Utility for downloading EBS snapshots using the EBS Direct API's
Project description
dsnap
Utility for downloading EBS snapshots using the EBS Direct API's.
- Blog Post: Downloading and Exploring AWS EBS Snapshots.
- This is used as a library by the Pacu module ebs__download_snapshots.
- Check out the Pacu integration section to get an idea of the tradeoff's between the using this vs the Pacu module.
Recording
Install
PyPi
% pip install -U pip
% pip install 'dsnap[cli]'
Command Reference
% dsnap --help
Usage: dsnap [OPTIONS] COMMAND [ARGS]...
A utility for managing snapshots via the EBS Direct API.
Options:
--region REGION Sets the AWS region. [default: us-east-1]
--profile PROFILE Shared credential profile to use.
--install-completion [bash|zsh|fish|powershell|pwsh]
Install completion for the specified shell.
--show-completion [bash|zsh|fish|powershell|pwsh]
Show completion for the specified shell, to
copy it or customize the installation.
--help Show this message and exit.
Commands:
create Create a snapshot for the given instances default device volume.
delete Delete a given snapshot.
get Download a snapshot for a given instance or snapshot ID.
init Write out a Vagrantfile template to explore downloaded snapshots.
list List snapshots in AWS.
IAM Permissions
Not all these permissions are strictly necessary, for example if you provide an existing snapshot ID with the get
command you'll only need ebs:ListSnapshotBlocks and ebs:GetSnapshotBlock. The rest of the permissions are either
used to find volumes and snapshots based on instance ID's, create temporary snapshots if none exist or for use with the
create and delete commands.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ebs:ListSnapshotBlocks",
"ebs:GetSnapshotBlock",
"ec2:DescribeSnapshots",
"ec2:DescribeInstances",
"ec2:DescribeVolumes",
"ec2:DeleteSnapshot",
"ec2:CreateSnapshot",
"ec2:CreateTags"
],
"Resource": "*"
}
]
}
Examples
Listing Snapshots
% dsnap list
Id | Owner ID | State
snap-0dbb0347f47e38b96 922105094392 completed
Downloading a Snapshot
% dsnap get snap-0dbb0347f47e38b96
Output Path: /cwd/snap-0dbb0347f47e38b96.img
If you don't specify a snapshot you'll get a prompt to ask which one you want to download:
% dsnap get
0) i-01f0841393cd39f06 (ip-172-31-27-0.ec2.internal, vpc-04a91864355539a41, subnet-0e56cd55282fa9158)
Select Instance: 0
0) vol-0a1aab48b0bc3039d (/dev/sdb)
1) vol-0c616d718ab00e70c (/dev/xvda)
Select Volume: 0
No snapshots found, create one? [y/N]: y
Creating snapshot for Instance(s): i-01f0841393cd39f06 /dev/sdb, Volume: vol-0a1aab48b0bc3039d
Waiting for snapshot to complete.
Output Path: /cwd/snap-0dbb0347f47e38b96.img
Cleaning up snapshot: snap-0543a8681adce0086
Mounting in Vagrant
Note: Vagrant does not offer any guarantee's of seperation between the guest and the host. It shouldn't considered a security boundry like most VM's.
This requires virtualbox to be installed. dsnap init will write a Vagrantfile to the current directory that can be used to mount a specific downloaded snapshot. Conversion to a VDI disk is handled in the Vagrantfile, it will look for the disk file specified in the IMAGE environment variable, convert it to a VDI using VBoxManage convertdd. The resulting VDI is destroyed when the Vagrant box is, however the original raw .img file will remain and can be reused as needed.
% dsnap init
% IMAGE=snap-0543a8681adce0086.img vagrant up
% vagrant ssh
Mounting With Docker
This uses libguestfs to work directly with the downloaded img file.
Build Docker Container
% git clone https://github.com/RhinoSecurityLabs/dsnap.git
% cd dsnap
% make docker/build
Run Guestfish Shell
% IMAGE=snap-0dbb0347f47e38b96.img make docker/run
This will take a second to start up. After it drops you into the shell you should be able to run commands like ls, cd, cat. However worth noting they don't always behave exactly like they do in a normal shell.
The output will give you the basics of how to use the guestfish shell. For a full list of command you can run help --list.
Below is an example of starting the shell and printing the contents of /etc/os-release.
% IMAGE=snap-0dbb0347f47e38b96.img make docker/run
docker run -it -v "/cwd/dsnap/snap-0dbb0347f47e38b96.img:/disks/snap-0dbb0347f47e38b96.img" -w /disks mount --ro -a "snap-0dbb0347f47e38b96.img" -m /dev/sda1:/
Welcome to guestfish, the guest filesystem shell for
editing virtual machine filesystems and disk images.
Type: ‘help’ for help on commands
‘man’ to read the manual
‘quit’ to quit the shell
><fs> cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
As a Library
dsnap is also meant to be used as a library, however for this purpose it is worth keeping in mind this is an early version and it is still being developed. The interfaces will likely change as new functionality is added.
We'll do our best to make sure we follow SemVer versioning to avoid any breaking changes in minor and patch versions.
Related tools
Pacu Integration
This project is used by Pacu in the ebs__download_snapshots module. The primary benefit of using the Pacu module is to reduce unnecessary API call's, as a tradeoff it doesn't have some niceties that are included with dsnap.
For example the Pacu module reuses snapshots gathered from ebs__enum_volumes_snapshots, this prevents looking up snapshots more often then needed. At the moment it does not support some dsnap features like creating temporary snapshots or searching for snapshots by instance ID, this however may change in the future.
Other Interesting Tools
Please keep in mind that we can't vouch for the following tools. However, we felt they were worth mentioning here.
- ebs-direct-sec-tools
- In particular the scansecrets and diffsecrets commands are interesting because instead of mounting the snapshots they scan the raw image for secrets directly.
Development
For CLI development make sure you include the cli extra shown below. You'll also want to invoke the package by using python's -m (shown below) for testing local changes, the dnsap binary installed to the environment will only update when you run pip install.
Setup
% git clone https://github.com/RhinoSecurityLabs/dsnap.git
% cd dsnap
% python3 -m venv venv
% . venv/bin/activate
% python -m pip install '.[cli]'
Running With Local Changes
% python -m dsnap --help
Linting and Type Checking
% make lint
Testing
% make test
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file dsnap-1.0.1.tar.gz.
File metadata
- Download URL: dsnap-1.0.1.tar.gz
- Upload date:
- Size: 15.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.1.1 CPython/3.13.2 Linux/6.8.0-1021-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ab2f0d25389e0a901923e700d0918739d75273b5987dfcb9ca74783c6b153e9c
|
|
| MD5 |
d5268d4302927041210111a4514a9b03
|
|
| BLAKE2b-256 |
60d9b3dfa8a7b7f2d0b31e1b8378d216ed1173f87cd2cfff178dbb4f9c689623
|
File details
Details for the file dsnap-1.0.1-py3-none-any.whl.
File metadata
- Download URL: dsnap-1.0.1-py3-none-any.whl
- Upload date:
- Size: 15.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.1.1 CPython/3.13.2 Linux/6.8.0-1021-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8c5c08c3cd5cbdcf2b1157702e4755b9becbb85d69a89e9befcc9ede685141d1
|
|
| MD5 |
bad94a8ff9dede3e052f4a0abb9aec33
|
|
| BLAKE2b-256 |
cfec9da4b82e6c8beeac775c9cbba420679741d7031438ef564b376632767a22
|
