2017-10-09 110 views
0

I am running into trouble trying to get some information with Boto3. Here is what I want to do: get the security group rules for every network interface that has a public IP.

I loop over all the network interfaces in an AWS account; if an interface is in use and has a public IP, I get its security group and check whether any rule is open to the internet, such as 0.0.0.0/0 or a public IP. The goal is a security report for all instances whose network interfaces are connected to the internet.

Here is the script:

from boto3.session import Session   # Session(...) is used below
from netaddr import IPNetwork       # IPNetwork(...).is_private() is used below

# Assumption: the list of profile names from ~/.aws/credentials; the poster's
# script defines it earlier (the traceback places the loop at line 62).
awsProfile = ['default']

SGName = ''
SGID = ''
interfaceID = ''
ListGroups = {}    # GroupName -> GroupId; never cleared between interfaces or profiles
Message = 'Instances With Public Ips :'
# check aws profiles
for p in awsProfile:
    print(p)
    # define aws session
    session = Session(region_name="eu-west-1", profile_name=p)
    ec2 = session.resource('ec2')
    client = session.client('ec2')
    all_interfaces = ec2.network_interfaces.all()
    for interface in all_interfaces:
        interfaceID = interface.id
        desc = client.describe_network_interfaces(NetworkInterfaceIds=[interfaceID])
        for d in desc['NetworkInterfaces']:
            if interface.status == 'in-use' and d.get('Association') is not None:
                print(interfaceID)
                publicIp = d.get('Association')['PublicIp']
                # only the first attached security group is recorded
                SGName = d.get('Groups')[0].get('GroupName')
                SGID = d.get('Groups')[0].get('GroupId')
                ListGroups[SGName] = SGID
                Message = (Message + str(p) + str(interface.vpc.id)
                           + str(interface.attachment.get('InstanceId'))
                           + str(interface.description) + str(interface.private_ip_address)
                           + str(publicIp) + str(interfaceID) + str(SGID) + str(SGName))
                # every group collected so far, including groups seen under earlier
                # profiles, is looked up through the current profile's session
                for key in ListGroups:
                    sg = ec2.SecurityGroup(ListGroups[key])
                    for i in range(len(sg.ip_permissions)):
                        for j in range(len(sg.ip_permissions[i]['IpRanges'])):
                            ip = IPNetwork(sg.ip_permissions[i]['IpRanges'][j]['CidrIp'])
                            if ip.is_private() == False:
                                Message = Message + 'Public Securiy Groups details :'
                                # 'ToPort' is absent when IpProtocol is '-1' (all traffic)
                                Message = Message + str(ListGroups[key]) + str(sg.ip_permissions[i]['ToPort'])

When I run the script I get this error:

Traceback (most recent call last):
  File "openNetwork.py", line 62, in <module>
    for i in range(len(sg.ip_permissions)):
  File "C:\Python\Python35-32\lib\site-packages\boto3\resources\factory.py", line 339, in property_loader
    self.load()
  File "C:\Python\Python35-32\lib\site-packages\boto3\resources\factory.py", line 505, in do_action
    response = action(self, *args, **kwargs)
  File "C:\Python\Python35-32\lib\site-packages\boto3\resources\action.py", line 83, in __call__
    response = getattr(parent.meta.client, operation_name)(**params)
  File "C:\Python\Python35-32\lib\site-packages\botocore\client.py", line 310, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Python\Python35-32\lib\site-packages\botocore\client.py", line 599, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidGroup.NotFound) when calling the DescribeSecurityGroups operation: The security group 'sg-9abc52e3' does not exist

It says that some security group does not exist. I should only be getting IDs of security groups that are attached to a network interface and that exist. I tracked down the network interface that causes the error; it has 2 security groups, and neither of them has the ID shown in the error. Any idea how to make this work?
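The following is an added example, not the poster's script, showing the same survey done so that every security-group lookup stays inside the session that produced the group ID, every attached group is inspected (not only `Groups[0]`), IPv6 ranges are included, and the `-1` (all traffic) protocol entry, which carries no `ToPort`, does not raise. The boto3 calls are confined to `collect()` and `main()`; the classification works on the plain dictionaries returned by `describe_network_interfaces` and `describe_security_groups`, so it is exercised here on constructed sample data. The profile name, region and all resource identifiers in the sample are assumptions.

```python
"""Survey ENIs that carry a public IP and report inbound SG rules reachable
from outside the VPC.  Added example, not the poster's script."""
import ipaddress


def classify_cidr(cidr):
    """'world' for 0.0.0.0/0 or ::/0, 'private' for RFC 1918 / ULA / loopback
    style ranges, 'scoped' for any other (public but bounded) prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "world"
    return "private" if net.is_private else "scoped"


def port_range(perm):
    """Describe the ports of one IpPermissions entry.  IpProtocol '-1' (all
    traffic) carries no FromPort/ToPort keys, so perm['ToPort'] would KeyError."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or lo == -1:          # icmp "all types" is encoded as -1
        return f"{proto}/all"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def exposed_rules(group):
    """Inbound ranges of one DescribeSecurityGroups item that are not private."""
    out = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            exposure = classify_cidr(cidr)
            if exposure != "private":
                out.append((cidr, port_range(perm), exposure))
    return out


def build_report(interfaces, groups_by_id):
    """interfaces: DescribeNetworkInterfaces items; groups_by_id: GroupId ->
    DescribeSecurityGroups item.  Both must come from the SAME session
    (account + region); a GroupId from another account is InvalidGroup.NotFound."""
    report = []
    for eni in interfaces:
        public_ip = eni.get("Association", {}).get("PublicIp")
        if eni.get("Status") != "in-use" or not public_ip:
            continue
        findings = []
        for g in eni.get("Groups", []):          # every attached group, not only [0]
            sg = groups_by_id.get(g["GroupId"])
            if sg is None:                       # group unknown to this session
                findings.append((g["GroupId"], "?", "?", "missing"))
                continue
            for cidr, ports, exposure in exposed_rules(sg):
                findings.append((g["GroupId"], cidr, ports, exposure))
        report.append({
            "interface": eni["NetworkInterfaceId"],
            "instance": eni.get("Attachment", {}).get("InstanceId"),
            "private_ip": eni.get("PrivateIpAddress"),
            "public_ip": public_ip,
            "findings": findings,
            "world_open": any(f[3] == "world" for f in findings),
        })
    return report


def collect(session):
    """Fetch ENIs and the SGs they reference through ONE boto3 session."""
    ec2 = session.client("ec2")
    interfaces = []
    for page in ec2.get_paginator("describe_network_interfaces").paginate():
        interfaces.extend(page["NetworkInterfaces"])
    ids = sorted({g["GroupId"] for e in interfaces for g in e.get("Groups", [])})
    groups = {}
    if ids:
        for page in ec2.get_paginator("describe_security_groups").paginate(GroupIds=ids):
            for sg in page["SecurityGroups"]:
                groups[sg["GroupId"]] = sg
    return interfaces, groups


def main(profiles=("default",), region="eu-west-1"):   # assumed profile and region
    import boto3   # lazy import: the pure functions above run without boto3
    for profile in profiles:
        session = boto3.session.Session(profile_name=profile, region_name=region)
        for row in build_report(*collect(session)):   # report rebuilt per profile
            flag = "WORLD-OPEN" if row["world_open"] else "ok"
            print(profile, row["interface"], row["instance"], row["public_ip"], flag)
            for gid, cidr, ports, exposure in row["findings"]:
                print("   ", gid, cidr, ports, exposure)


# Constructed sample data in the shape of the EC2 API responses (not real resources).
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0a1b2c3d4e5f67890", "Status": "in-use",
     "PrivateIpAddress": "10.0.1.20", "Association": {"PublicIp": "203.0.113.10"},
     "Attachment": {"InstanceId": "i-0123456789abcdef0"},
     "Groups": [{"GroupId": "sg-0a11ce000000000001", "GroupName": "web"},
                {"GroupId": "sg-0b0b0000000000002", "GroupName": "admin"}]},
    {"NetworkInterfaceId": "eni-0fedcba9876543210", "Status": "available",
     "PrivateIpAddress": "10.0.1.30", "Groups": []},
]
SAMPLE_SGS = {
    "sg-0a11ce000000000001": {"GroupId": "sg-0a11ce000000000001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    "sg-0b0b0000000000002": {"GroupId": "sg-0b0b0000000000002", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "1.2.3.0/24"}]}]},
}

if __name__ == "__main__":
    for row in build_report(SAMPLE_ENIS, SAMPLE_SGS):   # offline run on the sample
        print(row)
```

Run `main(["profile-a", "profile-b"])` against real credentials to get the live report; because `collect()` and `build_report()` are called once per profile, a group ID found under one profile is never resolved through another profile's session.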

Answer

0

If your only task is to find security groups that could pose a security threat, call on AWS Trusted Advisor. One of its core checks covers security groups:

Checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.
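As an added example (not the answerer's code) of consuming that check programmatically rather than through the console: the AWS Support API exposes Trusted Advisor through `describe_trusted_advisor_checks` and `describe_trusted_advisor_check_result`. The check is selected by its display name so no check ID is hard-coded, and the column names that the API returns for the check are zipped onto each flagged resource's metadata. The API calls sit in `main()`; `summarize()` is exercised on a constructed result whose check name, column names and values are assumptions.

```python
"""Read a Trusted Advisor security-group check through the AWS Support API.
Added example, not the answerer's code."""

CHECK_NAME = "Security Groups - Specific Ports Unrestricted"   # assumed display name


def find_check(checks, name):
    """Pick a check by display name from describe_trusted_advisor_checks()."""
    for check in checks:
        if check["name"] == name:
            return check
    raise LookupError(f"no Trusted Advisor check named {name!r}")


def summarize(check, result):
    """Return (status counts, rows).  Each row maps the check's metadata column
    names onto one flagged resource's metadata values; 'ok' and suppressed
    resources are counted but not listed.  Rows are ordered error, warning, other."""
    counts = {}
    rows = []
    for res in result["flaggedResources"]:
        counts[res["status"]] = counts.get(res["status"], 0) + 1
        if res["status"] == "ok" or res.get("isSuppressed"):
            continue
        row = dict(zip(check["metadata"], res["metadata"]))
        row["status"] = res["status"]
        rows.append(row)
    rows.sort(key=lambda r: {"error": 0, "warning": 1}.get(r["status"], 2))
    return counts, rows


def main():
    import boto3   # lazy import: summarize() runs without boto3
    # The Support API is served only from us-east-1 and needs a Business or
    # Enterprise support plan; without one the calls are rejected.
    support = boto3.client("support", region_name="us-east-1")
    checks = support.describe_trusted_advisor_checks(language="en")["checks"]
    check = find_check(checks, CHECK_NAME)
    result = support.describe_trusted_advisor_check_result(
        checkId=check["id"], language="en")["result"]
    counts, rows = summarize(check, result)
    print("overall:", result["status"], counts)
    for row in rows:
        print(row)


# Constructed sample in the shape of the Support API responses (not a real account).
SAMPLE_CHECK = {"id": "check-id-placeholder", "name": CHECK_NAME,
                "metadata": ["Region", "Security Group Name", "Security Group ID",
                             "Protocol", "Port", "Status"]}
SAMPLE_RESULT = {"status": "error", "flaggedResources": [
    {"status": "error", "region": "eu-west-1", "resourceId": "r1", "isSuppressed": False,
     "metadata": ["eu-west-1", "admin", "sg-0b0b0000000000002", "tcp", "22", "Red"]},
    {"status": "warning", "region": "eu-west-1", "resourceId": "r2", "isSuppressed": False,
     "metadata": ["eu-west-1", "web", "sg-0a11ce000000000001", "tcp", "8080", "Yellow"]},
    {"status": "warning", "region": "eu-west-1", "resourceId": "r3", "isSuppressed": True,
     "metadata": ["eu-west-1", "legacy", "sg-0c0c0000000000003", "tcp", "8080", "Yellow"]},
    {"status": "ok", "region": "eu-west-1", "resourceId": "r4", "isSuppressed": False,
     "metadata": ["eu-west-1", "web", "sg-0a11ce000000000001", "tcp", "443", "Green"]},
]}

if __name__ == "__main__":
    print(summarize(SAMPLE_CHECK, SAMPLE_RESULT))   # offline run on the sample
```

Trusted Advisor only covers the ports in its own list; the ENI-based script in the question is still needed if you want every world-open rule tied to the interface and instance that exposes it.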