Merge pull request duo-labs#482 from 0xdabbad00/find_unused

Find unused
m4maker · Jul 18, 2019 · a99a07b · a99a07b
2 parents e1b4cb3 + 491be02
commit a99a07b
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,7 @@ CloudMapper helps you analyze your Amazon Web Services (AWS) environments.  The
 - `audit`: Check for potential misconfigurations.
 - `collect`: Collect metadata about an account. More details [here](https://summitroute.com/blog/2018/06/05/cloudmapper_collect/).
 - `find_admins`: Look at IAM policies to identify admin users and roles and spot potential IAM issues. More details [here](https://summitroute.com/blog/2018/06/12/cloudmapper_find_admins/).
+- `find_unused`: Look for unused resources in the account.  Makes a best effort. Currently finds unused Security Groups.
 - `prepare`/`webserver`: See [Network Visualizations](docs/network_visualizations.md)
 - `public`: Find public hosts and port ranges. More details [here](https://summitroute.com/blog/2018/06/13/cloudmapper_public/).
 - `sg_ips`: Get geoip info on CIDRs trusted in Security Groups. More details [here](https://summitroute.com/blog/2018/06/12/cloudmapper_sg_ips/).

diff --git a/commands/find_unused.py b/commands/find_unused.py
@@ -0,0 +1,66 @@
+from __future__ import print_function
+from shared.common import parse_arguments
+from commands.prepare import build_data_structure
+import pyjq
+from shared.common import parse_arguments, make_list, query_aws, get_regions
+from shared.nodes import Account, Region
+import json
+
+__description__ = "Find unused resources in accounts"
+
+
+def run(arguments):
+    _, accounts, config = parse_arguments(arguments)
+
+    unused_resources = []
+    for account in accounts:
+        unused_resources_for_account = []
+        for region_json in get_regions(Account(None, account)):
+            unused_resources_for_region = {}
+            used_sgs = set()
+
+            region = Region(Account(None, account), region_json)
+            defined_sgs = query_aws(
+                Account(None, account), "ec2-describe-security-groups", region
+            )
+
+            network_interfaces = query_aws(
+                Account(None, account), "ec2-describe-network-interfaces", region
+            )
+
+            defined_sg_set = {}
+
+            for sg in pyjq.all(".SecurityGroups[]", defined_sgs):
+                defined_sg_set[sg["GroupId"]] = sg
+
+            for used_sg in pyjq.all(
+                ".NetworkInterfaces[].Groups[].GroupId", network_interfaces
+            ):
+                used_sgs.add(used_sg)
+
+            unused_sg_ids = set(defined_sg_set) - used_sgs
+            unused_sgs = []
+            for sg_id in unused_sg_ids:
+                unused_sgs.append(
+                    {
+                        "id": sg_id,
+                        "name": defined_sg_set[sg_id]["GroupName"],
+                        "description": defined_sg_set[sg_id].get("Description", ""),
+                    }
+                )
+
+            unused_resources_for_region["security_groups"] = unused_sgs
+
+            unused_resources_for_account.append(
+                {
+                    "region": region_json["RegionName"],
+                    "unused_resources": unused_resources_for_region,
+                }
+            )
+        unused_resources.append(
+            {
+                "account": {"id": account["id"], "name": account["name"]},
+                "regions": unused_resources_for_account,
+            }
+        )
+    print(json.dumps(unused_resources, indent=2, sort_keys=True))