> \
  --query 'Volumes[].VolumeId' \
  --filters Name=status,Values=available
#!/bin/bash
# Keep the NUMKEEP most recent snapshots of a volume and delete the rest.
# Usage: ./rotate-snapshots.sh <volume-id> <region> <number-to-keep>
VOLUMEID=$1
REGION=$2
NUMKEEP=$3
if [ -z "$VOLUMEID" ] || [ -z "$REGION" ] || [ -z "$NUMKEEP" ]; then
  echo "usage: $0 <volume-id> <region> <number-to-keep>" >&2
  exit 1
fi
TAIL=$(( NUMKEEP + 1 ))
# StartTime is ISO 8601, so a reverse sort on column 2 puts the newest first;
# tail then skips the NUMKEEP newest and leaves only the candidates for deletion.
SNAPIDS=$(aws ec2 describe-snapshots \
  --output text --region "$REGION" \
  --query 'Snapshots[].[SnapshotId,StartTime]' \
  --filters Name=volume-id,Values="$VOLUMEID" \
  | sort -r -k2 | cut -f1 | tail -n +"$TAIL")
if [ -n "$SNAPIDS" ]; then
  for SNAP in $SNAPIDS; do
    echo "Deleting snapshot $SNAP"
    aws ec2 delete-snapshot --region "$REGION" --snapshot-id "$SNAP"
  done
else
  echo "Not enough snapshots, exiting"
fi
By Region
By Name
By Size
By Prefix
By Size
By Encryption Status
# List every bucket with its region, sorted by region.
PRESORTFILE="/tmp/notsorted"
POSTSORTFILE="/tmp/sorted"
rm -f "$PRESORTFILE" "$POSTSORTFILE"
BUCKETLIST=$(aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n')
for BUCKET in $BUCKETLIST; do
  # without --query/--output text this returns a JSON object, not a bare region;
  # us-east-1 buckets report a null LocationConstraint, printed as None
  LOCATION=$(aws s3api get-bucket-location --bucket "$BUCKET" \
    --query LocationConstraint --output text)
  echo "$LOCATION,$BUCKET" >> "$PRESORTFILE"
done
sort "$PRESORTFILE" > "$POSTSORTFILE"
cat "$POSTSORTFILE"
#!/bin/bash
# Sum object sizes per bucket, reading the region,bucket list produced above.
BUCKETLIST="/tmp/sorted"
while IFS=, read -r REGION BUCKET; do
  # a None location means us-east-1; pin the endpoint so the request is not redirected
  EXTRA=""
  if [[ $REGION == "None" ]]; then
    REGION="us-east-1"
    EXTRA="--endpoint-url https://s3.amazonaws.com"
  fi
  # `|| [0]` keeps sum() valid for an empty bucket, where Contents is absent
  SIZE=$(aws s3api list-objects --region "$REGION" $EXTRA --bucket "$BUCKET" \
    --output text --query 'sum(Contents[].Size || `[0]`)')
  echo "$BUCKET,$SIZE"
done < "$BUCKETLIST"