<h1>Continuing with Boto: Find security group having port 22 open for all</h1>
<p>Published 2015-05-05 (last modified 2015-07-09) at <a href="https://www.tothenew.com/blog/continuing-with-boto-find-security-group-having-port-22-open-for-all/">https://www.tothenew.com/blog/continuing-with-boto-find-security-group-having-port-22-open-for-all/</a></p>
<p>Consider a use case where a <a title="AWS Certified Team" href="http://www.tothenew.com/devops-automation-consulting">team member</a> has opened port 22 to <b style="color: red;">0.0.0.0/0</b> in an EC2 security group and forgotten about it. That rule exposes SSH on every instance in the group to the whole internet, which is a serious security concern.</p>
<p>So I have written a script using the Python boto library that scans the security groups attached to all running and stopped instances and, if any group allows port 22 from 0.0.0.0/0, sends an email report to all stakeholders. It is meant to run on a daily or weekly schedule; the email is delivered through an SNS topic using the SNS publish API call.</p>
<p>This script has a few prerequisites:</p>
<p><strong>1) Create an SNS topic and configure its subscriptions.</strong></p>
<p>Once you create the SNS topic and subscribe the stakeholders' email addresses to it, you get a topic ARN that you need to configure in the script.</p>
<p><strong>2) Configure an IAM user or role with the required policy.</strong></p>
<p>The script only needs read access to EC2 (ec2:DescribeSecurityGroups and ec2:DescribeInstances) plus sns:Publish on that one topic, so the policy should grant nothing beyond that.</p>
[python]
import sys
import traceback

import boto.ec2
import boto.sns

REGION = "region-name"                    # replace with your region
SNS_TOPIC_ARN = "SNS-topic-arn-endpoint"  # replace with your SNS topic ARN

connection = boto.ec2.connect_to_region(REGION)
connSNS = boto.sns.connect_to_region(REGION)

messages = "Following Instances have port 22 open"


def getTag(instance):
    # Fall back to the instance id when no Name tag is set instead of raising KeyError
    return instance.tags.get("Name", instance.id)


def ruleOpensPort22ToWorld(rule):
    # from_port/to_port are None for "all traffic" (-1) rules, which expose port 22 too;
    # otherwise report any port range that contains 22, not only an exact 22-22 rule
    if rule.from_port is not None and rule.to_port is not None:
        if not (int(rule.from_port) <= 22 <= int(rule.to_port)):
            return False
    # Grants referencing another security group have cidr_ip set to None
    return any(grant.cidr_ip == "0.0.0.0/0" for grant in rule.grants)


try:
    listOfInstances = ""
    for securityGroup in connection.get_all_security_groups():
        for rule in securityGroup.rules:
            if ruleOpensPort22ToWorld(rule):
                # instances() returns the Instance objects attached to this group
                for instance in securityGroup.instances():
                    listOfInstances += ("Instance Name : " + getTag(instance)
                                        + "\t State:" + instance.state
                                        + "\t SecurityGroup:" + securityGroup.name + "\n")
                break  # one matching rule is enough to report the group once
    # Publish a single report after the whole scan, and only when something was found
    if listOfInstances:
        connSNS.publish(topic=SNS_TOPIC_ARN,
                        message=messages + "\n" + listOfInstances,
                        subject="ProjectName : Server List with Port 22 Open")
except Exception:
    print("Some Error occurred : ")
    print(sys.exc_info())
    connSNS.publish(topic=SNS_TOPIC_ARN,
                    message=traceback.format_exc(),
                    subject="script ended with error")
[/python]
<p>You can schedule this script as a daily cron job to get the report over email.</p>
<p>You can download these scripts from our GitHub profile: <a href="https://github.com/hiteshBhatia/aws-boto-scripts/">AWS-Boto-Scripts</a>.</p>
<p>Leave a comment if you have any questions regarding this article.</p>