nccgroup / scout2

Security auditing tool for AWS environments

Home Page: http://nccgroup.github.io/Scout2/

License: GNU General Public License v2.0

Python 57.89% JavaScript 8.86% CSS 0.65% HTML 32.60%
aws security

scout2's Introduction

AWS Scout2

AWS Scout2 is no longer under development. The latest (and final) version of Scout2 can be found in https://github.com/nccgroup/Scout2/releases and https://pypi.org/project/AWSScout2.

The project has migrated to https://github.com/nccgroup/ScoutSuite.

Description

Scout2 is a security tool that lets AWS administrators assess their environment's security posture. Using the AWS API, Scout2 gathers configuration data for manual inspection and highlights high-risk areas automatically. Rather than poring through dozens of pages on the web console, Scout2 supplies a clear view of the attack surface automatically.

Note: Scout2 is stable and actively maintained, but a number of features and internals may change. As such, please bear with us as we find time to work on, and improve, the tool. Feel free to report a bug with details (e.g. console output using the "--debug" argument), request a new feature, or send a pull request.

Installation

Install via pip:

$ pip install awsscout2

Install from source:

$ git clone https://github.com/nccgroup/Scout2
$ cd Scout2
$ pip install -r requirements.txt
$ python setup.py install

Requirements

Computing resources

Scout2 is a multi-threaded tool that fetches and stores your AWS account's configuration settings in memory during runtime. It is expected that the tool will run with no issues on any modern laptop or equivalent VM. Running Scout2 in a VM with limited computing resources such as a t2.micro instance is not intended and will likely result in the process being killed.

Python

Scout2 is written in Python and supports the following versions:

  • 2.7
  • 3.3
  • 3.4
  • 3.5
  • 3.6

AWS Credentials

To run Scout2, you will need valid AWS credentials (e.g. an Access Key ID and Secret Access Key). The role, or user account, associated with these credentials requires read-only access to all resources in a number of services, including but not limited to CloudTrail, EC2, IAM, RDS, Redshift, and S3.

The following AWS Managed Policies can be attached to the principal in order to grant necessary permissions:

  • ReadOnlyAccess
  • SecurityAudit

Compliance with AWS' Acceptable Use Policy

Use of Scout2 does not require AWS users to complete and submit the AWS Vulnerability / Penetration Testing Request Form. Scout2 only performs AWS API calls to fetch configuration data and identify security gaps, which is not considered security scanning as it does not impact AWS' network and applications.

Usage

After performing a number of AWS API calls, Scout2 will create a local HTML report and open it in the default browser.

On a computer already configured to use the AWS CLI, boto3, or another AWS SDK, you may run Scout2 with the following command:

$ Scout2

Note: EC2 instances with an IAM role fit in this category.

If multiple profiles are configured in your .aws/credentials and .aws/config files, you may specify which credentials to use with the following command:

$ Scout2 --profile <PROFILE_NAME>

If you have a CSV file containing the API access key ID and secret, you may run Scout2 with the following command:

$ Scout2 --csv-credentials <CREDENTIALS.CSV>

Advanced documentation

The following command will provide the list of available command line options:

$ Scout2 --help

For further details, check out our Wiki pages at https://github.com/nccgroup/Scout2/wiki.

License

GPLv2: See LICENSE.

scout2's People

Contributors

agrant-isec, bhollemb, blt04, dafyddcrosby, franco-bb, jijojv, l01cd3v, mtchavez, nycnewman, robemmerson, sharmaansh21, technion, x4v13r64

scout2's Issues

Security groups in rules should use names, not descriptions

In the security groups view, rules that reference other security groups seem to use descriptions rather than names, which isn't very useful unless you actually have it filled in. The name is required on security groups and is likely to be descriptive.

"Root account used recently" is flagged but No information displayed.

Hello

With the last version (git clone 02/22/2016 13h00 PM), the "IAM DASHBOARD" is flagged but no information is displayed.

Is this normal?

My "aws_config.js" file:

{"checked_items": 1, "dashboard_name": "Root account", "description": "Root account used recently", "entities": "iam.credential_report.<root_account>", "flagged_items": 1, "items": ["iam.credential_report.<root_account>"], "level": "danger", "service": "iam"}

Unused security groups

All of our security groups are showing as unused even though it shows the running instances.

Here is an example:

Usage
Ec2 Instances: Running 6
This group is not used by either EC2, RDS, or Redshift.

Fail to Display "User without MFA"

Hello

With the latest release of SCOUT2 v2.0.0rc4, the item "User without MFA" is incorrect.
The item is "green", as if all my users had an MFA device enabled. However, I have a few users with no MFA device.
I tried with boto3 "1.2.3" and the latest release "1.3.1"; no change.

Thanks for your work.

Analyzing EC2 data issue...

I'm using dev branch.

I'm running Scout against one of the environments:
$ python Scout2.py --env company-services --csv-credentials /tmp/sys-monitoring-credentials-company-services.csv

And getting this:

Fetching IAM credential report...
Analyzing EC2 data...
Traceback (most recent call last):
  File "Scout2.py", line 197, in <module>
    sys.exit(main(args))
  File "Scout2.py", line 124, in main
    method(aws_config['services'][service], aws_config['account_id'], args.force_write)
  File "/home/myuser/scout_dev/dev-listall/AWSScout2/utils_ec2.py", line 21, in analyze_ec2_config
    link_elastic_ips(ec2_info)
  File "/home/myuser/scout_dev/dev-listall/AWSScout2/utils_ec2.py", line 78, in link_elastic_ips
    go_to_and_do(ec2_config, None, ['regions', 'elastic_ips'], None, link_elastic_ips_callback1, {})
  File "/home/myuser/scout_dev/dev-listall/AWSScout2/utils.py", line 140, in go_to_and_do
    go_to_and_do(aws_config, current_config[key][value], copy.deepcopy(path), tmp, callback, callback_args)
  File "/home/myuser/scout_dev/dev-listall/AWSScout2/utils.py", line 132, in go_to_and_do
    callback(aws_config, current_config[key][value], path, current_path, value, callback_args)
  File "/home/myuser/scout_dev/dev-listall/AWSScout2/utils_ec2.py", line 84, in link_elastic_ips_callback1
    go_to_and_do(ec2_config, None, ['regions', 'vpcs', 'instances'], None, link_elastic_ips_callback2, {'instance_id': instance_id, 'elastic_ip': elastic_ip})
  File "/home/myuser/scout_dev/dev-listall/AWSScout2/utils.py", line 140, in go_to_and_do
    go_to_and_do(aws_config, current_config[key][value], copy.deepcopy(path), tmp, callback, callback_args)
  File "/home/myuser/scout_dev/dev-listall/AWSScout2/utils.py", line 140, in go_to_and_do
    go_to_and_do(aws_config, current_config[key][value], copy.deepcopy(path), tmp, callback, callback_args)
  File "/home/myuser/scout_dev/dev-listall/AWSScout2/utils.py", line 132, in go_to_and_do
    callback(aws_config, current_config[key][value], path, current_path, value, callback_args)
  File "/home/myuser/scout_dev/dev-listall/AWSScout2/utils_ec2.py", line 91, in link_elastic_ips_callback2
    printInfo('Warning: public IP address exists (%s) for an instance associated with an elastic IP (%s)' % (ec2_info['regions'][r]['vpcs'][v]['instances'][i]['PublicIpAddress'], eip))
NameError: global name 'ec2_info' is not defined

Can you please look into this error?

check_for_duplicate(rds_info) issue

Hello,

I'm getting errors when "Analyzing RDS data...":

Analyzing RDS data...
'datetime.datetime' object has no attribute 'read'
Traceback (most recent call last):
  File "Scout2.py", line 195, in <module>
    sys.exit(main(args))
  File "Scout2.py", line 121, in main
    method(aws_config['services'][service], aws_config['account_id'], args.force_write)
  File "/home/username/scout/Scout2/AWSScout2/utils_rds.py", line 22, in analyze_rds_config
    check_for_duplicate(rds_info)
  File "/home/username/scout/Scout2/AWSScout2/utils_rds.py", line 26, in check_for_duplicate
    if 'short-backup-retention-period' in rds_info['violations']:
KeyError: 'violations'

Commenting out check_for_duplicate(rds_info) in /home/username/scout/Scout2/AWSScout2/utils_rds.py does the trick, but this needs to be fixed.

Thank you.

Missing regions in AP

Hi, there are a couple of AP regions missing: Seoul and Mumbai. Just wondering if there is an AWS API to list regions so that future new regions aren't missed?

Mike

CSV Credential Parsing

When creating a CREDENTIALS.CSV and leaving off the (,MFA Serial) field, the script generates the following error:

Traceback (most recent call last):
  File "Scout2.py", line 219, in <module>
    main(args)
  File "Scout2.py", line 39, in main
    key_id, secret, mfa_serial = fetch_creds_from_csv(args.fetch_creds_from_csv[0])
  File "/Scout2/AWSScout2/utils.py", line 208, in fetch_creds_from_csv
    return key_id.rstrip(), secret.rstrip(), mfa_serial
AttributeError: 'NoneType' object has no attribute 'rstrip'

Did further testing w/ API credentials downloaded directly from AWS and got the same errors as above.
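The traceback above ends in `rstrip()` being called on `None`, which is what happens when the optional MFA serial column is absent. As an added example (not the project's code), the parser below reads the same kind of credentials CSV and treats the MFA column as optional; the header names and the two sample files are constructed here, so a real export may differ in header spelling, which is why the lookup normalises header names.

```python
import csv
import io

# Constructed sample files in the shape of a console "credentials.csv" export:
# one with the optional MFA Serial column, one without it.
CSV_WITH_MFA = (
    "User Name,Access Key Id,Secret Access Key,MFA Serial\n"
    "audit-user,AKIAEXAMPLEKEYID0000,EXAMPLESECRETKEYvalue0000000000000000000,"
    "arn:aws:iam::123456789012:mfa/audit-user\n"
)
CSV_WITHOUT_MFA = (
    "User Name,Access Key Id,Secret Access Key\n"
    "audit-user,AKIAEXAMPLEKEYID0000,EXAMPLESECRETKEYvalue0000000000000000000\n"
)


def parse_credentials_csv(text):
    """Return (key_id, secret, mfa_serial) from a credentials CSV.

    mfa_serial is None when the column is missing or empty. Every value is
    stripped so a trailing newline cannot leak into the secret, and a missing
    required column raises ValueError instead of failing later on None.
    """
    reader = csv.DictReader(io.StringIO(text))
    row = next(reader, None)
    if row is None:
        raise ValueError("credentials CSV has no data row")
    # Match headers case-insensitively and ignoring spaces ("Access Key Id",
    # "Access key ID" and "AccessKeyId" all map to the same key). Extra
    # unnamed columns (DictReader key None) are ignored.
    norm = {
        k.strip().lower().replace(" ", ""): (v or "").strip()
        for k, v in row.items()
        if k
    }
    key_id = norm.get("accesskeyid")
    secret = norm.get("secretaccesskey")
    if not key_id or not secret:
        raise ValueError("credentials CSV must contain 'Access Key Id' and 'Secret Access Key'")
    mfa_serial = norm.get("mfaserial") or None
    return key_id, secret, mfa_serial


if __name__ == "__main__":
    for sample in (CSV_WITH_MFA, CSV_WITHOUT_MFA):
        key_id, _, mfa = parse_credentials_csv(sample)
        print("key id %s, MFA serial %s" % (key_id, mfa or "(none)"))
```

Because the secret is returned to the caller rather than printed, the usual handling advice applies: keep it in memory only as long as the session needs it, and never log the tuple.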

Issue analyzing S3 ACLs

When you use the --check-s3-acls option, the Python code produces a failure message:

handle_truncated_response() takes exactly 4 arguments (3 given)
Failed to get config for

This also occurs in the latest V2 rc0 version.

Lack of key rotation false positive

While using Scout2 I noticed that it reported that all my users lacked key rotation. I began to dig a little, and it seems that the conditions that trigger this warning are:

  • account being active
  • the date difference between today's date and the date of the creation of the last key is higher than 90 days

However for one specific user I had this info:

Information
Creation date: 2016-02-16 00:30:42+00:00
(...)
Access Keys: 1
<key-ID-here>, Active, created on 2016-02-17 00:09:33+00:00

I ran the script on February 25th and Scout2 still reported this user as lacking key rotation.

It seems to be a bug, however I checked the code on ListAll.py file and the check between the dates seems to be correct, so I couldn't pinpoint the problem...

Is this a bug?

Thanks
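The report describes the rule as "key is active and is more than 90 days old". As an added example (not the project's ListAll.py or rule code), the check below implements exactly that rule over an IAM credential report. The report here is a constructed subset of the real CSV (only the user and access-key columns, which do exist in the real report with these names); the first user mirrors the dates quoted in the report above so you can confirm that a key created on 2016-02-17 is not flagged on 2016-02-25. Inactive keys and absent keys (value "N/A") are skipped, since neither is a rotation finding.

```python
import csv
import io
from datetime import datetime, timezone

ROTATION_MAX_AGE_DAYS = 90

# Constructed subset of an IAM credential report. The real report has many
# more columns; the ones used here carry their real names and value formats
# (ISO 8601 timestamps or "N/A" when the key slot is unused).
SAMPLE_REPORT = (
    "user,access_key_1_active,access_key_1_last_rotated,"
    "access_key_2_active,access_key_2_last_rotated\n"
    "fresh-user,true,2016-02-17T00:09:33+00:00,false,N/A\n"
    "stale-user,true,2015-10-01T12:00:00+00:00,false,N/A\n"
    "inactive-old,false,2015-01-01T00:00:00+00:00,false,N/A\n"
    "two-keys,true,2016-02-20T00:00:00+00:00,true,2015-06-01T00:00:00+00:00\n"
)


def parse_timestamp(value):
    """Parse a credential-report timestamp; None for unused/unknown slots."""
    if value in ("N/A", "no_information", "", None):
        return None
    return datetime.fromisoformat(value)


def keys_lacking_rotation(report_text, now, max_age_days=ROTATION_MAX_AGE_DAYS):
    """Return (user, key_slot, age_days) for every active key older than max_age_days.

    `now` must be timezone-aware so it can be compared with the report's UTC
    timestamps. Only active keys are considered, so disabling an old key
    clears the finding; rotating it (new last_rotated date) clears it too.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        for slot in ("1", "2"):
            active = row.get("access_key_%s_active" % slot, "false").lower() == "true"
            rotated = parse_timestamp(row.get("access_key_%s_last_rotated" % slot))
            if not active or rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days > max_age_days:
                findings.append((row["user"], slot, age_days))
    return findings


if __name__ == "__main__":
    run_date = datetime(2016, 2, 25, tzinfo=timezone.utc)  # constructed run date
    for user, slot, age in keys_lacking_rotation(SAMPLE_REPORT, run_date):
        print("%s: access key %s is %d days old" % (user, slot, age))
```

Run against the constructed report on 2016-02-25, only "stale-user" (key 1) and "two-keys" (key 2) are reported; "fresh-user" is eight days old and "inactive-old" is skipped because its key is inactive. If a tool flags a user like "fresh-user", the bug is somewhere other than the date arithmetic shown here, for instance in which date field is being compared.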

EC2 ELB page display no instances/ VPC / DNS / Security groups / Subnet

Hello
The EC2 ELB page displays no instances / VPC / DNS / security groups / subnet.
And when I click on the ELB on the left, the dedicated configuration disappears.
When the view "show all" is selected, the blue buttons do not display instances, "security groups" and subnets.

Last git clone and install requirement 19/10/2015.

thanks

Unrestricted traffic tagged when opening all ports for same security groups

https://github.com/nccgroup/Scout2/blob/master/rules/ec2-security-group-opens-all-ports-to-self.json#L8 tags the rule with "Unrestricted Network Traffic within security group" when all ports for TCP and UDP are open from instances in the same security group.

I might be missing something here, but I am unable to understand why it is considered a "level:danger" problem when the network is actually restricted to instances belonging to the same security group. I would appreciate it if you guys could help me understand this if I am missing a point.

Thanks in advance.
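For readers who want to see what the rule named above actually matches, here is an added example (not the project's rule engine or its JSON) that finds security-group permissions allowing every port from the group itself. The input is a constructed list shaped like a subset of EC2 DescribeSecurityGroups output; the group IDs are made up. The check also treats protocol "-1" (all protocols) as covering all ports, since such a rule is a superset of the TCP/UDP case.

```python
ALL_PORTS = (0, 65535)

# Constructed sample in the shape of DescribeSecurityGroups output (subset of
# fields). "sg-0000self" allows all TCP and UDP from itself; "sg-0000web"
# allows all ports from a *different* group, which is not a self-reference;
# "sg-0000any" allows all protocols from itself.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000self",
        "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "UserIdGroupPairs": [{"GroupId": "sg-0000self"}], "IpRanges": []},
            {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535,
             "UserIdGroupPairs": [{"GroupId": "sg-0000self"}], "IpRanges": []},
        ],
    },
    {
        "GroupId": "sg-0000web",
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "UserIdGroupPairs": [{"GroupId": "sg-0000self"}], "IpRanges": []},
        ],
    },
    {
        "GroupId": "sg-0000any",
        "GroupName": "legacy",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "UserIdGroupPairs": [{"GroupId": "sg-0000any"}], "IpRanges": []},
        ],
    },
]


def opens_all_ports(perm):
    """True when a permission entry covers every port of its protocol."""
    if perm.get("IpProtocol") == "-1":
        return True  # all protocols: FromPort/ToPort are absent and all ports are implied
    return (perm.get("FromPort"), perm.get("ToPort")) == ALL_PORTS


def self_referencing_all_ports(groups):
    """Return (group_id, protocol) for each rule that opens all ports to the group itself."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not opens_all_ports(perm):
                continue
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == group["GroupId"]:
                    findings.append((group["GroupId"], perm["IpProtocol"]))
    return findings


if __name__ == "__main__":
    for group_id, proto in self_referencing_all_ports(SAMPLE_GROUPS):
        print("%s opens all %s ports to members of itself" % (group_id, proto))
```

The matching logic is the whole of what the rule decides; the severity it is tagged with is a judgement recorded in the rule's JSON, and the way to change it for your environment is to adjust that level in a local copy of the ruleset rather than to alter the match.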

Filters dropdown in report.html not populated

Is the filters feature in the browser interface expected to be functional? It looks like the Handlebars template isn't getting populated in my instance.

Here are two screenshots. One shows the working "Regions" dropdown, the other the result of trying to open the "Filters" dropdown. In the latter case, a little bit of what appears to be an empty dropdown appears just below the navbar.

New opinel version 0.14 is broken

Hello,

I'm deploying Scout2 App every morning in my AWS instance (as it is brought down during night time).
During deployment the script re-installs all Scout2 requirements:
/usr/bin/pip install -r /tmp/requirements.txt

$ cat requirements.txt
boto3>=1.1.0
requests>=2.4.0
python-dateutil>=2.2
netaddr>=0.7.11
opinel>=0.13.0

But this morning I got this during the Scout2 run:

Traceback (most recent call last):
  File "/app/securitytools/scout2/Scout2.py", line 21, in <module>
    from AWSScout2.utils_ec2 import *
  File "/app/securitytools/scout2/AWSScout2/utils_ec2.py", line 4, in <module>
    from opinel.protocols_dict import *
ImportError: No module named protocols_dict

So I had to go and download opinel v0.13, install it, and everything went fine.

Looks like opinel ver. 0.14 is broken.

Can you please have a look into that?

Cheers,
Leon

Fails When Analyzing VPCs

git pull is up-to-date.

Analyzing VPC config...
Traceback (most recent call last):
  File "./Scout2.py", line 237, in <module>
    sys.exit(main(args))
  File "./Scout2.py", line 125, in main
    analyze_vpc_config(aws_config, args.ip_ranges, args.ip_ranges_key_name)
  File "/Users/travis.schack/Documents/Code/Python/Scout2/AWSScout2/utils_vpc.py", line 20, in analyze_vpc_config
    go_to_and_do(aws_config, aws_config['services']['ec2'], ['regions', 'vpcs', 'elbs'], ['services', 'ec2'], list_resources_in_security_group, callback_args)
  File "/Users/travis.schack/Documents/Code/Python/Scout2/AWSScout2/utils.py", line 155, in go_to_and_do
    go_to_and_do(aws_config, current_config[key][value], copy.deepcopy(path), tmp, callback, callback_args)
  File "/Users/travis.schack/Documents/Code/Python/Scout2/AWSScout2/utils.py", line 155, in go_to_and_do
    go_to_and_do(aws_config, current_config[key][value], copy.deepcopy(path), tmp, callback, callback_args)
  File "/Users/travis.schack/Documents/Code/Python/Scout2/AWSScout2/utils.py", line 147, in go_to_and_do
    callback(aws_config, current_config[key][value], path, current_path, value, callback_args)
  File "/Users/travis.schack/Documents/Code/Python/Scout2/AWSScout2/utils_vpc.py", line 62, in list_resources_in_security_group
    sg = get_object_at(aws_config, sg_path)
  File "/Users/travis.schack/Documents/Code/Python/Scout2/AWSScout2/utils.py", line 127, in get_object_at
    o = o[p]
KeyError: 'security_groups'

KeyError: 'security_groups'

Saw the following when running Scout2 against one of my AWS accounts:

Fetching CloudTrail config...
Fetching EC2 config...
region Elastic LBs Elastic IPs VPCs Sec. Groups Instances
us-east-1 0/103 41/41 5/5 352/352 245/245
ap-northeast-1 0/0 0/0 0/0 1/1 0/0
sa-east-1 0/0 0/0 0/0 1/1 0/0
ap-southeast-1 0/0 0/0 0/0 12/12 0/0
ap-southeast-2 0/0 0/0 0/0 12/12 0/0
us-west-2 0/0 0/0 0/0 1/1 0/0
us-west-1 0/0 0/0 0/0 1/1 0/0
eu-central-1 0/0 0/0 0/0 0/0 0/0
eu-west-1 0/0 0/0 0/0 12/12 0/0
Fetching IAM users...
82/82
Fetching IAM groups...
30/30
Fetching IAM roles...
35/35
Fetching IAM policies...
16/16
Fetching IAM credential report...
Fetching IAM password policy...
Fetching RDS config...
Fetching Redshift config...
Fetching S3 buckets config...
98/98
Analyzing VPC config...
Traceback (most recent call last):
  File "./Scout2.py", line 237, in <module>
    sys.exit(main(args))
  File "./Scout2.py", line 125, in main
    analyze_vpc_config(aws_config, args.ip_ranges, args.ip_ranges_key_name)
  File "/Users/jweller/Scout2-master/Scout2/AWSScout2/utils_vpc.py", line 20, in analyze_vpc_config
    go_to_and_do(aws_config, aws_config['services']['ec2'], ['regions', 'vpcs', 'elbs'], ['services', 'ec2'], list_resources_in_security_group, callback_args)
  File "/Users/jweller/Scout2-master/Scout2/AWSScout2/utils.py", line 155, in go_to_and_do
    go_to_and_do(aws_config, current_config[key][value], copy.deepcopy(path), tmp, callback, callback_args)
  File "/Users/jweller/Scout2-master/Scout2/AWSScout2/utils.py", line 155, in go_to_and_do
    go_to_and_do(aws_config, current_config[key][value], copy.deepcopy(path), tmp, callback, callback_args)
  File "/Users/jweller/Scout2-master/Scout2/AWSScout2/utils.py", line 147, in go_to_and_do
    callback(aws_config, current_config[key][value], path, current_path, value, callback_args)
  File "/Users/jweller/Scout2-master/Scout2/AWSScout2/utils_vpc.py", line 62, in list_resources_in_security_group
    sg = get_object_at(aws_config, sg_path)
  File "/Users/jweller/Scout2-master/Scout2/AWSScout2/utils.py", line 127, in get_object_at
    o = o[p]
KeyError: 'security_groups'

Only scan one region

First, great tool! Is there a way I could run it to only scan a single region?

User not in category group and common group False Positive ?

Hi
I currently use the "2.0.0rc3" version of SCOUT2.
All my users are marked with no "common group" and no "category group".
But a few of my users are in groups.
What is the "global mandatory" group? A default parameter to update in Scout2?

Thanks
Good app!

Security group names on rules

When viewing the list of rules under a security group, it currently only shows the ID. Is there any way you can add the security group's name as well?

Release ListAll

from leo100 (follow-up of issue #26):

Just a quick question (as someone who's not a python expert...at all) - I'm after specifying a list of Groups as an input and then spewing a list of users belonging to those specific groups, with "Lack of MFA" (possibly via cron so I could send this list to appropriate team).
Is it possible? How do I do that?

Limit exceeded error when getting list of IAM users

BotoServerError: 400 Bad Request
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <Error>
    <Type>Sender</Type>
    <Code>Throttling</Code>
    <Message>Rate exceeded</Message>
  </Error>
  <RequestId>b70a15bc-1a52-11e5-a0f5-9f4ba966731e</RequestId>
</ErrorResponse>

RDS dashboard displays no checked instance.

Hello, the dashboard displays no checked RDS instance, while the tab "instances" correctly displays the RDS in VPC.
So violations are not visible in the dashboard.

Git clone date --> 16/10/2015

thank you

Security groups incorrectly identified as unused

I ran into two scenarios where Scout2 identified a security group as unused when in fact it was in use. The first scenario is a security group that is attached to a Directory Service Directory. The other scenario is a security group that is configured as the Source Security Group for an ELB.

Network ACL mix up

Hey all,

First let me start with I love this tool. It is clean, simple, and efficient. I found what I believe is a bug in the Network ACL portion. While reviewing some findings with my co-worker we noticed the Inbound and Outbound area weren't always correct. Things in Inbound should have been in Outbound based off our understanding of this document:

http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-network-acls.html

The specific portion is that some rules are marked egress: true, but those rules show up as inbound when they should be outbound. Keep up the good work. Love this tool!
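The DescribeNetworkAcls document linked above defines the direction of an entry purely by its Egress flag (true is outbound, false is inbound), and NACL entries are evaluated in ascending rule number with the first match deciding. As an added example (not the project's code), the snippet below splits a constructed NACL into the two directions by that flag and then evaluates a flow against one direction, so a reviewer can verify which rule actually decides a given port. The ACL ID, rule numbers and CIDR blocks are constructed sample data in the shape of the API output.

```python
import ipaddress

# Constructed sample in the shape of one DescribeNetworkAcls entry (subset of
# fields). Protocol numbers follow the API: "6" is TCP, "17" is UDP, "-1" is all.
SAMPLE_ACL = {
    "NetworkAclId": "acl-0example",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 90, "Protocol": "6", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
    ],
}


def split_acl_entries(acl):
    """Return (inbound, outbound) entry lists, each sorted by rule number.

    Direction comes only from the Egress flag: True is outbound, False is
    inbound. Sorting by RuleNumber reproduces the order in which AWS
    evaluates the entries.
    """
    inbound, outbound = [], []
    for entry in acl.get("Entries", []):
        (outbound if entry.get("Egress") else inbound).append(entry)
    inbound.sort(key=lambda e: e["RuleNumber"])
    outbound.sort(key=lambda e: e["RuleNumber"])
    return inbound, outbound


def acl_decision(entries, protocol, port, address):
    """Walk one direction's entries in rule order; the first match decides.

    `protocol` is the API protocol number as a string ("6" for TCP). If no
    entry matches, the result is "deny", which is also what the implicit
    final rule in every real NACL does.
    """
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Protocol"] not in ("-1", protocol):
            continue
        port_range = entry.get("PortRange")
        if port_range and not (port_range["From"] <= port <= port_range["To"]):
            continue
        if ipaddress.ip_address(address) not in ipaddress.ip_network(entry["CidrBlock"]):
            continue
        return entry["RuleAction"]
    return "deny"


if __name__ == "__main__":
    inbound, outbound = split_acl_entries(SAMPLE_ACL)
    print("inbound rules:", [e["RuleNumber"] for e in inbound])
    print("outbound rules:", [e["RuleNumber"] for e in outbound])
    print("TCP/443 from 203.0.113.5 inbound:", acl_decision(inbound, "6", 443, "203.0.113.5"))
    print("TCP/443 from 198.51.100.7 inbound:", acl_decision(inbound, "6", 443, "198.51.100.7"))
```

The two rule 100 entries in the sample have the same number but opposite directions, which is exactly the case a display that ignores Egress gets wrong: they are independent rules, one per direction. Rule 90 shows why the ordering matters for review: the allow at 100 never sees a TCP/443 packet from 198.51.100.0/24 because the deny at 90 matches first.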

Unable to read and report on cloudtrail data

Everything else reports fine, but when I turned on CloudTrail, I get these errors.

Fetching CloudTrail data...
An error occurred (TrailNotFoundException) when calling the GetTrailStatus operation: Unknown trail: bucket_name for the user: 999999999999
...

No `--output` Option

The report can only be written to the cwd; there should be an --output or --report command line option to specify where to write the file.

graph visualisation

It would be amazing if there was a way to visualise VPCs, instances, security groups and ELB rules through a graph. Presumably it would use D3.

failing on cloudtrail module

Failed to process rule defined in cloudtrail-no-global-services-logging.json

Traceback (most recent call last):
  File "./Scout2.py", line 235, in <module>
    sys.exit(main(args))
  File "./Scout2.py", line 169, in main
    aws_config['services'][service]['violations'][rule]['flagged_items'] = len(aws_config['services'][service]['violations'][rule]['items'])
KeyError: 'items'

If I remove cloudtrail-no-global-services-logging from the default ruleset I get:

Analyzing AWS config...
Traceback (most recent call last):
  File "./Scout2.py", line 235, in <module>
    sys.exit(main(args))
  File "./Scout2.py", line 174, in main
    tweak_cloudtrail_findings(aws_config)
  File "/home/thor/Radialpoint/development/source/AWS/Scout2/AWSScout2/utils_cloudtrail.py", line 19, in tweak_cloudtrail_findings
    if len(aws_config['services']['cloudtrail']['violations']['cloudtrail-no-global-services-logging']['items']) != aws_config['services']['cloudtrail']['violations']['cloudtrail-no-global-services-logging']['checked_items']:
KeyError: 'cloudtrail-no-global-services-logging'

--regions error

When I run "python Scout2.py --regions us-east-1", I get the following results.

Checking the version of boto...
Fetching CloudTrail data...
Error: could not fetch and/or analyze CloudTrail configuration
global name 'Counter' is not defined
Fetching IAM users...
19/19
Fetching IAM groups...
4/4
Fetching IAM roles...
5/5
Fetching IAM policies...
12/12
Fetching IAM credential report...
Error: could not fetch and/or analyze EC2 configuration
global name 'Counter' is not defined
Error: EC2 or IAM configuration is missing
local variable 'ec2_info' referenced before assignment

Security group names

In the list of ports, the security group names were working, but now they all show up like this. (IDs below have been changed.)

EC2 security groups:
sg-6312312 (AWS account ID 93738127378)
sg-83e3452 (AWS account ID 93738127378)

Error Analyzing S3 Configuration

The version prior to being updated a few days ago analyzes S3 configurations just fine. The newest version however throws the following issue when it reaches the S3 portion of the audit:

Error: could not fetch and/or analyze S3 configuration
local variable 's3_info' referenced before assignment

Unable to run Scout2.py - need assistance

Hello, we are trying to run the Scout2.py app with Python 2.7. We are getting a KeyError when running... here is the output... can you assist? Thank you - [email protected]

[user@ip-10-1-1-1 Scout2]$ /usr/local/bin/python2.7 Scout2.py
Fetching CloudTrail data...
Fetching IAM users...
22/22
Fetching IAM groups...
12/1
Fetching IAM roles...
29/1
Fetching IAM policies...
0/0
Fetching IAM credential report...
Failed to generate/download a credential report.
'Message'
Fetching S3 buckets data...
40/40
Fetching EC2 data...
region Elastic LBs Elastic IPs VPCs Sec. Groups Instances
us-east-1 16/16 2/2 0/3 79 0'FromPort'
us-east-1 16/16 2/2 3/3 112/112 166/166
ap-northeast-1 0/0 0/0 1/1 1/1 0/0
sa-east-1 0/0 0/0 1/1 1/1 0/0
ap-southeast-1 0/0 0/0 1/1 1/1 0/0
ap-southeast-2 0/0 0/0 1/1 1/1 0/0
us-west-2 0/0 0/0 1/1 2/2 1/1
us-west-1 0/0 0/0 1/1 1/1 0/0
eu-central-1 0/0 0/0 1/1 1/1 0/0
eu-west-1 0/0 0/0 1/1 1/1 0/0
Analyzing VPC config...
Analyzing IAM data...
Analyzing S3 data...
Analyzing Redshift config...
Analyzing EC2 data...
'rules'
'rules'
Traceback (most recent call last):
  File "Scout2.py", line 203, in <module>
    sys.exit(main(args))
  File "Scout2.py", line 128, in main
    method(aws_config['services'][service], aws_config['account_id'], args.force_write)
  File "/home/user/em/Scout2/AWSScout2/utils_ec2.py", line 24, in analyze_ec2_config
    check_for_elastic_ip(ec2_info)
  File "/home/user/em/Scout2/AWSScout2/utils_ec2.py", line 59, in check_for_elastic_ip
    for i, item in enumerate(ec2_info['violations']['non-elastic-ec2-public-ip-whitelisted'].items):
KeyError: 'violations'
[user@ip-10-1-1-1 Scout2]$

Last run time

Could you add a last run date and time on the about page?

Errors while getting list of S3 buckets named in virtual hosting format

Hi,

I have a couple of S3 buckets used as static websites with names like "devs.mydomain.com".
This is the error message when Scout2 tries to enumerate the buckets:

BotoClientError: Bucket names cannot contain upper-case characters when using either the sub-domain or virtual hosting calling format.
hostname u'devs.mydomain.com.s3.amazonaws.com' doesn't match either of '*.s3.amazonaws.com', 's3.amazonaws.com'

There are no upper-case letters in the bucket names.

Killed while Fetching EC2 Config

Using the Scout2-Default Policy for my user, every time I run Scout2 it gets up to Fetching EC2 Config: ap-southeast-1, and then hangs. Eventually the process is killed and doesn't print out any debug information.

Could it be the resources on my machine, not enough RAM?

Fetching IAM credential report...
Fetching IAM password policy...
Fetching EC2 config...
region Elastic LBs Elastic IPs VPCs Sec. Groups Instances
us-east-1 0/0 0/0 1/1 1/1 0/0
ap-northeast-1 0/0 0/0 1/1 1/1 0/0
sa-east-1 0/0 0/0 1/1 1/1 0/0
ap-southeast-1 0/0 0/0 1/1 1/1 0/0

Cheers,

Issues viewing EC2 ELBs page

The EC2 page doesn't seem to be working.
Report generated with Scout2 version 2.0.0rc2.
Using Mac OS (Yosemite) and tested Chrome/Safari/Firefox.

Select Show All (count of 17): nothing; go to a specific region and select the VPC: nada.

offline analysis

Is there a way to use this tool offline?

Can I use aws ec2 describe at the command line to pull the data, then move the data offline to Scout2 for analysis?

Additional report options

It would be nice to be able to run this tool in an automated fashion and have it render the output as JSON or some other programmatically accessible data type. Looking to use this tool to set alarms in cloudwatch.

ELBs not included in external attack surface report

Currently, public IPs of ELBs aren't shown in the external attack surface report, which can lead to overlooking externally exposed ports. It would be great if these were in that report, perhaps with a notation like (ELB) next to them.

global name 'fetch_iam_role_credentials' is not defined

I cloned and attempted to run Scout2 yesterday, but ran into this issue.

sudo python Scout2.py --role-credentials
Traceback (most recent call last):
  File "Scout2.py", line 180, in <module>
    main(args)
  File "Scout2.py", line 39, in main
    key_id, secret = fetch_iam_role_credentials()
NameError: global name 'fetch_iam_role_credentials' is not defined

I am running this on a CentOS EC2 instance with:
python 2.6.6
boto 2.32.1
I have also upgraded dateutil and requests to the latest versions.
