Skip to content

guardian/fsbp-tools

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

171 Commits
.github
.github
 
 
bucket-utils
bucket-utils
 
 
common
common
 
 
script
script
 
 
vpc-utils
vpc-utils
 
 
.gitignore
.gitignore
 
 
.releaserc.json
.releaserc.json
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

FSBP tools

What is this thing?

fsbp-fix is a tool that searches for and automatically remediates auto-fixable violations of the AWS FSBP standard. Currently, just S3.8, which states that all buckets should have individual configurations blocking public access, and EC2.2, which states that default security groups in VPCs should not allow any inbound or outbound traffic, are supported.

Installation

brew tap guardian/homebrew-devtools && \
brew install fsbp-fix

S3.8 - S3 general purpose buckets should block public access

Usage

The minimal flags required to resolve S3.8 are as follows. This will execute in dry run mode.

fsbp-fix S3.8 -profile <PROFILE> -region <REGION> [OPTIONAL_FLAGS]
Details ### Function

First, we find all the buckets that are breaking this rule. It skips over any that are in CloudFormation stacks (to avoid introducing stack drift), and then blocks public access to the remaining buckets.

flowchart TB
    stack[Is it part of a cloudformation stack]
    excl[Is it in a list of excluded \n buckets provided by the user?]
    block[Block public access to the bucket]
    ruleBreak[Does the bucket break S3.8?]
    break[Do nothing.]
    noAccess[No. Access already \n blocked]

    ruleBreak --> Yes --> stack --> No --> excl --> Nope --> block
    ruleBreak --> noAccess --> break
    stack --> Yeah --> break
    excl --> Yep --> break
Loading

There are a few extra features, controlled by flags, enumerated below.

CLI options fsbp-fix takes a subcommand and up to 3 flags:

  • profile: Required. The profile to use when connecting to AWS.

  • region: Required. The region you want to search in.

  • execute: Optional. Takes no value. If present, it will ask the user to confirm, then block the buckets. If not, it will only print the buckets that would have been blocked.

  • exclusions: Optional. Comma-delimited list of buckets to exclude from blocking.

  • max: Optional. The maximum number of buckets to block. Between 1 and 100. Defaults to 100, which is the maximum number of buckets that can exist in an AWS account.

You will also need credentials for the relevant AWS account from Janus.

Local development While developing locally, you can test the application using the following command from the bucket-blocker subdirectory, without needing to build the binary: 
go run main.go s3.8 -profile <PROFILE> -region <REGION> [OPTIONAL_FLAGS]

EC2.2

Usage

The minimal flags required to resolve EC2.2 are as follows. This will execute in dry run mode.

fsbp-fix ec2.2 -profile <PROFILE> -region <REGION> [OPTIONAL_FLAGS]
Details AWS Security Hub Control [EC2.2](https://docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2) states that default security groups in VPCs should not allow any inbound or outbound traffic. VPCs set up recently are compliant by default, but older VPCs are not.

The tool will search for relevant security groups that are not compliant with this control, and check to see if the security group is being used. If the group is not in use, it will remove the offending ingress/egress rules.

flowchart TB
    usage[Is the group in use?]
    block[Delete all security group rules]
    ruleBreak[Does the group break EC2.2?]
    break[Do nothing.]
    inUse[Yeah]

    ruleBreak --> Yes --> usage --> No --> block
    usage --> inUse --> break
    ruleBreak --> Nope --> break
Loading
CLI options ingress-inquisition takes the following flags:

  • profile: Required. The profile to use when connecting to AWS.

  • region: Required. The region you want to search in.

  • execute: Optional. Takes no value. If present, it will ask the user to confirm, then delete the rules. Otherwise, it will just list the rules that would have been deleted.

Local development While developing locally, you can test the application using the following command from the ingress-inquisitor subdirectory, without needing to build the binary: 
go run main.go ec2.2 -profile <PROFILE> -region <REGION> [OPTIONAL_FLAGS]
FAQ ### FAQ

How do we know if a security group is being used?

Security groups are associated with resources such as EC2 instances, databases, etc via an Elastic Network Interface (ENI). Ingress inquisition queries the AWS API to check all ENIs in the region, and if a security group is associated with an ENI, it is considered in use, and the rules will not be deleted.

Local development

When committing your changes, please use the conventional commit format. This will allow us to automatically generate a changelog and correctly version the application when it is released.

Releasing to brew

Creating a new release of the application on brew, is currently a manual process. You will need to update the version, urls, and SHAs in homebrew-devtools. The SHAs are generated by running shasum -a 256 <filename> on the binary, or by checking the annotations on the release step in the GitHub Actions workflow.

About

No description or website provided.

Topics

production

Resources

Readme

License

MIT license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

0 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases 14

v3.1.0 Latest
Nov 6, 2024
+ 13 releases

Packages

No packages published

Contributors 5

Languages