Add tools for checking for compromised aws keys in a git repo

This commit is contained in:
Cyryl Płotnicki 2018-06-07 11:36:29 +01:00
parent 1250cf1c62
commit 9574bc6c56
5 changed files with 28 additions and 13 deletions

View file

@ -7,3 +7,9 @@
[alias]
signedcommit = !git commit -S
[difftool "sourcetree"]
cmd = opendiff \"$LOCAL\" \"$REMOTE\"
path =
[mergetool "sourcetree"]
cmd = /Applications/Sourcetree.app/Contents/Resources/opendiff-w.sh \"$LOCAL\" \"$REMOTE\" -ancestor \"$BASE\" -merge \"$MERGED\"
trustExitCode = true

View file

@ -0,0 +1,2 @@
git log --pretty=oneline -- terraform.tfstate | cut -f 1 -d ' ' | xargs git show | ~/tools/find-aws-keys.sh | xargs python ~/tools/find-iam-user-for-access-key.py

3
tools/find-aws-keys.sh Executable file
View file

@ -0,0 +1,3 @@
#!/bin/bash
python ~/tools/print-matches.py '^.*[\W]+([\w]{20})[\W]+.*$'

View file

@ -1,21 +1,14 @@
import boto.iam
import sys
TARGET_ACCESS_KEY = sys.argv[1]
iam = boto.connect_iam()
users = iam.get_all_users('/')['list_users_response']['list_users_result']['users']
def find_key():
for user in users:
for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
aws_access_key = key_result['access_key_id']
if aws_access_key == TARGET_ACCESS_KEY:
print 'Target key belongs to:'
print 'user : ' + user['user_name']
return True
return False
for user in users:
for key_result in iam.get_all_access_keys(user['user_name'])['list_access_keys_response']['list_access_keys_result']['access_key_metadata']:
aws_access_key = key_result['access_key_id']
for TARGET_ACCESS_KEY in sys.argv[1:]:
if aws_access_key == TARGET_ACCESS_KEY:
print aws_access_key + ' : ' + user['user_name']
if not find_key():
print 'Did not find access key (' + TARGET_ACCESS_KEY + ') in ' + str(len(users)) + ' IAM users.'

11
tools/print-matches.py Normal file
View file

@ -0,0 +1,11 @@
import sys
import re
pattern = sys.argv[1]
p = re.compile(pattern)
for line in sys.stdin:
m = p.match(line)
if m:
print m.group(1)