Add tools for checking for compromised aws keys in a git repo
This commit is contained in:
parent
1250cf1c62
commit
9574bc6c56
5 changed files with 28 additions and 13 deletions
|
@ -7,3 +7,9 @@
|
|||
|
||||
[alias]
|
||||
signedcommit = !git commit -S
|
||||
[difftool "sourcetree"]
|
||||
cmd = opendiff \"$LOCAL\" \"$REMOTE\"
|
||||
path =
|
||||
[mergetool "sourcetree"]
|
||||
cmd = /Applications/Sourcetree.app/Contents/Resources/opendiff-w.sh \"$LOCAL\" \"$REMOTE\" -ancestor \"$BASE\" -merge \"$MERGED\"
|
||||
trustExitCode = true
|
||||
|
|
2
tools/find-aws-keys-in-tfstate
Normal file
2
tools/find-aws-keys-in-tfstate
Normal file
|
@ -0,0 +1,2 @@
|
|||
git log --pretty=oneline -- terraform.tfstate | cut -f 1 -d ' ' | xargs git show | ~/tools/find-aws-keys.sh | xargs python ~/tools/find-iam-user-for-access-key.py
|
||||
|
3
tools/find-aws-keys.sh
Executable file
3
tools/find-aws-keys.sh
Executable file
|
@ -0,0 +1,3 @@
|
|||
#!/bin/bash
|
||||
python ~/tools/print-matches.py '^.*[\W]+([\w]{20})[\W]+.*$'
|
||||
|
|
@ -1,21 +1,14 @@
|
|||
import boto.iam
|
||||
import sys
|
||||
|
||||
TARGET_ACCESS_KEY = sys.argv[1]
|
||||
|
||||
iam = boto.connect_iam()
|
||||
|
||||
users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']
|
||||
|
||||
def find_key():
|
||||
for user in users:
|
||||
for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
|
||||
aws_access_key = key_result['access_key_id']
|
||||
if aws_access_key == TARGET_ACCESS_KEY:
|
||||
print 'Target key belongs to:'
|
||||
print 'user : ' + user['user_name']
|
||||
return True
|
||||
return False
|
||||
for user in users:
|
||||
for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
|
||||
aws_access_key = key_result['access_key_id']
|
||||
for TARGET_ACCESS_KEY in sys.argv[1:]:
|
||||
if aws_access_key == TARGET_ACCESS_KEY:
|
||||
print aws_access_key + ' : ' + user['user_name']
|
||||
|
||||
if not find_key():
|
||||
print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'
|
||||
|
|
11
tools/print-matches.py
Normal file
11
tools/print-matches.py
Normal file
|
@ -0,0 +1,11 @@
|
|||
import sys
|
||||
import re
|
||||
|
||||
pattern = sys.argv[1]
|
||||
|
||||
p = re.compile(pattern)
|
||||
|
||||
for line in sys.stdin:
|
||||
m = p.match(line)
|
||||
if m:
|
||||
print m.group(1)
|
Loading…
Reference in a new issue