cyplo/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add tools for checking for compromised aws keys in a git repo

Browse source
This commit is contained in:
Cyryl Płotnicki 2018-06-07 11:36:29 +01:00
parent 1250cf1c62
commit 9574bc6c56
5 changed files with 28 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.gitconfig.linux.private
View file

@ -7,3 +7,9 @@
[alias] [alias]
signedcommit = !git commit -S signedcommit = !git commit -S
[difftool "sourcetree"]
cmd = opendiff \"$LOCAL\" \"$REMOTE\"
path =
[mergetool "sourcetree"]
cmd = /Applications/Sourcetree.app/Contents/Resources/opendiff-w.sh \"$LOCAL\" \"$REMOTE\" -ancestor \"$BASE\" -merge \"$MERGED\"
trustExitCode = true

2
tools/find-aws-keys-in-tfstate Normal file
View file

@ -0,0 +1,2 @@
git log --pretty=oneline -- terraform.tfstate | cut -f 1 -d ' ' | xargs git show | ~/tools/find-aws-keys.sh | xargs python ~/tools/find-iam-user-for-access-key.py

3
tools/find-aws-keys.sh Executable file
View file

@ -0,0 +1,3 @@
#!/bin/bash
python ~/tools/print-matches.py '^.*[\W]+([\w]{20})[\W]+.*$'

19
tools/find-iam-user-for-access-key.py
View file

@ -1,21 +1,14 @@
import boto.iam import boto.iam
import sys import sys
TARGET_ACCESS_KEY = sys.argv[1]
iam = boto.connect_iam() iam = boto.connect_iam()
users = iam.get_all_users('/')['list_users_response']['list_users_result']['users'] users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']
def find_key(): for user in users:
for user in users: for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']: aws_access_key = key_result['access_key_id']
aws_access_key = key_result['access_key_id'] for TARGET_ACCESS_KEY in sys.argv[1:]:
if aws_access_key == TARGET_ACCESS_KEY: if aws_access_key == TARGET_ACCESS_KEY:
print 'Target key belongs to:' print aws_access_key + ' : ' + user['user_name']
print 'user : ' + user['user_name']
return True
return False
if not find_key():
print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'

11
tools/print-matches.py Normal file
View file

@ -0,0 +1,11 @@
import sys
import re
pattern = sys.argv[1]
p = re.compile(pattern)
for line in sys.stdin:
m = p.match(line)
if m:
print m.group(1)