Stars: 194 · Rank 199,037 (Top 4 %) · Language: Go · License: MIT License · Created about 4 years ago · Updated over 1 year ago

AWSets

A utility for crawling an AWS account and exporting all its resources for further analysis.

Motivation

Trek10 frequently gets pulled into existing AWS accounts that lack documentation, don’t practice proper tagging, don’t use infrastructure as code, or just contain so many resources that it is difficult to get an understanding of what we’re working with. Unfortunately, there is no single AWS call or service that can provide a complete assessment of everything in an account so that we can start to piece together a map of what is going on.

After exploring existing solutions in this space, we were unable to find anything that both had the resource coverage we desired, and also aligned with the goals we set out with.

Goals

This project has the following main goals:

  • Support as many AWS resources as possible
  • Build relationships between those resources
  • Normalize output to facilitate post-processing.

Notes

  • Global resources (iam, route53, waf) are always queried regardless of the region filter, as long as the resource type is valid
  • Not every resource has support yet, not every resource has tags yet, and not all relationships are in place. If a gap in functionality has been identified, please submit a request to have it fixed/added.

The output of this tool is a JSON array of objects in the following format:

{
    "Account": "123456789",              // account resource is in
    "Region": "us-east-1",               // region resource is in
    "Id": "12345",                       // resource id
    "Version": "",                       // resource version
    "Type": "ec2/instance",              // resource type
    "Name": "test-instance",             // resource name
    "Attributes": {},                    // full dump of resource attributes
    "Tags": {},                          // normalized tags for resource
    "Relations": [                       // array of the identifiers of related resources
        {
            "Account": "123456789",
            "Region": "us-east-1",
            "Id": "vpc-123abc123",
            "Version": "",
            "Type": "ec2/vpc"
        }
    ]
}

Filters can be added to the query in order to restrict regions and resource types. A list of currently supported AWS resource types can be found here.

Getting Started

Installation

From source

git clone https://github.com/trek10inc/awsets.git
cd awsets/cmd/awsets
go build && go install

Homebrew

brew tap trek10inc/tap
brew install awsets

From binaries

Binaries are available here

Usage:

USAGE:
   awsets [global options] command [command options] [arguments...]

COMMANDS:
   list     lists all requested aws resources
   regions  lists regions supported by account
   types    lists supported resource types
   process  runs processors on results json
   version  prints version information
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h  show help (default: false)

Region Filter: This is a comma separated list of region prefixes. For example, --regions us-e would run in us-east-1 and us-east-2. --regions us-e,us-west-1 would run in us-east-1, us-east-2, and us-west-1. --regions all will run in all regions.

Resource filter: This is broken into two flags: --include and --exclude. Both are comma-delimited lists of resource type prefixes, with the exclusions processed last.

awsets list --include iam will query iam/group, iam/instanceprofile, iam/policy, iam/role, and iam/user

awsets list --include iam --exclude iam/g will query iam/instanceprofile, iam/policy, iam/role, and iam/user
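The prefix rules for both filters, written out as an added Go example (not awsets' own code) and checked against the README's own examples; SelectTypes, SelectRegions and the sample inventories are this example's names, and treating an empty --regions spec like "all" is an assumption the README does not state.

```go
package main

import (
	"fmt"
	"strings"
)

// hasPrefixIn reports whether s starts with any entry of the comma-separated
// spec (entries trimmed, empty entries ignored; an empty spec matches nothing).
func hasPrefixIn(s, spec string) bool {
	for _, p := range strings.Split(spec, ",") {
		if p = strings.TrimSpace(p); p != "" && strings.HasPrefix(s, p) {
			return true
		}
	}
	return false
}

// SelectTypes applies the README's --include/--exclude rules to a list of
// supported resource types: an empty include keeps everything, entries match
// by prefix, and exclusions are processed last.
func SelectTypes(supported []string, include, exclude string) []string {
	var out []string
	for _, t := range supported {
		if (include == "" || hasPrefixIn(t, include)) && !hasPrefixIn(t, exclude) {
			out = append(out, t)
		}
	}
	return out
}

// SelectRegions applies the --regions rules: a comma-separated list of region
// prefixes, or "all" for every enabled region (empty spec assumed to mean "all").
func SelectRegions(enabled []string, spec string) []string {
	if spec == "all" || spec == "" {
		return append([]string(nil), enabled...)
	}
	return SelectTypes(enabled, spec, "")
}

// Constructed stand-ins for what `awsets types` and `awsets regions` would list.
var (
	sampleTypes   = []string{"ec2/instance", "ec2/vpc", "iam/group", "iam/instanceprofile", "iam/policy", "iam/role", "iam/user"}
	sampleRegions = []string{"us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1"}
)

func main() {
	fmt.Println(SelectTypes(sampleTypes, "iam", "iam/g"))       // second README example
	fmt.Println(SelectRegions(sampleRegions, "us-e,us-west-1")) // README region example
}
```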

Subcommands

list

Primary command - used to do the actual query.

USAGE:
   awsets list [command options]

OPTIONS:
   --dryrun                  do a dry run of query (default: false)
   --include value           comma separated list of resource type prefixes to include
   --exclude value           comma separated list of resource type prefixes to exclude
   --output value, -o value  output file to save results
   --profile value           AWS profile to use
   --refresh                 force a refresh of cache (default: false)
   --regions value           comma separated list of region prefixes
   --show-progress           toggle progress bar (default: false)
   --verbose, -v             toggle verbose logging (default: false)
   --help, -h                show help (default: false)

Examples:

Query everything, save to all.json: awsets list -o all.json

Query all resources managed by the IAM & EC2 services in us-east-1: awsets list --regions us-east-1 -o all.json --include iam,ec2

regions

Simple command to output all supported and enabled regions for the current AWS account. The arguments are used to filter the regions by prefix.

USAGE:
   awsets regions [command options] [region prefixes]

OPTIONS:
   --profile value  AWS profile to use
   --help, -h       show help (default: false)

types

Simple command to output all supported AWS resource types. Flags can be passed to include/exclude specific resource types by prefix.

USAGE:
   awsets types [command options]

OPTIONS:
   --include value  comma separated list of resource type prefixes to include
   --exclude value  comma separated list of resource type prefixes to exclude
   --help, -h       show help (default: false)

process

A section of experimentation. There are a few custom processors here that are used to manipulate the output awsets json. Most will likely be split out to be separate applications or scripts, but for ease of development have been placed here. Long term, this may still contain general utilities to help search and organize the data (like a DOT graph builder?, stats), but will not contain specialized analysis (Cloudformation healthcheck) or anything that can already be done better by other CLI tools like jq.

dot

Command that takes a file that is output from awsets list and generates a DOT graph. This can then be rendered into an image via fdp <dot file> -Tsvg -o <output.svg>. This step can take a while to complete, and the resulting image is typically rather large. There is ongoing work to try and improve this process.

USAGE:
   awsets process dot [command options] [arguments...]

OPTIONS:
   --input value, -i value   input file containing data to process
   --output value, -o value  output file to save results
   --show-all                include all unrelated items (default: false)
   --help, -h                show help (default: false)
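As an added example (not the project's own processor code), the following Go program reads the output format documented above and emits the kind of DOT graph the dot subcommand produces, dropping resources that sit on no relation unless showAll is set, as the README describes --show-all; the Go type names, the node key format and the constructed sample input are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Ref is the identifier tuple awsets emits for a resource and for each Relations
// entry (field names from the README; the Go type names are this example's own).
type Ref struct{ Account, Region, Id, Version, Type string }

// Resource holds the output fields the graph needs; the decoder ignores the rest.
type Resource struct {
	Ref
	Name      string
	Relations []Ref
}

func (r Ref) key() string { return r.Account + "/" + r.Region + "/" + r.Type + "/" + r.Id }

// BuildDOT returns a DOT digraph with one node per resource and one edge per
// Relations entry; resources on no edge are dropped unless showAll (cf. --show-all).
func BuildDOT(data []byte, showAll bool) (string, error) {
	var rs []Resource
	if err := json.Unmarshal(data, &rs); err != nil {
		return "", err
	}
	related := map[string]bool{} // keys seen on either end of an edge
	var nodes, edges []string
	for _, r := range rs {
		for _, rel := range r.Relations {
			related[r.key()], related[rel.key()] = true, true
			edges = append(edges, fmt.Sprintf("  %q -> %q;", r.key(), rel.key()))
		}
	}
	for _, r := range rs {
		if showAll || related[r.key()] {
			nodes = append(nodes, fmt.Sprintf("  %q [label=%q];", r.key(), r.Type+"\n"+r.Name))
		}
	}
	return "digraph awsets {\n" + strings.Join(append(nodes, edges...), "\n") + "\n}\n", nil
}

// sample is constructed input: an instance related to its VPC plus an IAM user
// with no relations, so the user only shows up when showAll is true.
const sample = `[
 {"Account":"123456789","Region":"us-east-1","Id":"i-0abc","Type":"ec2/instance","Name":"test-instance","Tags":{"env":"dev"},"Relations":[{"Account":"123456789","Region":"us-east-1","Id":"vpc-123abc123","Version":"","Type":"ec2/vpc"}]},
 {"Account":"123456789","Region":"us-east-1","Id":"vpc-123abc123","Type":"ec2/vpc","Name":"main","Tags":{},"Relations":[]},
 {"Account":"123456789","Region":"us-east-1","Id":"alice","Type":"iam/user","Name":"alice","Tags":{},"Relations":[]}]`
```

Calling BuildDOT([]byte(sample), false) yields a graph whose only nodes are the instance and its VPC; the resulting text can be written to a file and rendered with fdp as described above.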

Future Work

Although AWSets is in a place where it provides solid resource coverage and works well for a lot of use cases, there is more work to be done:

  • Supporting more AWS resources and relationships - 300+ is a good start, but there are many more to go
  • In addition to supporting more resources, existing resources may have some gaps. For example, some resources require secondary calls to get Tags
  • Improve relationship building - AWSets should be able to match a DynamoDB table to a Lambda Function when the DDB table is passed in via environment variable
