AWS Security Group Checker
This Python script checks your AWS security groups, in every region listed in the script, for inbound rules whose source is "open" (0.0.0.0/0, i.e. the whole Internet) and reports what it finds.
Requirements:
Tested with Python 2.7 / boto 2.34
A valid profile in ~/.aws/config or ${AWS_CONFIG_FILE} with the appropriate API keys (see step 5 for where boto reads the keys from).
Steps:
1. Install python:
sudo yum install python27
2. Install PIP:
curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
python get-pip.py
3. Install AWS CLI:
pip install awscli
4. Run below command:
aws configure
5. Put your AWS credentials:
In the file ~/.boto (boto's own config file, which takes the same key names), or in the file ~/.aws/credentials:
[default]
aws_access_key_id = xxxxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxx

[user2]
aws_access_key_id = xxxxxxxxxxxxxxxxxxxx
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

In the file ~/.aws/config:
[default]
region=us-west-2
output=json

[profile user2]
region=us-east-1
output=text
6. Create the script that checks the security groups, sg-chkr.py:
----------------------------------------------------------------------------------------------------------------------------------------------------
#!/usr/bin/env python
#
# Python Version: 2.7 (boto 2.x)
#
# Scan for "open" security groups: inbound rules whose source is 0.0.0.0/0.
# Only inbound rules (sg.rules) are checked; egress rules (sg.rules_egress) are not.
#
# Must be the first line of code
from __future__ import print_function

import sys

import boto.ec2
import boto.vpc

# ** Modify these variables as needed **
# Static list: regions that AWS launched after this list was written are not scanned.
REGIONS = (
    'us-east-1', 'eu-west-1', 'ap-northeast-1', 'us-west-1', 'us-west-2',
    'ap-southeast-1', 'ap-northeast-2', 'ap-southeast-2', 'sa-east-1',
    'eu-central-1', 'ap-south-1',
)
# **


# Make our text pretty (ANSI colour escape codes)
class bcolors:
    HEADER = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'


def usage():
    """Usage Statement"""
    print("""
Security group checker..
""")
    print("\t* use: --profile <profile_name>")
    print("\t" + bcolors.GREEN + "profile_name " + bcolors.ENDC + "from your ~/.boto (~/.aws/credentials)\n\n")
    sys.exit(1)


# Check for arguments
if len(sys.argv) != 3 or sys.argv[1].lower() != '--profile':
    usage()
# Profile names are case-sensitive, so they are used exactly as typed
profile = sys.argv[2]

# Test in each region (main loop)
for reg_name in REGIONS:
    myregion = boto.ec2.get_region(region_name=reg_name)
    try:
        conn = boto.vpc.VPCConnection(profile_name=profile, region=myregion)
    except Exception as e:
        print("\nCheck your profile_name in ~/.boto and try again.")
        print(e)
        usage()
    print("\nRegion:", reg_name)
    # Get all security groups (VPC and EC2-Classic) in this region
    all_sgs = conn.get_all_security_groups()
    print("Number of SGs:", len(all_sgs), "\n")
    # Scan the inbound rules in each security group.
    # Look for 0.0.0.0/0 as the source - a single port 80 or 443 is probably ok
    # (yellow), anything else is red; print them all anyway.
    for sg in all_sgs:
        for rule in sg.rules:
            if str(rule.from_port) == str(rule.to_port) and str(rule.from_port) in ("80", "443"):
                textc = bcolors.WARNING
            else:
                textc = bcolors.FAIL
            for grant in rule.grants:
                # str(grant) is the CIDR for CIDR grants and the group id for SG grants.
                # Compare for equality: "x in '0.0.0.0/0'" would be a substring test.
                if str(grant) == "0.0.0.0/0":
                    print(textc + "WARNING: Open security group >>>", sg.name, "(", sg.id, ")")
                    textc = bcolors.ENDC
                    print(textc + "Proto:", rule.ip_protocol, "\tPorts:", rule.from_port, "\t", rule.to_port, "\tSource:", rule.grants, "\n")
#
# (end main loop)
----------------------------------------------------------------------------------------------------------------------------------------------------
7. Run this script:
python sg-chkr.py --profile user2
Save the output in a file (the colour escape codes are written to the file as well):
python sg-chkr.py --profile user2 >> sg-output.txt
Output:
./sg-chkr.py --profile eng
Region: us-east-1
Number of SGs: 29
WARNING: Open security group >>> launch-wizard-1 ( sg-6b72f506 )
Proto: tcp Ports: 22 22 Source: [0.0.0.0/0]
WARNING: Open security group >>> launch-wizard-2 ( sg-5ff54632 )
Proto: tcp Ports: 0 65535 Source: [0.0.0.0/0]
WARNING: Open security group >>> launch-wizard-3 ( sg-6b4b230f )
Proto: tcp Ports: 22 22 Source: [0.0.0.0/0]
WARNING: Open security group >>> app-server ( sg-9b505afe )
Proto: tcp Ports: 8080 8080 Source: [0.0.0.0/0]
WARNING: Open security group >>> rds-launch-wizard ( sg-5062e234 )
Proto: tcp Ports: 3306 3306 Source: [0.0.0.0/0]
Region: eu-west-1
Number of SGs: 7
Region: ap-northeast-1
Number of SGs: 1
Region: us-west-1
Number of SGs: 1
Region: us-west-2
Number of SGs: 6
WARNING: Open security group >>> launch-wizard-1 ( sg-5dfde938 )
Proto: tcp Ports: 22 22 Source: [0.0.0.0/0]
WARNING: Open security group >>> gateway-elb ( sg-85111ae0 )
Proto: tcp Ports: 80 80 Source: [0.0.0.0/0]
Region: ap-southeast-1
Number of SGs: 1
Region: ap-southeast-2
Number of SGs: 1
Region: sa-east-1
Number of SGs: 1
Region: eu-central-1
Number of SGs: 1
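As an added example (not part of the original post and not the sg-chkr.py script above), here is the same check written against the JSON that `aws ec2 describe-security-groups` and boto3 return. It goes a little beyond the script: it also flags the IPv6 any-address source ::/0, treats IpProtocol -1 rules (which carry no port range and cover every port) as open, can optionally include egress rules, and discovers regions with DescribeRegions instead of a static list. The rule logic is plain functions over that JSON and is exercised on a constructed sample (SAMPLE_GROUPS, with hypothetical group ids); only scan_account() touches AWS, and it assumes boto3 is installed and the named profile is allowed to call ec2:DescribeRegions and ec2:DescribeSecurityGroups.

```python
#!/usr/bin/env python3
# Added example, not the page's sg-chkr.py: rule logic over the JSON shape that
# `aws ec2 describe-security-groups` / boto3 return, so it runs offline on sample data.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"
EXPECTED_PUBLIC_PORTS = {80, 443}    # usually public on purpose: warn rather than fail

def world_sources(rule):
    """Any-address sources (IPv4 or IPv6) of one IpPermission entry."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") in WORLD_CIDRS]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_CIDRS]
    return v4 + v6

def covers_port(rule, port):
    """True if the entry covers `port`; IpProtocol -1 means all protocols and ports."""
    if rule.get("IpProtocol") == "-1":
        return True
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:  # ICMP type/code wildcards carry no port range
        return False
    return lo <= port <= hi

def classify_rule(rule):
    """None if not world-reachable; 'warning' for a single tcp 80/443 port; else 'fail'."""
    if not world_sources(rule):
        return None
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if rule.get("IpProtocol") == "tcp" and lo == hi and lo in EXPECTED_PUBLIC_PORTS:
        return "warning"
    return "fail"

def find_open_rules(security_groups, include_egress=False):
    """Flatten every world-reachable rule of the given groups into finding dicts."""
    findings = []
    for sg in security_groups:
        directions = [("ingress", sg.get("IpPermissions", []))]
        if include_egress:
            directions.append(("egress", sg.get("IpPermissionsEgress", [])))
        for direction, rules in directions:
            for rule in rules:
                severity = classify_rule(rule)
                if severity is not None:
                    findings.append({"group_id": sg["GroupId"], "group_name": sg.get("GroupName", ""),
                                     "direction": direction, "severity": severity,
                                     "protocol": rule.get("IpProtocol"), "from_port": rule.get("FromPort"),
                                     "to_port": rule.get("ToPort"), "sources": world_sources(rule)})
    return findings

def groups_exposing_port(security_groups, port):
    """Ids of groups whose inbound rules reach `port` from anywhere (22 = SSH, 3306 = MySQL)."""
    return sorted({sg["GroupId"] for sg in security_groups
                   for rule in sg.get("IpPermissions", [])
                   if world_sources(rule) and covers_port(rule, port)})

def scan_account(profile, include_egress=False):
    """find_open_rules() in every region the account can see (needs boto3, network, a profile)."""
    import boto3  # imported here so the offline helpers above work without it
    session = boto3.Session(profile_name=profile)
    ec2 = session.client("ec2", region_name="us-east-1")
    results = {}
    for region in [r["RegionName"] for r in ec2.describe_regions()["Regions"]]:
        groups = []
        for page in session.client("ec2", region_name=region).get_paginator(
                "describe_security_groups").paginate():
            groups.extend(page["SecurityGroups"])
        results[region] = find_open_rules(groups, include_egress)
    return results

# Constructed sample groups (hypothetical ids) in the describe-security-groups shape
SAMPLE_GROUPS = [
    {"GroupId": "sg-example1", "GroupName": "launch-wizard-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example2", "GroupName": "web-elb",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-example3", "GroupName": "internal-db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": [{"GroupId": "sg-example2"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-example4", "GroupName": "wide-open-v6",
     "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "--profile":
        per_region = scan_account(sys.argv[2])
    else:  # no profile given: demonstrate on the constructed sample
        per_region = {"sample": find_open_rules(SAMPLE_GROUPS)}
    for region, findings in sorted(per_region.items()):
        print("Region:", region, "- open rules:", len(findings))
        for f in findings:
            print("  %-7s %s (%s) %s %s %s-%s from %s" % (
                f["severity"].upper(), f["group_name"], f["group_id"], f["direction"],
                f["protocol"], f["from_port"], f["to_port"], ",".join(f["sources"])))
```

Run it with no arguments to see the findings on the sample (sg-example1 on tcp/22 and the IPv6 all-protocols group are failures, the 443-only group is a warning, the group whose source is 10.0.0.0/8 and another security group is not reported), or with --profile user2 to scan a real account. groups_exposing_port(groups, 22) answers the question the output above raises most often: which groups let the whole Internet reach SSH, including groups whose rule is a wide range or protocol -1 rather than a literal port 22 entry.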
Hope this will help you!
Please Remember me in your prayers!
Enjoy :-)