Add tools for checking for compromised aws keys in a git repo

2018-06-07 11:36:29 +01:00 · 2018-06-07 11:36:29 +01:00 · 9574bc6c56
commit 9574bc6c56
parent 1250cf1c62
5 changed files with 28 additions and 13 deletions
--- a/.gitconfig.linux.private
+++ b/.gitconfig.linux.private
@ -7,3 +7,9 @@

 [alias]
 	signedcommit = !git commit -S
+[difftool "sourcetree"]
+	cmd = opendiff \"$LOCAL\" \"$REMOTE\"
+	path = 
+[mergetool "sourcetree"]
+	cmd = /Applications/Sourcetree.app/Contents/Resources/opendiff-w.sh \"$LOCAL\" \"$REMOTE\" -ancestor \"$BASE\" -merge \"$MERGED\"
+	trustExitCode = true
--- a/tools/find-aws-keys-in-tfstate
+++ b/tools/find-aws-keys-in-tfstate
@ -0,0 +1,2 @@
+git log --pretty=oneline -- terraform.tfstate | cut -f 1 -d ' ' | xargs git show | ~/tools/find-aws-keys.sh | xargs python ~/tools/find-iam-user-for-access-key.py
+
--- a/tools/find-aws-keys.sh
+++ b/tools/find-aws-keys.sh
@ -0,0 +1,3 @@
+#!/bin/bash
+python ~/tools/print-matches.py '^.*[\W]+([\w]{20})[\W]+.*$'
+
--- a/tools/find-iam-user-for-access-key.py
+++ b/tools/find-iam-user-for-access-key.py
@ -1,21 +1,14 @@
 import boto.iam
 import sys

-TARGET_ACCESS_KEY = sys.argv[1]
-
 iam = boto.connect_iam()

 users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']

-def find_key():
 for user in users:
    for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
            aws_access_key = key_result['access_key_id']
+            for TARGET_ACCESS_KEY in sys.argv[1:]:
                if aws_access_key == TARGET_ACCESS_KEY:
-				print 'Target key belongs to:'
-				print 'user : ' + user['user_name']
-				return True
-	return False
+                        print aws_access_key + ' : ' + user['user_name']

-if not find_key():
-    print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'
--- a/tools/print-matches.py
+++ b/tools/print-matches.py
@ -0,0 +1,11 @@
+import sys
+import re
+
+pattern = sys.argv[1]
+
+p = re.compile(pattern)
+
+for line in sys.stdin:
+    m = p.match(line)
+    if m:
+        print m.group(1)
				`@ -0,0 +1,2 @@`
				`git log --pretty=oneline -- terraform.tfstate \| cut -f 1 -d ' ' \| xargs git show \| ~/tools/find-aws-keys.sh \| xargs python ~/tools/find-iam-user-for-access-key.py`