
aws-samples / service-screener-v2


A tool for customers to evaluate their AWS service configurations based on AWS and community best practices and receive recommendations on potential improvements.

License: Apache License 2.0

Python 58.30% CSS 19.42% JavaScript 21.61% HTML 0.67%

service-screener-v2's Introduction

Service Screener

An open source guidance tool for the AWS environment. Click here for sample report.

Disclaimer: The generated report must be hosted locally and MUST NOT be internet accessible.

Overview

Service Screener is a tool that runs automated checks on AWS environments and provides recommendations based on AWS and community best practices.

AWS customers can use this tool on their own environments and use the recommendations to improve the Security, Reliability, Operational Excellence, Performance Efficiency and Cost Optimisation at the service level.

This tool aims to complement the AWS Well Architected Tool.

How does it work?

Service Screener runs in AWS CloudShell, a free service that provides a browser-based shell for running scripts with the AWS CLI. It makes multiple describe and get API calls to determine the configuration of your environment.

How much does it cost?

Running this tool is free as it is covered under the AWS Free Tier. If you have exceeded the free tier limits, each run will cost less than $0.01.

Prerequisites

  1. Please review the DISCLAIMER before proceeding.
  2. You must have an existing AWS Account.
  3. You must have an IAM User with sufficient read permissions. Here is a sample policy. Additionally, the IAM User must also have the following permissions:
     a. AWSCloudShellFullAccess
     b. cloudformation:CreateStack
     c. cloudformation:DeleteStack

Installing service-screener V2

  1. Log in to your AWS account using the IAM User with sufficient permissions described above.
  2. Launch AWS CloudShell in any region.

In the AWS CloudShell terminal, run this script to install the dependencies:

python3 -m venv .
source bin/activate
python3 -m pip install --upgrade pip
rm -rf service-screener-v2
git clone https://github.com/aws-samples/service-screener-v2.git
cd service-screener-v2
pip install -r requirements.txt
alias screener="python3 $(pwd)/main.py"

Using Service Screener

When running Service Screener, you will need to specify the regions and services you would like it to run on. It currently supports Amazon CloudFront, AWS CloudTrail, Amazon DynamoDB, Amazon EC2, Amazon EFS, Amazon RDS, Amazon EKS, Amazon ElastiCache, Amazon GuardDuty, AWS IAM, Amazon OpenSearch, AWS Lambda, and Amazon S3.

We recommend running it in all regions where you have deployed workloads. Adjust the code samples below to suit your needs, then copy and paste them into CloudShell to run Service Screener.

Example 1: Run in the Singapore region, check all services

screener --regions ap-southeast-1 

Example 2: Run in the Singapore region, check only Amazon S3

screener --regions ap-southeast-1 --services s3

Example 3: Run in the Singapore & North Virginia regions, check all services

screener --regions ap-southeast-1,us-east-1

Example 4: Run in the Singapore & North Virginia regions, check RDS and IAM

screener --regions ap-southeast-1,us-east-1 --services rds,iam

Example 5: Run in the Singapore region, filter resources based on tags (e.g: Name=env Values=prod and Name=department Values=hr,coe)

screener --regions ap-southeast-1 --tags env=prod%department=hr,coe

Example 6: Run in all regions and all services

screener --regions ALL
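
How the tag filter in Example 5 can be read, as an added example that is not code from service-screener-v2: `%` separates tag clauses and `,` separates values, as in the command above. The function names are hypothetical, the sample resources are constructed, and the matching rule (every tag name must match, any listed value is accepted, untagged resources are out of scope) is an assumption.

```python
"""Added example: reading a --tags filter such as 'env=prod%department=hr,coe'.

Not code from service-screener-v2. Function names are hypothetical, and the
matching rule (AND across tag names, OR within a name's values) is an assumption.
"""
from typing import Dict, List


def parse_tag_filter(spec: str) -> List[Dict[str, object]]:
    """Turn 'env=prod%department=hr,coe' into Name/Values filter entries."""
    filters: List[Dict[str, object]] = []
    seen = set()
    for clause in spec.split("%"):
        name, sep, raw_values = clause.partition("=")
        name = name.strip()
        values = [v.strip() for v in raw_values.split(",") if v.strip()]
        # Reject malformed clauses instead of silently dropping them: a dropped
        # clause would widen the scan beyond what the operator asked for.
        if not sep or not name or not values:
            raise ValueError(f"malformed tag clause: {clause!r}")
        if name in seen:
            raise ValueError(f"duplicate tag name: {name!r}")
        seen.add(name)
        filters.append({"Name": name, "Values": values})
    return filters


def resource_matches(resource: dict, filters: List[Dict[str, object]]) -> bool:
    """True when the resource carries every filtered tag with an accepted value."""
    if not filters:
        return True  # no filter given: everything is in scope
    # AWS describe calls return tags as [{'Key': ..., 'Value': ...}]; some
    # resources come back with no 'Tags' key at all, so never index it directly.
    tags = {t["Key"]: t["Value"] for t in (resource.get("Tags") or [])}
    return all(tags.get(f["Name"]) in f["Values"] for f in filters)


def select_in_scope(resources: List[dict], spec: str) -> List[str]:
    """Return the Ids of the resources selected by the filter string."""
    filters = parse_tag_filter(spec)
    return [r["Id"] for r in resources if resource_matches(r, filters)]


def _tags(**pairs: str) -> List[Dict[str, str]]:
    return [{"Key": k, "Value": v} for k, v in pairs.items()]


# Constructed sample inventory (not real resources).
RESOURCES = [
    {"Id": "i-constructed-1", "Tags": _tags(env="prod", department="hr")},
    {"Id": "i-constructed-2", "Tags": _tags(env="prod", department="finance")},
    {"Id": "i-constructed-3", "Tags": _tags(env="dev", department="coe")},
    {"Id": "secret-constructed-4"},  # untagged: no 'Tags' key in the response
    {"Id": "i-constructed-5", "Tags": _tags(env="prod", department="coe", owner="x")},
]

if __name__ == "__main__":
    print(parse_tag_filter("env=prod%department=hr,coe"))
    print(select_in_scope(RESOURCES, "env=prod%department=hr,coe"))
```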

Other parameters

##mode
--mode api-full | api-raw | report

# api-full: give full results in JSON format
# api-raw: raw findings
# report: generate default web html

Downloading the report

The output is generated as a ~/service-screener-v2/output.zip file. You can download the file by clicking the Download file button under the Actions menu at the top right of the CloudShell console.


Once downloaded, unzip the file and open 'index.html' in your browser. The report's front page should load.

Ensure that the service(s) you ran the tool on are listed in the left pane. You can navigate to each listed service to see its detailed findings.


Using the report

The report gives you an easy-to-navigate dashboard of the various best-practice checks that were run.

Use the left navigation bar to explore the checks for each service. Expand each check to read the description, find out which resources were highlighted, and get recommendations on how to remediate the findings.

Contributing to service-screener

We encourage public contributions! Please review CONTRIBUTING for details on our code of conduct and development process.

Contact

Please review CONTRIBUTING to raise any issues.

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

Contributors: amazon-auto, cykhoo0108, kuettai, lhtan-dev, sarika-subram


service-screener-v2's Issues

Terminated EC2 causing unhandled errors on _checkEC2SubnetAutoPublicIP

Describe the bug
Terminated EC2 causing unhandled errors on _checkEC2SubnetAutoPublicIP function

To Reproduce
Steps to reproduce the behavior:

  1. Clone Repo
  2. Setup Alias
  3. Run command while EC2 is terminating or terminated

Full commands used to reproduce this bug
e.g: screener --regions ALL --services ec2

Expected behavior
Traceback (most recent call last):
File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/Evaluator.py", line 28, in run
getattr(self, method)()
File "/home/cloudshell-user/sscreenerv2/service-screener-v2/services/ec2/drivers/Ec2Instance.py", line 306, in _checkEC2SubnetAutoPublicIP
results = self.ec2Client.describe_subnets(
File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 530, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 923, in _make_api_call
request_dict = self._convert_to_request_dict(
File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/client.py", line 991, in _convert_to_request_dict
request_dict = self._serializer.serialize_to_request(
File "/home/cloudshell-user/sscreenerv2/lib64/python3.9/site-packages/botocore/validate.py", line 381, in serialize_to_request
raise ParamValidationError(report=report.generate_report())
botocore.exceptions.ParamValidationError: Parameter validation failed:
Invalid type for parameter SubnetIds[0], value: None, type: <class 'NoneType'>, valid types: <class 'str'>

AWS CloudShell (please complete the following information):

  • Region: [e.g. us-east-1]
  • Python version [e.g. 7.2]
  • AWS SDK version (boto3) [e.g. 3.0]
  • Browser (to display output) [e.g. chrome, safari]

Execution Environment (PLEASE FILL THIS UP IF YOU ARE NOT RUNNING THIS IN AWS CLOUDSHELL):

  • Instance type: [e.g. t2.small]
  • OS: [e.g. Linux]
  • EBS volume size [e.g. 20GiB]
  • Region: [e.g. us-east-1]
  • Python version [e.g. 3.8]
  • AWS SDK version (boto3) [e.g. 1.29.3]
  • Browser (to display output) [e.g. chrome, safari]

Additional context
Add any other context about the problem here.

Original submitter: awhitespace

Rule kms::DisabledKey available in reporter, but missing ref

Hi @kuettai. Referring to issue #69, understand that you have addressed it recently but after running the screener again, I received the following error:

RdspageBuilder class not found, using default pageBuilder
EfspageBuilder class not found, using default pageBuilder
S3pageBuilder class not found, using default pageBuilder
Ec2pageBuilder class not found, using default pageBuilder
CloudfrontpageBuilder class not found, using default pageBuilder
ElasticachepageBuilder class not found, using default pageBuilder
LambdapageBuilder class not found, using default pageBuilder
CloudtrailpageBuilder class not found, using default pageBuilder
OpensearchpageBuilder class not found, using default pageBuilder
[__!! WARNING !!__] Rule kms::DisabledKey available in reporter, but missing ref, please submit an issue to github.
KmspageBuilder class not found, using default pageBuilder
Traceback (most recent call last):
  File "/home/ec2-user/service-screener-v2/main.py", line 273, in <module>
    Screener.generateScreenerOutput(runmode, contexts, hasGlobal, regions, uploadToS3, bucket)
  File "/home/ec2-user/service-screener-v2/Screener.py", line 178, in generateScreenerOutput
    pb.buildPage()
  File "/home/ec2-user/service-screener-v2/services/PageBuilder.py", line 68, in buildPage
    output.append(self.buildContentSummary())
  File "/home/ec2-user/service-screener-v2/services/PageBuilder.py", line 89, in buildContentSummary
    return getattr(self, method)()
  File "/home/ec2-user/service-screener-v2/services/PageBuilder.py", line 650, in buildContentSummary_default
    body = self.generateSummaryCardContent(attrs)
  File "/home/ec2-user/service-screener-v2/services/PageBuilder.py", line 202, in generateSummaryCardContent
    if summary['__links']:
KeyError: '__links'

I've pulled from the latest main branch prior to testing. Kindly assist.

Issue running the service screener

Describe the bug
encounter.
[!! WARNING !!] Rule rds::SnapshotTooOld is not available in reporter, please submit an issue to github.

To Reproduce
Steps to reproduce the behavior:

  1. Run the following command
    python3 -m venv .
    source bin/activate
    python3 -m pip install --upgrade pip
    rm -rf service-screener-v2
    git clone https://github.com/aws-samples/service-screener-v2.git
    cd service-screener-v2
    pip install -r requirements.txt
    alias screener="python3 $(pwd)/main.py"
  2. Run service screener
    screener --regions ALL

Full commands used to reproduce this bug
screener --regions ALL

Expected behavior
To be able to generate an output.

Screenshots

PREPARING -- CLOUDFRONT::us-east-1
Skipped runtime version check due to unable to locate runtime option path
... (Lambda) inspecting aws-controltower-NotificationForwarder
... (EBS) inspecting vol-03af1b0988a9ff1a1
Skipped runtime version check due to unable to locate runtime option path
... (Lambda) inspecting cwsyn-influasia-heartbeat-341f6852-5ff8-43a9-9888-223a23842bb6
... (EBS) inspecting vol-0136fc860832f318e
... (EBS) inspecting vol-027f8718245a01a10
Skipped runtime version check due to unable to locate runtime option path
... (Lambda) inspecting ECSScheduler
... (EBS) inspecting vol-0ed44c61609253ee4
... (EBS) inspecting vol-059869a83b59a98bf
Skipped runtime version check due to unable to locate runtime option path
... (Lambda) inspecting ecs-task-scheduler-by-tag
... (EBS::Snapshots) inspecting
Skipped runtime version check due to unable to locate runtime option path
... (ELB::Load Balancer) inspecting wof-load-balancer
... (Lambda) inspecting testingecs
... (ELB::Load Balancer) inspecting ALB-common
Skipped runtime version check due to unable to locate runtime option path
COMPLETED -- LAMBDA::ap-southeast-1 (5.004s)
Unable to capture S3 MFA settings: AccessDenied
Unable to capture S3 Logging settings: AccessDenied
IAM Users scan will be skip, unable to acquire IamCredentialReports
DynamodbpageBuilder class not found, using default pageBuilder
S3pageBuilder class not found, using default pageBuilder
EfspageBuilder class not found, using default pageBuilder
OpensearchpageBuilder class not found, using default pageBuilder
CloudfrontpageBuilder class not found, using default pageBuilder
LambdapageBuilder class not found, using default pageBuilder
CloudtrailpageBuilder class not found, using default pageBuilder
EkspageBuilder class not found, using default pageBuilder

[!! WARNING !!] Rule rds::SnapshotTooOld is not available in reporter, please submit an issue to github.
Traceback (most recent call last):
File "/home/cloudshell-user/service-screener-v2/main.py", line 274, in
Screener.generateScreenerOutput(runmode, contexts, hasGlobal, regions, uploadToS3, bucket)
File "/home/cloudshell-user/service-screener-v2/Screener.py", line 171, in generateScreenerOutput
reporter.process(resultSets).getSummary().getDetails()
File "/home/cloudshell-user/service-screener-v2/services/Reporter.py", line 186, in getSummary
dashboard['CATEGORY'][region][mainCategory][critical] += itemSize
KeyError: 'X'

AWS CloudShell (please complete the following information):

  • Region: us-east-1
  • Python version Python 3.9.1
  • AWS SDK version (boto3) 1.26.165
  • Browser (to display output) chrome

Additional context
Add any other context about the problem here.

Unrecognized arguments --filters

Describe the bug
When I run the latest service screener, getting an error "Screener: error: unrecognized arguments: --filters"

To Reproduce
Steps to reproduce the behavior:

  1. Clone Repo
  2. Setup Alias
  3. Run command

Full commands used to reproduce this bug
screener --regions us-east-1 --filters xxx=xxx

Expected behavior
It should expect the tag name and value

RDS Scanner Unsupported Operand type

Describe the bug
File "/home/cloudshell-user/service-screener-v2/services/Evaluator.py", line 28, in run
getattr(self, method)()
File "/home/cloudshell-user/service-screener-v2/services/rds/drivers/RdsCommon.py", line 401, in _checkOldSnapshots
diff = now - oldest_copy_date
TypeError: unsupported operand type(s) for -: 'datetime.date' and 'datetime.datetime'

To Reproduce
Steps to reproduce the behavior:

  1. Clone Repo
  2. Setup Alias
  3. Run command: screener --regions us-east-1 --services rds

Full commands used to reproduce this bug
e.g: screener --regions ALL --services rds,iam,ec2
screener --regions us-east-1 --services rds

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

AWS CloudShell (please complete the following information):

  • Region: [e.g. us-east-1] us-east-1
  • Python version [e.g. 7.2] Python 3.9.16
  • AWS SDK version (boto3) [e.g. 3.0]
  • Browser (to display output) [e.g. chrome, safari]

Text tags error

Describe the bug
In the main screen, "Cost Optimisation" and "Performance Efficieny" are shown, and there's one typo in each one

To Reproduce
Steps to reproduce the behavior:
open a generated report.

Expected behavior
A clear and concise description of what you expected to happen.
"Cost Optimization" and "Performance Efficiency" is the correct text

Screenshots
If applicable, add screenshots to help explain your problem.

AWS CloudShell (please complete the following information):

  • Region: [e.g. us-east-1]
  • PHP version [e.g. 7.2]
  • AWS SDK version [e.g. 3.0]
  • Browser (to display output) [e.g. chrome, safari]

AWS Cloud9 (please complete the following information):

  • Instance type: [e.g. t2.small]
  • OS: [e.g. Linux]
  • EBS volume size [e.g. 20GiB]
  • Region: [e.g. us-east-1]
  • PHP version [e.g. 7.2]
  • AWS SDK version [e.g. 3.0]
  • Browser (to display output) [e.g. chrome, safari]

Desktop (please complete the following information):

  • OS: [e.g. Linux]
  • Version [e.g. 22]
  • PHP version [e.g. 7.2]
  • AWS SDK version [e.g. 3.0]
  • Browser (to display output) [e.g. chrome, safari]

Additional context
Add any other context about the problem here.

screener-v2 throws error when inspecting certain cloudfront distribution, S3 bucket

Describe the bug
screener-v2 throws error when inspecting certain cloudfront distribution, S3 bucket

To Reproduce

  • Run main.py and specify any region

Error
... (S3Bucket) inspecting XXXXX
Traceback (most recent call last):
  File "/home/cloudshell-user/screenerv2/service-screener-v2/services/Evaluator.py", line 27, in run
    getattr(self, method)()
  File "/home/cloudshell-user/screenerv2/service-screener-v2/services/lambda_/drivers/LambdaCommon.py", line 180, in _check_runtime
    runtime = self.lambda_['Runtime']
KeyError: 'Runtime

... (CloudFront::Distribution) inspecting XXX
Traceback (most recent call last):
  File "/home/cloudshell-user/screenerv2/service-screener-v2/services/Evaluator.py", line 27, in run
    getattr(self, method)()
  File "/home/cloudshell-user/screenerv2/service-screener-v2/services/lambda_/drivers/LambdaCommon.py", line 180, in _check_runtime
    runtime = self.lambda_['Runtime']
KeyError: 'Runtime'

AWS CloudShell (please complete the following information):

  • Region: ap-southeast-1

__fork directory creation missing leads to error

Describe the bug
When I run the screener command:

screener --regions ap-southeast-1

The system reports an error due to a missing __fork directory

To Reproduce
Steps to reproduce the behaviour:

  1. Set up a new CloudShell in ap-southeast-1
  2. Install screener with the following commands
python3 -m venv .
source bin/activate
python3 -m pip install --upgrade pip
rm -rf service-screener-v2
git clone https://github.com/aws-samples/service-screener-v2.git
cd service-screener-v2
pip install -r requirements.txt
alias screener="python3 $(pwd)/main.py"
  3. Received error due to missing __fork directory
(cloudshell-user) [cloudshell-user@ip-10-6-21-223 service-screener-v2]$ screener --regions ap-southeast-1 
 -- Acquiring identify info...
[info] Empty CF stacked created successfully, name:ssv2-3fb1fb9ff47d
Traceback (most recent call last):
  File "/home/cloudshell-user/service-screener-v2/main.py", line 102, in <module>
    files_in_directory = os.listdir(directory)
FileNotFoundError: [Errno 2] No such file or directory: '__fork'
(cloudshell-user) [cloudshell-user@ip-10-6-21-223 service-screener-v2]$ 
  4. Manually creating the __fork directory allows the program to proceed, but it eventually aborts with the following error:
COMPLETED -- IAM::ap-southeast-1 (52.748s)
Total Resources scanned: 51.00 | No. Rules executed: 236.00
Time consumed (seconds): 52.92
CloudtrailpageBuilder class not found, using default pageBuilder
IampageBuilder class not found, using default pageBuilder
Ec2pageBuilder class not found, using default pageBuilder
S3pageBuilder class not found, using default pageBuilder
DynamodbpageBuilder class not found, using default pageBuilder
ElasticachepageBuilder class not found, using default pageBuilder
RdspageBuilder class not found, using default pageBuilder
<S3AccountPublicAccessBlock> not exists in cloudfront.reporter.json
<S3AccountPublicAccessBlock> not exists in cloudfront.reporter.json
Traceback (most recent call last):
  File "/home/cloudshell-user/service-screener-v2/main.py", line 194, in <module>
    Screener.generateScreenerOutput(runmode, contexts, hasGlobal, regions, uploadToS3, bucket)
  File "/home/cloudshell-user/service-screener-v2/Screener.py", line 149, in generateScreenerOutput
    reporter.process(resultSets).getSummary().getDetails()
  File "/home/cloudshell-user/service-screener-v2/services/Reporter.py", line 157, in getSummary
    dashboard['MAP'][self.service][critical] += itemSize
KeyError: 'X'

Expected behavior
I expect the necessary directory to be created, and for the program to run correctly in order to generate the report

Screenshots
If applicable, add screenshots to help explain your problem.

AWS CloudShell (please complete the following information):

  • Region: [e.g. us-east-1]
  • PHP version [e.g. 7.2]
  • AWS SDK version [e.g. 3.0]
  • Browser (to display output) [e.g. chrome, safari]

AWS Cloud9 (please complete the following information):

  • Instance type: [e.g. t2.small]
  • OS: [e.g. Linux]
  • EBS volume size [e.g. 20GiB]
  • Region: [e.g. us-east-1]
  • PHP version [e.g. 7.2]
  • AWS SDK version [e.g. 3.0]
  • Browser (to display output) [e.g. chrome, safari]

Desktop (please complete the following information):

  • OS: [e.g. Linux]
  • Version [e.g. 22]
  • PHP version [e.g. 7.2]
  • AWS SDK version [e.g. 3.0]
  • Browser (to display output) [e.g. chrome, safari]

Additional context
Add any other context about the problem here.

Scan the resources based on list of tags

Pick a category

  • [] New Features (e.g: new parameter, new filter, new page)

Is your feature request related to a problem? Please describe.
No, we have a shared account, we would like to scan the specific resources based on tags

Describe the solution you'd like
While running the tool, we would like to pass the list of tags parameter and the tool should scan only the resources mentioned in the tags

Describe alternatives you've considered
Not really

Unable to generate report

Describe the bug
screener-v2 throws error after completing inspecting and exits

To Reproduce
Steps to reproduce the behavior:

  1. Run main.py as described with region parameter and output parameter set to report
  2. Error thrown
  3. <EnableCloudTrailLogging> not exists in cloudtrail.reporter.json
     <EnableCloudTrailLogging> not exists in cloudtrail.reporter.json
     Traceback (most recent call last):
       File "main.py", line 165, in <module>
         Screener.generateScreenerOutput(runmode, contexts, hasGlobal, regions, uploadToS3, bucket)
       File "/home/cloudshell-user/screenerv2/service-screener-v2/Screener.py", line 136, in generateScreenerOutput
         reporter.process(resultSets).getSummary().getDetails()
       File "/home/cloudshell-user/screenerv2/service-screener-v2/services/Reporter.py", line 157, in getSummary
         dashboard['MAP'][self.service][critical] += itemSize
     KeyError: 'X

Expected behavior
A clear and concise description of what you expected to happen.

AWS CloudShell (please complete the following information):

  • Region: ap-southeast-1

DeprecatedSSLProtocolSecurity Inaccurate

[DeprecatedSSLProtocolSecurity - Your CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. Avoid using SSLv3 in your CloudFront distributions.]

This was flagged although the CloudFront distribution origin is using HTTP instead of HTTPS.

Rule kms::DisabledKey is not available in reporter

Ran the report from central account with cross account enabled. The script stopped when this error occurred. Region is ap-southeast-1.

[__!! WARNING !!__] Rule kms::DisabledKey is not available in reporter, please submit an issue to github.
Traceback (most recent call last):
  File "/home/cloudshell-user/service-screener-v2/main.py", line 274, in <module>
    Screener.generateScreenerOutput(runmode, contexts, hasGlobal, regions, uploadToS3, bucket)
  File "/home/cloudshell-user/service-screener-v2/Screener.py", line 171, in generateScreenerOutput
    reporter.process(resultSets).getSummary().getDetails()
  File "/home/cloudshell-user/service-screener-v2/services/Reporter.py", line 186, in getSummary
    dashboard['CATEGORY'][region][mainCategory][critical] += itemSize
KeyError: 'X'

Please assist.

Error when inspecting container-based lambda

Describe the bug
Screener throws error when inspecting container-based lambda

To Reproduce
Steps to reproduce the behavior:

  1. Run screener against container-based lambda

Errors reported:
... (Lambda) inspecting XXXXX
InvalidParameterValueException Code signing is not supported for functions created with container images.
Traceback (most recent call last):
  File "/home/cloudshell-user/screenerv2/service-screener-v2/services/Evaluator.py", line 27, in run
    getattr(self, method)()
  File "/home/cloudshell-user/screenerv2/service-screener-v2/services/lambda_/drivers/LambdaCommon.py", line 112, in _check_code_signing_disabled
    FunctionName=self.function_name
  File "/home/cloudshell-user/screenerv2/lib64/python3.7/site-packages/botocore/client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/cloudshell-user/screenerv2/lib64/python3.7/site-packages/botocore/client.py", line 964, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.InvalidParameterValueException: An error occurred (InvalidParameterValueException) when calling the GetFunctionCodeSigningConfig operation: Code signing is not supported for functions created with container images.

Expected behavior
Skip if unable to inspect with an Info or Error message?

AWS CloudShell (please complete the following information):

  • Region: ap-southeast-1

Additional context
Add any other context about the problem here.

Multiprocessing error

Describe the bug
Multiprocessing error

To Reproduce
Steps to reproduce the behavior:

  1. Clone Repo
  2. Setup Alias
  3. Run command

Expected behavior
Execute without any errors

AWS CloudShell (please complete the following information):

  • Region: us-east-1

Additional context
[!! WARNING !!] Unable to describe the CUR report. It is likely that this account is part of AWS Organizations
multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
result = (True, func(*args, **kwds))
File "/usr/lib64/python3.9/multiprocessing/pool.py", line 51, in starmapstar
return list(itertools.starmap(args[0], args[1]))
File "/home/cloudshell-user/service-screener-v2/Screener.py", line 77, in scanByService
contexts[service[0]][region] = serv.advise()
File "/home/cloudshell-user/service-screener-v2/services/rds/Rds.py", line 159, in advise
self.getSecrets()
File "/home/cloudshell-user/service-screener-v2/services/rds/Rds.py", line 88, in getSecrets
self.registerSecrets(results)
File "/home/cloudshell-user/service-screener-v2/services/rds/Rds.py", line 101, in registerSecrets
if self.resourceHasTags(secret['Tags']) == False:
KeyError: 'Tags'
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/home/cloudshell-user/service-screener-v2/main.py", line 194, in
pool.starmap(Screener.scanByService, input_ranges)
File "/usr/lib64/python3.9/multiprocessing/pool.py", line 372, in starmap
return self._map_async(func, iterable, starmapstar, chunksize).get()
File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
raise self._value
KeyError: 'Tags'

AttributeError: Module 'os' has no attribute 'move'

Describe the bug
Module 'os' has no attribute 'move' error. No output.zip file created after screener completes run.

To Reproduce
Steps to reproduce the behavior:

  1. Run script to install dependencies in CloudShell
  2. screener --regions ap-southeast-1

Expected behavior
output.zip file is created

AWS CloudShell (please complete the following information):

  • Region: ap-southeast-1
  • PHP version [e.g. 7.2]
  • AWS SDK version: aws-cli/2.13.21 Python/3.11.5 Linux/4.14.255-322-265.538.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off
  • Browser (to display output): Chrome

Error when using in All Region

Describe the bug
Error when using ALL Region Parameter

To Reproduce
Steps to reproduce the behavior:
python3 -m venv .
source bin/activate
python3 -m pip install --upgrade pip
rm -rf service-screener-v2
git clone https://github.com/aws-samples/service-screener-v2.git
cd service-screener-v2
pip install -r requirements.txt
alias screener="python3 $(pwd)/main.py"
screener --regions ALL

Full commands used to reproduce this bug
screener --regions ALL

Expected behavior
output.zip

Screenshots
COMPLETED -- S3::us-west-2 (11.197s)
multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
File "/usr/lib64/python3.9/multiprocessing/pool.py", line 125, in worker
result = (True, func(*args, **kwds))
File "/usr/lib64/python3.9/multiprocessing/pool.py", line 51, in starmapstar
return list(itertools.starmap(args[0], args[1]))
File "/home/cloudshell-user/service-screener-v2/Screener.py", line 97, in scanByService
json.dump(contexts[service[0]], f)
File "/usr/lib64/python3.9/json/__init__.py", line 179, in dump
for chunk in iterable:
File "/usr/lib64/python3.9/json/encoder.py", line 431, in _iterencode
yield from _iterencode_dict(o, _current_indent_level)
File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
yield from chunks
File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
yield from chunks
File "/usr/lib64/python3.9/json/encoder.py", line 405, in _iterencode_dict
yield from chunks
File "/usr/lib64/python3.9/json/encoder.py", line 325, in _iterencode_list
yield from chunks
File "/usr/lib64/python3.9/json/encoder.py", line 438, in _iterencode
o = _default(o)
File "/usr/lib64/python3.9/json/encoder.py", line 179, in default
raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type datetime is not JSON serializable
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/home/cloudshell-user/service-screener-v2/main.py", line 195, in
pool.starmap(Screener.scanByService, input_ranges)
File "/usr/lib64/python3.9/multiprocessing/pool.py", line 372, in starmap
return self._map_async(func, iterable, starmapstar, chunksize).get()
File "/usr/lib64/python3.9/multiprocessing/pool.py", line 771, in get
raise self._value
TypeError: Object of type datetime is not JSON serializable

AWS CloudShell (please complete the following information):

  • Region: [ap-southeast-1]
  • Python version [e3.9]

Execution Environment (PLEASE FILL THIS UP IF YOU ARE NOT RUNNING THIS IN AWS CLOUDSHELL):

  • Instance type: CLOUDSHELL
  • OS: [Linux]
  • Region: [e.g. ap-southeast-1]
  • Python version [e.g. 3.9]
  • Browser (to display output) [e.g. chrome, edge]

EFS Policy Not Found Error

Describe the bug
Error prompt when inspecting EFS

Expected behavior
EFS with disabled "Automatic backups", thus "policy not found" prompted.

Error Captured
... (EFS) inspecting fs-090404821061821eb
PolicyNotFound None
Traceback (most recent call last):
File "/home/cloudshell-user/service-screener-v2/services/Evaluator.py", line 46, in run
getattr(self, method)()
File "/home/cloudshell-user/service-screener-v2/services/efs/drivers/EfsDriver.py", line 32, in _checkBackupPolicy
backup = self.efs_client.describe_backup_policy(
File "/home/cloudshell-user/lib64/python3.9/site-packages/botocore/client.py", line 530, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/home/cloudshell-user/lib64/python3.9/site-packages/botocore/client.py", line 964, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.PolicyNotFound: An error occurred (PolicyNotFound) when calling the DescribeBackupPolicy operation: None

enableGuardDuty finding labelled wrongly as Cost Optimization pillar

Describe the bug
A clear and concise description of what the bug is.
EnableGuardDuty finding is labelled Cost Optimization instead of Security

Expected behavior
A clear and concise description of what you expected to happen.
Should be Security finding
