# -*- coding: utf-8 -*-
# Required modules
import argparse
import boto3
import botocore
import concurrent.futures
import datetime
import json
import logging
import os
import time
import traceback
from datetime import datetime
import requests
import pyjq
# One timestamp for the whole run, shared by the log file name and the output
# directory.  ISO-8601 to the minute, with ':' swapped for '-' so the value is
# a legal path component on Windows as well as Unix.
# NOTE(review): this is naive local time, not UTC — fine as a run label, but
# keep it in mind when correlating output with CloudTrail timestamps.
timestamp = datetime.now().strftime("%Y-%m-%dT%H-%M")
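def get_json_from_url(url, timeout=30):
    """Fetch and decode a JSON document from *url*.

    Args:
        url: The HTTP(S) URL to fetch.
        timeout: Seconds to wait for the connection and for each read before
            giving up.  The original call had no timeout, so a stalled server
            would hang the whole scan indefinitely.

    Returns:
        The decoded JSON value, or ``None`` if the request failed, returned a
        4xx/5xx status, or the body was not valid JSON.  Failures are printed,
        not raised.

    Security note: the document fetched here drives which AWS API calls the
    scan makes with the caller's credentials, so it should only be loaded
    over HTTPS from a source you control.  This function does not enforce
    that; the check belongs to the caller.
    """
    try:
        response = requests.get(url, timeout=timeout)
        response.raise_for_status()  # 4xx / 5xx -> HTTPError
    except requests.exceptions.RequestException as e:
        print(f"Failed to fetch JSON from {url}: {e}")
        return None
    try:
        return response.json()
    except ValueError as e:
        print(f"Failed to parse JSON from {url}: {e}")
        return None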
class DateTimeEncoder(json.JSONEncoder):
    """JSONEncoder that serialises ``datetime`` values as ISO-8601 strings.

    Everything else is delegated to the base class, which raises ``TypeError``
    for unsupported types as usual.
    """

    def default(self, o):
        # Only datetime is special-cased; a bare ``date`` or ``time`` still
        # falls through to the base class and is rejected.
        if not isinstance(o, datetime):
            return super().default(o)
        return o.isoformat()
def setup_logging(log_dir, log_level):
    """Create *log_dir* if needed and route this module's logger to a file.

    The file is ``aws_resources_<timestamp>.log`` inside *log_dir*.  A file
    handler is attached to the module logger, and ``logging.basicConfig`` is
    also called so the root logger gets a console handler; because the module
    logger propagates to root, every record ends up in both places.

    Args:
        log_dir: Directory for the log file (created, parents included).
        log_level: Level for both the logger and the file handler; an int or a
            level name such as ``"INFO"``.

    Returns:
        The module logger (``logging.getLogger(__name__)``).

    NOTE(review): at DEBUG this file's scan code logs complete API responses,
    so the log file can hold as much account detail as the output directory;
    protect it accordingly.
    """
    os.makedirs(log_dir, exist_ok=True)
    log_path = os.path.join(log_dir, f"aws_resources_{timestamp}.log")

    module_logger = logging.getLogger(__name__)
    module_logger.setLevel(log_level)

    file_handler = logging.FileHandler(log_path)
    file_handler.setLevel(log_level)
    file_handler.setFormatter(
        logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s")
    )
    module_logger.addHandler(file_handler)

    # Console output via the root logger; module records reach it through
    # propagation.
    logging.basicConfig(level=log_level)
    return module_logger
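def api_call_with_retry(client, function_name, parameters, max_retries, retry_delay):
    """
    Build a zero-argument callable that invokes ``client.<function_name>``
    with exponential backoff on throttling and transport errors.

    Arguments:
        client -- A boto3 client.
        function_name -- Name of the client method to call.
        parameters -- Keyword arguments for the call, or a falsy value for none.
        max_retries -- Total number of attempts (not additional retries).
        retry_delay -- Base delay in seconds; after failed attempt *k*
            (0-based) the call sleeps ``retry_delay * 2**k``.  The original
            computed ``retry_delay ** k``, which contradicted this docstring
            and always slept exactly 1 s before the first retry.

    Returns:
        A callable that performs the call and returns the service response.

    Raises (from the returned callable):
        botocore.exceptions.ClientError -- immediately for any error code that
            is not a throttling code, or after the last attempt when it is.
        botocore.exceptions.BotoCoreError -- after the last attempt for
            transport-level errors.  The original returned ``None`` once the
            attempts were exhausted, which callers reported as "no data" and
            so silently produced an incomplete inventory.
    """
    # Error codes that mean "rate-limited, try again later".  Anything else
    # (AccessDenied, validation errors, ...) will not get better by retrying.
    throttling_codes = {
        "Throttling",
        "ThrottlingException",
        "RequestLimitExceeded",
        "TooManyRequestsException",
    }

    def api_call():
        last_error = None
        for attempt in range(max_retries):
            try:
                function_to_call = getattr(client, function_name)
                if parameters:
                    return function_to_call(**parameters)
                return function_to_call()
            except botocore.exceptions.ClientError as error:
                if error.response["Error"]["Code"] not in throttling_codes:
                    raise  # permanent failure, surface it at once
                last_error = error
            except botocore.exceptions.BotoCoreError as error:
                # Connection / timeout style failures; treated as transient.
                last_error = error
            if attempt < max_retries - 1:  # no sleep after the last attempt
                time.sleep(retry_delay * 2**attempt)
        # Every attempt failed: raise the last error so the caller can log it
        # as a failure instead of mistaking None for an empty result.
        if last_error is not None:
            raise last_error
        return None  # only reachable when max_retries <= 0

    return api_call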
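def _get_service_data(session, region_name, service, log, max_retries, retry_delay):
    """
    Call one API function for one service in one region and return the data.

    Arguments:
        session -- The boto3 Session.
        region_name -- The AWS region to process.
        service -- Scan entry: a dict with ``"service"`` (boto3 service name),
            ``"function"`` (client method name) and optionally
            ``"parameters"`` (kwargs for the call) and ``"result_key"``.
            A ``result_key`` starting with ``.`` is a jq expression applied to
            the whole response; any other value is a top-level key to extract.
        log -- The logger object.
        max_retries -- The maximum number of attempts for the call.
        retry_delay -- The base delay before each retry.

    Returns:
        A dict with ``region``, ``service``, ``function`` and ``result``, or
        ``None`` when the function does not exist on the client or the call
        raised.  Errors are logged, never propagated.

    Security note: ``service["function"]`` comes straight from the scan
    definition and is resolved with ``getattr`` on a live client, so a scan
    file from an untrusted source can make *any* API call with the caller's
    credentials.  Nothing here enforces read-only access; a warning is logged
    for names outside the usual describe_/list_/get_ naming so such entries
    stand out in the log.
    """
    function = service["function"]
    result_key = service.get("result_key", None)
    parameters = service.get("parameters", None)
    service_name = service["service"]
    log.info(
        "Getting data on service %s with function %s in region %s",
        service_name,
        function,
        region_name,
    )
    try:
        client = session.client(service_name, region_name=region_name)
        if not hasattr(client, function):
            log.error(
                "Function %s does not exist for service %s in region %s",
                function,
                service_name,
                region_name,
            )
            return None
        if not function.startswith(("describe_", "list_", "get_")):
            log.warning(
                "Function %s on service %s does not look like a read-only "
                "operation; make sure the scan definition is trusted",
                function,
                service_name,
            )
        api_call = api_call_with_retry(
            client, function, parameters, max_retries, retry_delay
        )
        raw = api_call()
        if result_key and result_key.startswith("."):
            # jq path: round-trip through JSON so datetimes and other
            # non-JSON types become strings pyjq can handle.
            response = pyjq.all(result_key, json.loads(json.dumps(raw, default=str)))
        elif result_key:
            response = raw.get(result_key)
        else:
            response = raw
        if isinstance(response, dict):
            response.pop("ResponseMetadata", None)
    except Exception as exception:
        log.error(
            "Error while processing %s, %s.\n%s: %s",
            service_name,
            region_name,
            type(exception).__name__,
            exception,
        )
        log.error(traceback.format_exc())
        return None
    log.info("Finished: AWS Get Service Data")
    # DEBUG writes the complete response to the log; it can contain as much
    # account detail as the output files, so treat the log with the same care.
    log.debug(
        "Result for %s, function %s, region %s: %s",
        service_name,
        function,
        region_name,
        response,
    )
    return {
        "region": region_name,
        "service": service_name,
        "function": function,
        "result": response}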
def process_region(
    region, services, session, log, max_retries, retry_delay, concurrent_services
):
    """
    Scan every service entry in one region, fanning out over a thread pool.

    Arguments:
        region -- The AWS region to process.
        services -- The scan entries (dicts) handed to ``_get_service_data``.
        session -- The boto3 Session, shared by all worker threads.
        log -- The logger object.
        max_retries -- The maximum number of retries for each service.
        retry_delay -- The delay before each retry.
        concurrent_services -- Thread-pool size; ``None`` lets the executor pick.

    Returns:
        region_results -- List of the non-empty per-service result dicts.
            Entries whose call failed or returned a falsy result are skipped
            (logged as "No data found"), so an empty list can mean either
            "nothing there" or "every call failed" — check the log to tell
            them apart.
    """
    log.info("Started processing for region: %s", region)
    collected = []
    with concurrent.futures.ThreadPoolExecutor(
        max_workers=concurrent_services
    ) as pool:
        pending = {}
        for entry in services:
            fut = pool.submit(
                _get_service_data,
                session,
                region,
                entry,
                log,
                max_retries,
                retry_delay,
            )
            pending[fut] = entry
        for fut in concurrent.futures.as_completed(pending):
            entry = pending[fut]
            try:
                outcome = fut.result()
                if outcome is not None and outcome["result"]:
                    collected.append(outcome)
                    log.info("Successfully processed service: %s", entry["service"])
                else:
                    log.info("No data found for service: %s", entry["service"])
            except Exception as exc:
                # Worker exceptions are already logged inside the worker in the
                # normal case; this catches anything that escaped it.
                log.error("%r generated an exception: %s" % (entry["service"], exc))
                log.error(traceback.format_exc())
    log.info("Finished processing for region: %s", region)
    return collected
def display_time(seconds):
    """Format a duration in seconds as ``"<h>h:<m>m:<s>s"``.

    Each component is truncated toward its integer part, so ``3661.9``
    renders as ``"1h:1m:1s"``.
    """
    hours, remainder = divmod(seconds, 3600)
    minutes, secs = divmod(remainder, 60)
    return f"{int(hours)}h:{int(minutes)}m:{int(secs)}s"
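def check_aws_credentials(session):
    """Verify that *session* has usable AWS credentials.

    Calls STS GetCallerIdentity (which AWS documents as needing no IAM
    permissions) and prints the caller ARN on success.

    Arguments:
        session -- A boto3 Session.

    Returns:
        ``True`` if the call succeeded, ``False`` otherwise; the error is
        printed, not raised.

    The original caught only ``BotoCoreError``.  Invalid, expired or revoked
    credentials come back from STS as a ``ClientError`` (a 403), which
    escaped as a traceback instead of the friendly message; both are handled
    now.
    """
    try:
        sts = session.client("sts")
        identity = sts.get_caller_identity()
    except (
        botocore.exceptions.BotoCoreError,
        botocore.exceptions.ClientError,
    ) as error:
        print(f"Error verifying AWS credentials: {error}")
        return False
    print(f"Authenticated as: {identity['Arn']}")
    return True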
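def main(
    scan,
    regions,
    output_dir,
    log_level,
    max_retries,
    retry_delay,
    concurrent_regions,
    concurrent_services,
):
    """
    Main function to perform the AWS services scan.

    Arguments:
        scan -- The path to the JSON file or URL containing the AWS services to scan.
        regions -- The AWS regions to scan; ``None``/empty means every region the
            account can use (opt-in-not-required or opted-in).
        output_dir -- The directory to store the results (and the log file).
        log_level -- The log level for the script.
        max_retries -- The maximum number of retries for each service.
        retry_delay -- The delay before each retry.
        concurrent_regions -- The number of regions to process concurrently.
        concurrent_services -- The number of services to process concurrently for each region.

    Results are written as
    ``<output_dir>/<timestamp>/<region>/<service>-<function>.json``.

    Security note: the scan definition decides which API calls run under the
    current credentials (see ``_get_service_data``).  Loading it over plain
    ``http://`` lets anyone on the network path rewrite it, so that case is
    logged as a warning; prefer a local file or an ``https://`` URL you
    control.
    """
    session = boto3.Session()
    if not check_aws_credentials(session):
        print("Invalid AWS credentials. Please configure your credentials.")
        return
    log = setup_logging(output_dir, log_level)

    if scan.startswith(("http://", "https://")):
        if scan.startswith("http://"):
            log.warning(
                "Scan definition %s is fetched over plain HTTP and is not "
                "integrity-protected; use https:// or a local file",
                scan,
            )
        services = get_json_from_url(scan)
        if services is None:
            print(f"Failed to load services from {scan}. Exiting.")
            return
    else:
        with open(scan, "r", encoding="utf-8") as f:
            services = json.load(f)

    if not regions:
        # Only regions the account can call; presumably disabled opt-in
        # regions are excluded so they do not produce auth-failure noise.
        ec2_client = session.client("ec2")
        regions = [
            region["RegionName"]
            for region in ec2_client.describe_regions()["Regions"]
            if region["OptInStatus"] in ("opt-in-not-required", "opted-in")
        ]

    start_time = time.time()
    with concurrent.futures.ThreadPoolExecutor(
        max_workers=concurrent_regions
    ) as executor:
        future_to_region = {
            executor.submit(
                process_region,
                region,
                services,
                session,
                log,
                max_retries,
                retry_delay,
                concurrent_services,
            ): region
            for region in regions
        }
        for future in concurrent.futures.as_completed(future_to_region):
            region = future_to_region[future]
            try:
                region_results = future.result()
                directory = os.path.join(output_dir, timestamp, region)
                for service_result in region_results:
                    try:
                        os.makedirs(directory, exist_ok=True)
                    except NotADirectoryError:
                        log.error("Invalid directory name: %s", directory)
                    result_path = os.path.join(
                        directory,
                        f"{service_result['service']}-{service_result['function']}.json",
                    )
                    with open(result_path, "w", encoding="utf-8") as f:
                        json.dump(service_result["result"], f, cls=DateTimeEncoder)
            except Exception as exc:
                # One failing region must not abort the others.
                log.error("%r generated an exception: %s" % (region, exc))
                log.error(traceback.format_exc())

    elapsed_time = time.time() - start_time
    print(f"Total elapsed time for scanning: {display_time(elapsed_time)}")
    print(f"Result stored in {output_dir}/{timestamp}")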
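if __name__ == "__main__":
    # Command-line entry point; every option maps 1:1 onto main()'s parameters.
    parser = argparse.ArgumentParser(
        description="List all resources in all AWS services and regions."
    )
    parser.add_argument(
        "-s",
        "--scan",
        help="The path to the JSON file or URL containing the AWS services to scan.",
        required=True,
    )
    parser.add_argument(
        "-r", "--regions", nargs="+", help="List of AWS regions to scan"
    )
    parser.add_argument(
        "-o", "--output_dir", default="output", help="Directory to store the results"
    )
    # Validate the level here: an unknown name used to surface much later as a
    # ValueError from logger.setLevel() instead of a usage error.
    parser.add_argument(
        "-l",
        "--log_level",
        default="INFO",
        type=str.upper,
        choices=["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"],
        help="Set the logging level (DEBUG, INFO, WARNING, ERROR, CRITICAL; case-insensitive)",
    )
    parser.add_argument(
        "--max-retries",
        type=int,
        default=3,
        help="Maximum number of attempts for each API call (including the first)",
    )
    parser.add_argument(
        "--retry-delay",
        type=int,
        default=2,
        help="Base delay (in seconds) before each retry; doubles on every attempt",
    )
    parser.add_argument(
        "--concurrent-regions",
        type=int,
        default=None,
        help="Number of regions to process concurrently. Default is None, which means the script will use as many as possible",
    )
    parser.add_argument(
        "--concurrent-services",
        type=int,
        default=None,
        help="Number of services to process concurrently for each region. Default is None, which means the script will use as many as possible",
    )
    args = parser.parse_args()
    main(
        args.scan,
        args.regions,
        args.output_dir,
        args.log_level,
        args.max_retries,
        args.retry_delay,
        args.concurrent_regions,
        args.concurrent_services,
    )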