From b57553d33289e0f0e478dceb9de5f870a403ab18 Mon Sep 17 00:00:00 2001
From: Olivia Campbell
Date: Mon, 12 Feb 2024 15:47:33 +0000
Subject: [PATCH] Add list of exposed ports

From a security stance we should have the ability to find out which ports are opened to the world across our AWS accounts.
---
 bin/waf/ip-port-exposed | 57 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100755 bin/waf/ip-port-exposed

diff --git a/bin/waf/ip-port-exposed b/bin/waf/ip-port-exposed
new file mode 100755
index 0000000..17e74dc
--- /dev/null
+++ b/bin/waf/ip-port-exposed
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# exit on failures
+set -e
+set -o pipefail
+
+usage() {
+ echo "Usage: $(basename "$0") [OPTIONS]" 1>&2
+ echo " -h - help"
+ echo " -i - infrastructure name"
+ exit 1
+}
+
+# if there are no arguments passed exit with usage
+if [ $# -eq 0 ]
+then
+ usage
+fi
+
+while getopts "i:h" opt; do
+ case $opt in
+ i)
+ INFRASTRUCTURE_NAME=$OPTARG
+ ;;
+ h)
+ usage
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
+
+if [[
+ -z "$INFRASTRUCTURE_NAME"
+]]
+then
+ usage
+fi
+
+log_info() {
+ echo "==>[INFO] $1"
+}
+
+log_error() {
+ echo "==>[ERROR] $1" >&2
+}
+
+EXPOSED_PORTS=$(aws ec2 describe-security-groups --query 'SecurityGroups[*].[GroupId, GroupName, IpPermissions[?IpRanges[?CidrIp == `0.0.0.0/0`]].{FromPort:FromPort, ToPort:ToPort, IpRanges:IpRanges[*].CidrIp}]' --output json | jq -r '.[] | {GroupId: .[0], GroupName: .[1], OpenToWorld: .[2][]}' | grep -v -E '(80|443)')
+
+
+if [[ -z "$EXPOSED_PORTS" ]]; then
+ log_error "No exposed ports"
+ exit 1
+else
+ log_info "Retrieving list of exposed ports to the world >>> $EXPOSED_PORTS"
+fi
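Review bot: The `grep -v -E '(80|443)'` on the EXPOSED_PORTS line is a substring match over every line of jq's pretty-printed output, so it silently discards findings whose GroupId or GroupName happens to contain "80" or "443" and drops port lines such as 8080, 1443 or 4430, while leaving the rest of a matching object as a broken fragment. The exclusion belongs in jq on the port value, e.g. `jq -c '.[] | {GroupId: .[0], GroupName: .[1], OpenToWorld: .[2][]} | select(.OpenToWorld.FromPort != 80 and .OpenToWorld.FromPort != 443)'`, which keeps one complete record per line. With `set -e` and `pipefail`, grep exits 1 whenever it selects no lines, so the "No exposed ports" branch below is never reached on a clean account; the script exits 1 with no message instead. The JMESPath filter only inspects `IpRanges` for `0.0.0.0/0`, so rules open to the IPv6 world via `Ipv6Ranges` with `::/0` are not reported; a comment stating that scope, or extending the filter, would avoid a false sense of coverage. Reporting an empty result as `[ERROR]` with exit 1 also inverts the meaning for any caller that treats non-zero as a failed scan rather than a good outcome.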