find_unused does things the way everyone else does now, by looking at…

… the network interfaces
m4maker · Jul 18, 2019 · 491be02 · 491be02
1 parent 76d37b5
commit 491be02
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ CloudMapper helps you analyze your Amazon Web Services (AWS) environments.  The
 - `audit`: Check for potential misconfigurations.
 - `collect`: Collect metadata about an account. More details [here](https://summitroute.com/blog/2018/06/05/cloudmapper_collect/).
 - `find_admins`: Look at IAM policies to identify admin users and roles and spot potential IAM issues. More details [here](https://summitroute.com/blog/2018/06/12/cloudmapper_find_admins/).
+- `find_unused`: Look for unused resources in the account.  Makes a best effort. Currently finds unused Security Groups.
 - `prepare`/`webserver`: See [Network Visualizations](docs/network_visualizations.md)
 - `public`: Find public hosts and port ranges. More details [here](https://summitroute.com/blog/2018/06/13/cloudmapper_public/).
 - `sg_ips`: Get geoip info on CIDRs trusted in Security Groups. More details [here](https://summitroute.com/blog/2018/06/12/cloudmapper_sg_ips/).

diff --git a/commands/find_unused.py b/commands/find_unused.py
@@ -12,40 +12,32 @@
 def run(arguments):
     _, accounts, config = parse_arguments(arguments)
 
-    # Get the data from the `prepare` command
-    outputfilter = {
-        "internal_edges": True,
-        "read_replicas": True,
-        "inter_rds_edges": True,
-        "azs": False,
-        "collapse_by_tag": None,
-        "collapse_asgs": True,
-        "mute": True,
-    }
     unused_resources = []
     for account in accounts:
         unused_resources_for_account = []
         for region_json in get_regions(Account(None, account)):
             unused_resources_for_region = {}
             used_sgs = set()
-            outputfilter["regions"] = '"{}"'.format(region_json["RegionName"])
-            network = build_data_structure(account, config, outputfilter)
-
-            for edge in pyjq.all('.[].data|select(.type=="edge")', network):
-                for sg in edge.get("node_data", []):
-                    if type(sg) is not list:
-                        used_sgs.add(sg.get("GroupId", None))
 
             region = Region(Account(None, account), region_json)
             defined_sgs = query_aws(
                 Account(None, account), "ec2-describe-security-groups", region
             )
 
+            network_interfaces = query_aws(
+                Account(None, account), "ec2-describe-network-interfaces", region
+            )
+
             defined_sg_set = {}
 
             for sg in pyjq.all(".SecurityGroups[]", defined_sgs):
                 defined_sg_set[sg["GroupId"]] = sg
 
+            for used_sg in pyjq.all(
+                ".NetworkInterfaces[].Groups[].GroupId", network_interfaces
+            ):
+                used_sgs.add(used_sg)
+
             unused_sg_ids = set(defined_sg_set) - used_sgs
             unused_sgs = []
             for sg_id in unused_sg_ids:
@@ -61,7 +53,7 @@ def run(arguments):
 
             unused_resources_for_account.append(
                 {
-                    "name": region_json["RegionName"],
+                    "region": region_json["RegionName"],
                     "unused_resources": unused_resources_for_region,
                 }
             )