From 9574bc6c56d81aa176d71977695e2240368cec63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Thu, 7 Jun 2018 11:36:29 +0100
Subject: [PATCH] Add tools for checking for compromised aws keys in a git repo
---
 .gitconfig.linux.private | 6 ++++++
 tools/find-aws-keys-in-tfstate | 2 ++
 tools/find-aws-keys.sh | 3 +++
 tools/find-iam-user-for-access-key.py | 19 ++++++-------------
 tools/print-matches.py | 11 +++++++++++
 5 files changed, 28 insertions(+), 13 deletions(-)
 create mode 100644 tools/find-aws-keys-in-tfstate
 create mode 100755 tools/find-aws-keys.sh
 create mode 100644 tools/print-matches.py
diff --git a/.gitconfig.linux.private b/.gitconfig.linux.private
index b9f343d1..ddc65158 100644
--- a/.gitconfig.linux.private
+++ b/.gitconfig.linux.private
@@ -7,3 +7,9 @@
 [alias]
 signedcommit = !git commit -S
+[difftool "sourcetree"]
+ cmd = opendiff \"$LOCAL\" \"$REMOTE\"
+ path =
+[mergetool "sourcetree"]
+ cmd = /Applications/Sourcetree.app/Contents/Resources/opendiff-w.sh \"$LOCAL\" \"$REMOTE\" -ancestor \"$BASE\" -merge \"$MERGED\"
+ trustExitCode = true
diff --git a/tools/find-aws-keys-in-tfstate b/tools/find-aws-keys-in-tfstate
new file mode 100644
index 00000000..1ea97749
--- /dev/null
+++ b/tools/find-aws-keys-in-tfstate
@@ -0,0 +1,2 @@
+git log --pretty=oneline -- terraform.tfstate | cut -f 1 -d ' ' | xargs git show | ~/tools/find-aws-keys.sh | xargs python ~/tools/find-iam-user-for-access-key.py
+
diff --git a/tools/find-aws-keys.sh b/tools/find-aws-keys.sh
new file mode 100755
index 00000000..9496a6cb
--- /dev/null
+++ b/tools/find-aws-keys.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+python ~/tools/print-matches.py '^.*[\W]+([\w]{20})[\W]+.*$'
+
diff --git a/tools/find-iam-user-for-access-key.py b/tools/find-iam-user-for-access-key.py
index 0e29e39b..f2913372 100644
--- a/tools/find-iam-user-for-access-key.py
+++ b/tools/find-iam-user-for-access-key.py
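Review bot: The `[difftool "sourcetree"]` / `[mergetool "sourcetree"]` block added to `.gitconfig.linux.private` points at `/Applications/Sourcetree.app/Contents/Resources/opendiff-w.sh`, a macOS path, and leaves `path =` empty, so on the Linux host the file is named for neither tool can resolve. It also has nothing to do with the commit's subject and looks like a block Sourcetree wrote into the config on a Mac and that was swept up with the tools. I would drop it from this patch or move it to the macOS-side config; if it stays, delete the empty `path =` line rather than shipping a dangling key.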
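Review bot: `tools/find-aws-keys-in-tfstate` is created without a shebang and with mode 100644, unlike `find-aws-keys.sh` (100755), so it cannot be invoked the way it invokes the other tools; add `#!/bin/bash` and `set -o pipefail` and mark it executable. When the log is empty, `xargs git show` runs `git show` with no arguments and prints HEAD instead of nothing, so the downstream scan sees unrelated content; `xargs -r` (GNU) avoids that, and a final `sort -u` before the IAM lookup would stop the same candidate being queried repeatedly. Plain `git log -- terraform.tfstate` also only walks the current branch and stops at a rename of the state file; if the state ever lived elsewhere, `git log --all --follow` is the more complete sweep (inferred, depends on how the state was kept).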
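Review bot: The pattern `'^.*[\W]+([\w]{20})[\W]+.*$'` matches any 20-character run of word characters bracketed by non-word characters, so every other 20-character identifier in the state file becomes a candidate, and because `^.*` is greedy the single capture group yields only the last such token on a line while a token at the very start or end of a line (no surrounding `\W`) is never matched. AWS access key IDs have a fixed, documented shape — `AKIA` (long-term) or `ASIA` (temporary) followed by 16 upper-case alphanumerics — so `'\b((?:AKIA|ASIA)[A-Z0-9]{16})\b'` is both tighter and position-independent. Even with that pattern the caller, `print-matches.py`, reports at most one hit per line (raised on that file). The trailing empty line in the new script is harmless but unneeded.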
@@ -1,21 +1,14 @@
 import boto.iam
 import sys
-TARGET_ACCESS_KEY = sys.argv[1]
-
 iam = boto.connect_iam()
 users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']
-def find_key():
- for user in users:
- for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
- aws_access_key = key_result['access_key_id']
- if aws_access_key == TARGET_ACCESS_KEY:
- print 'Target key belongs to:'
- print 'user : ' + user['user_name']
- return True
- return False
+for user in users:
+ for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
+ aws_access_key = key_result['access_key_id']
+ for TARGET_ACCESS_KEY in sys.argv[1:]:
+ if aws_access_key == TARGET_ACCESS_KEY:
+ print aws_access_key + ' : ' + user['user_name']
-if not find_key():
- print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'
diff --git a/tools/print-matches.py b/tools/print-matches.py
new file mode 100644
index 00000000..7923ff6a
--- /dev/null
+++ b/tools/print-matches.py
@@ -0,0 +1,11 @@
+import sys
+import re
+
+pattern = sys.argv[1]
+
+p = re.compile(pattern)
+
+for line in sys.stdin:
+ m = p.match(line)
+ if m:
+ print m.group(1)
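Review bot: The new innermost `for TARGET_ACCESS_KEY in sys.argv[1:]` loop re-walks the argument list for every access key of every user and uses a constant-style name as a loop variable; build `targets = set(sys.argv[1:])` once above the loops and test `if aws_access_key in targets:` instead. More importantly for a tool meant to attribute compromised keys, boto's IAM list calls are paginated (the result carries `is_truncated` and `marker`, inferred from the boto API rather than from this hunk), and both `iam.get_all_users('/')` and `iam.get_all_access_keys(...)` here read only the first page, so a key belonging to a user beyond that page is silently never reported. With the `Did not find access key` message removed, that silence is indistinguishable from "no match", so either keep a final not-found line or loop on `marker` until `is_truncated` is no longer set. Consider also exiting early when `sys.argv[1:]` is empty rather than enumerating every user's keys for nothing.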
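Review bot: `p.match(line)` yields at most one match per line and the script prints only `m.group(1)`, so a line holding several candidates reports just one, and a pattern without a capture group makes `m.group(1)` raise `IndexError`; `for m in p.finditer(line): print m.group(1)` reports every hit once the caller's pattern stops being `^...$`-anchored, and guarding on `p.groups` before using group 1 covers group-less patterns. `sys.argv[1]` is read unguarded, so running the script without a pattern dies with a traceback; `if len(sys.argv) != 2: sys.exit('usage: print-matches.py PATTERN')` gives a usable message. Note that `match` anchors at the start of the line, which only works here because the shell caller's pattern begins with `^.*`; `search`/`finditer` removes that hidden coupling between the two files.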