added specific logging, updated readme, bumped version
Signed-off-by: Aaron Lippold <[email protected]>
aaronlippold committed May 12, 2022
1 parent be31fdb commit 4dd7a19
Showing 4 changed files with 35 additions and 20 deletions.
1 change: 0 additions & 1 deletion .github/workflows/draft-release.yml
Expand Up @@ -2,7 +2,6 @@ name: Draft Release

on:
push:
# branches to consider in the event; optional, defaults to all
branches:
- master

30 changes: 21 additions & 9 deletions README.md
Expand Up @@ -2,26 +2,28 @@

A micro-baseline to check for insecure or public S3 buckets and bucket objects in your AWS Environment. This [InSpec](https://github.com/chef/inspec) compliance profile verifies that you do not have any insure or open to public S3 Bucket or Bucket Objects in your AWS Environment in an automated way.

### Required Gems:
### Required Gems

This profile requires the following gems:

- `inspec`
- `inspec-bin`
- `aws-sdk-s3`
- `concurrent-ruby`
- `inspec`
- `inspec-bin`
- `aws-sdk-s3`
- `concurrent-ruby` (v1.1.0 or higher)

#### Warning: Large amounts of Bucket Objects
Please **install these gems** in the ruby environment that InSpec is using prior to executing the profile.

The `s3-objects-no-public-access` control iterates through and verifies every objects in each bucket in your AWS Environment, thus its runtime will depend on the number of objects in your S3 Buckets.
### Large Buckets and Profile Runtime

On average the profile can process around 500 - 1000 objects/sec.
The `s3-objects-no-public-access` control iterates through every object in each bucket in your AWS environment. The runtime will depend on the number of objects in your S3 Buckets.

On average the profile can process around ~1000 objects/sec.

If you have buckets with large numbers of objects, we suggest you script a loop and use the `single_bucket` input to parallelize the workload.

To see the processing in more details use the `-l debug` flag to get verbose output.

Then you can load all your HDF JSON results into [Heimdall Lite](https://heimdall-lite.mitre.org) to easily review all your scan results.
Then you can load all your HDF JSON results into [Heimdall Lite](https://heimdall-lite.mitre.org) to easily review all your scan results from the multiple runs by loading them in Heimdall.

## Getting Started

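Review bot: the unchanged description at the top of this hunk still reads "you do not have any insure or open to public S3 Bucket or Bucket Objects"; since this commit is a README pass, fix it to "insecure or publicly accessible S3 buckets or bucket objects". Two of the new lines also need a second look. "around ~1000 objects/sec" doubles up "around" and "~", and it replaces the earlier 500 - 1000 range with a single figure without saying under what conditions it was measured; the rate is bounded by one ACL request per object (the library does `object.acl.grants` for every key), so the thread count and the account's S3 request limits matter more than the profile itself. Keep the range or state the conditions. The Heimdall sentence now says the same thing twice ("load all your HDF JSON results into Heimdall Lite ... by loading them in Heimdall"); "Then load the HDF JSON results from each run into Heimdall Lite to review them together." is enough. Finally, the new "(v1.1.0 or higher)" requirement on `concurrent-ruby` is stated only in prose and enforced nowhere visible; if it is a real constraint, pin it in the install commands or a Gemfile.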
Expand Down Expand Up @@ -84,6 +86,16 @@ $ export AWS_SECRET_ACCESS_KEY=access-key
$ export AWS_SESSION_TOKEN=session-token # if MFA is enabled
```
## Installing the needed Gems
### Plain Old Ruby Environment
- `gem install concurrent-ruby`
### Using a Chef or CINC Omnibus Installation
- `chef gem install concurrent-ruby`
## Running This Baseline Directly from Github
### Testing all your buckets except those defined in your `excluded buckets`
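Review bot: the new "Installing the needed Gems" section installs only `concurrent-ruby`, while the "Required Gems" list earlier in the file also names `inspec`, `inspec-bin` and `aws-sdk-s3`. Either install the full set here (for example `gem install inspec-bin aws-sdk-s3 concurrent-ruby`) or say explicitly that the InSpec or Chef/CINC install already provides the others and only `concurrent-ruby` is missing. If the ">= 1.1.0" requirement from the list is real, pass it to gem: `gem install concurrent-ruby -v '>= 1.1.0'`. Also put a blank line after the closing ``` fence and between each `##`/`###` heading and the bullet that follows it; the rest of the README leaves a blank line after every heading, and this block is the only place that does not.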
17 changes: 9 additions & 8 deletions inspec.yml
Expand Up @@ -4,10 +4,10 @@ maintainer: MITRE InSpec Team
copyright: MITRE, 2022
copyright_email: [email protected]
license: Apache-2.0
summary: "InSpec validation example baseline profile for AWS S3 - to test if you have public buckets"
version: 1.5.1
summary: "InSpec profile to test if you have public buckets or objects"
version: 1.5.2

inspec_version: ">= 4"
inspec_version: ">= 4.0"

supports:
- platform: aws
Expand All @@ -17,12 +17,13 @@ depends:
url: https://github.com/inspec/inspec-aws/archive/main.tar.gz

inputs:
- name: exception_bucket_list
description: "list of buckets exempted from inspection"
type: array
value:
- ""
- name: single_bucket
description: "The name of the single bucket you wish to scan"
type: string
value: ""

- name: exception_bucket_list
description: "List of buckets that should be exempted from review"
type: array
value:
- ""
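Review bot: both inputs default to an empty string, and `exception_bucket_list` defaults to a one-element array `[""]` rather than an empty array. Whatever consumes these inputs has to treat `""` as "not set" for `single_bucket` and strip the empty string from `exception_bucket_list` before comparing it against bucket names, otherwise a bucket literally named "" is "exempted" and nothing else is. A default of `value: []` for the list, plus a sentence in the `single_bucket` description saying that an empty value means "scan every bucket", removes that trap. The reordering of the two inputs also adds diff noise; adding `single_bucket` below the existing input would have kept the hunk to the real change (the new input and the reworded description).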
7 changes: 5 additions & 2 deletions libraries/concurrent_s3.rb
Expand Up @@ -32,13 +32,16 @@ def objects(options = {})
end

def get_public_objects(myBucket)
Inspec::Log.debug "Processing Bucket: #{myBucket}"
myPublicKeys = []
s3 = Aws::S3::Resource.new
pool = Concurrent::FixedThreadPool.new(56)
mutex = Mutex.new

if Inspec::Log.level == :debug
Inspec::Log.debug "### Processing Bucket ### : #{myBucket} with #{s3.bucket(myBucket).objects.count} objects"
end
s3.bucket(myBucket).objects.each do |object|
Inspec::Log.debug "Examining Key: #{object.key}"
Inspec::Log.debug " Examining Key: #{object.key}" if Inspec::Log.level == :debug
pool.post do
grants = object.acl.grants
if grants.map { |x| x.grantee.type }.any? { |x| x =~ /Group/ } && grants.map do |x|
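Review bot: the new debug branch calls `s3.bucket(myBucket).objects.count`, which walks the whole bucket (a full paginated list) just to print a number, and then `objects.each` walks it again; for the buckets with large numbers of objects that the README warns about, `-l debug` doubles the List calls exactly where it hurts. Count inside the loop and log the total after `each` finishes instead. The `if Inspec::Log.level == :debug` guard on the per-key line is redundant (the logger already drops debug messages at higher levels) but harmless; the guard that matters is the one around the count. Two pre-existing points worth fixing while this function is open: the pool size `56` is hard-coded and each task makes one `object.acl` (GetObjectAcl) request, so it is the main knob on both throughput and S3 request rate and deserves to be an input; and an exception raised inside a `pool.post` block (for example AccessDenied on the ACL call) is swallowed by concurrent-ruby rather than propagated, so an object whose ACL cannot be read is silently reported as not public. Rescue inside the block and record the failed key under the `mutex` so the control can surface it.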

0 comments on commit 4dd7a19