A AWS Security graph generator

Project description

aws-sec-graph

Purpose

Give a graph of the AWS Security Groups and EC2 instances relation.

This allow you to see relations over instances X security groups X opened ports based on AWS Filters(with boto3, Port filters or in all ec2 available instances and Security Groups.

Requirements

Packages

python3
awscli
graphviz
pip
boto3

Prerequisites

awscli configured
sudo apt install graphviz (https://graphviz.org/download/)
install graphviz (https://graphviz.readthedocs.io/en/stable/manual.html#installation)

Installation

pip install requirements.txt

AWS Permissions

Read-Only

Permissions:

ec2:DescribeInstances
ec2:DescribeTags
ec2:DescribeSecurityGroups

Resources:

*(All)

Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}

Options:

--command : 
    Only "analyze" command available
--profile  : Inform aws profile to authenticate using boto3 lib
--filter : Filter to apply on describe instances (https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html)
--format : output format (https://graphviz.org/doc/info/output.html)
--port-filter : Inform a especific port or a range of ports to filter the output, example: 1 unique port "22" or range of ports "20:22"

Usage

General usage

python3 run.py --command=analyze

Using filter

 python run.py --command=analyze --profile=default --filter='[{"Name": "tag:environment","Values": ["staging"]}]'

Using port filter

Range of ports:

 python run.py --command=analyze --profile=default --port-filter=20:22

Unique port:

 python run.py --command=analyze --profile=default --port-filter=22

Change output format (based on graphviz lib)

python run.py --command=analyze --profile=default --filter='[{"Name": "tag:environment","Values": ["staging"]}]' --format=xdot

Recomendations

TODO

Use aws profile: done (08/11/2020)
Filter for instances to graph: done (08/11/2020)
Filter for ports: done (18/12/2020)
Generate different page for security group

Project details

Release history Release notifications | RSS feed

This version

0.0.1

Dec 18, 2020

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws_sec_graph-0.0.1.tar.gz (7.0 kB view details)

Uploaded Dec 18, 2020 Source

Built Distribution

aws_sec_graph-0.0.1-py3-none-any.whl (7.7 kB view details)

Uploaded Dec 18, 2020 Python 3

File details

Details for the file aws_sec_graph-0.0.1.tar.gz.

File metadata

Download URL: aws_sec_graph-0.0.1.tar.gz
Upload date: Dec 18, 2020
Size: 7.0 kB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.25.1 setuptools/49.2.1 requests-toolbelt/0.9.1 tqdm/4.54.1 CPython/3.9.1

File hashes

Hashes for aws_sec_graph-0.0.1.tar.gz
Algorithm	Hash digest
SHA256	`889904d760ed59eceacf6d7b79dba16cb7ca64809e493ba5c529a108e3434ff4`
MD5	`850f457044fa6ef5a6b832fb9fd82861`
BLAKE2b-256	`a15bfb1d17c11979058fa08dd203c1766b9001e6b43083df927a63f8c7bf4ce1`

See more details on using hashes here.

File details

Details for the file aws_sec_graph-0.0.1-py3-none-any.whl.

File metadata

Download URL: aws_sec_graph-0.0.1-py3-none-any.whl
Upload date: Dec 18, 2020
Size: 7.7 kB
Tags: Python 3
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.25.1 setuptools/49.2.1 requests-toolbelt/0.9.1 tqdm/4.54.1 CPython/3.9.1

File hashes

Hashes for aws_sec_graph-0.0.1-py3-none-any.whl
Algorithm	Hash digest
SHA256	`8dc9d21aadc37be2b9412d0368b8efd37801fb1bf5190d273791e7bd5d5e4db3`
MD5	`76728be1444e7ce859bf4889b0481f30`
BLAKE2b-256	`d2d5f017447d65b0fef835235973ef06ccfcf18a9f55a662e1a49b9eacb74d1a`