A AWS Security graph generator

Project description

aws-sec-graph

Purpose

Give a graph of the AWS Security Groups and EC2 instances relation.

This allow you to see relations over instances X security groups X opened ports based on AWS Filters(with boto3, Port filters or in all ec2 available instances and Security Groups.

Requirements

Packages

python3
awscli
graphviz
pip
boto3

Prerequisites

awscli configured
sudo apt install graphviz (https://graphviz.org/download/)
install graphviz (https://graphviz.readthedocs.io/en/stable/manual.html#installation)

Installation

pip install requirements.txt

AWS Permissions

Read-Only

Permissions:

ec2:DescribeInstances
ec2:DescribeTags
ec2:DescribeSecurityGroups

Resources:

*(All)

Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        }
    ]
}

Options:

--command : 
    Only "analyze" command available
--profile  : Inform aws profile to authenticate using boto3 lib
--filter : Filter to apply on describe instances (https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html)
--format : output format (https://graphviz.org/doc/info/output.html)
--port-filter : Inform a especific port or a range of ports to filter the output, example: 1 unique port "22" or range of ports "20:22"

Usage

General usage

python3 run.py --command=analyze

Using filter

 python run.py --command=analyze --profile=default --filter='[{"Name": "tag:environment","Values": ["staging"]}]'

Using port filter

Range of ports:

 python run.py --command=analyze --profile=default --port-filter=20:22

Unique port:

 python run.py --command=analyze --profile=default --port-filter=22

Change output format (based on graphviz lib)

python run.py --command=analyze --profile=default --filter='[{"Name": "tag:environment","Values": ["staging"]}]' --format=xdot

Recomendations

TODO

Use aws profile: done (08/11/2020)
Filter for instances to graph: done (08/11/2020)
Filter for ports: done (18/12/2020)
Generate different page for security group

Project details

Release history Release notifications | RSS feed

This version

0.0.1

Dec 18, 2020

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws_sec_graph-0.0.1.tar.gz (7.0 kB view hashes)

Uploaded Dec 18, 2020 Source

Built Distribution

aws_sec_graph-0.0.1-py3-none-any.whl (7.7 kB view hashes)

Uploaded Dec 18, 2020 Python 3

Hashes for aws_sec_graph-0.0.1.tar.gz

Hashes for aws_sec_graph-0.0.1.tar.gz
Algorithm	Hash digest
SHA256	`889904d760ed59eceacf6d7b79dba16cb7ca64809e493ba5c529a108e3434ff4`
MD5	`850f457044fa6ef5a6b832fb9fd82861`
BLAKE2b-256	`a15bfb1d17c11979058fa08dd203c1766b9001e6b43083df927a63f8c7bf4ce1`

Hashes for aws_sec_graph-0.0.1-py3-none-any.whl

Hashes for aws_sec_graph-0.0.1-py3-none-any.whl
Algorithm	Hash digest
SHA256	`8dc9d21aadc37be2b9412d0368b8efd37801fb1bf5190d273791e7bd5d5e4db3`
MD5	`76728be1444e7ce859bf4889b0481f30`
BLAKE2b-256	`d2d5f017447d65b0fef835235973ef06ccfcf18a9f55a662e1a49b9eacb74d1a`