Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Here you will find some useful AWS scripts I use often.
All the scripts relies on Boto, a Python package that provides interfaces to Amazon Web Services.
So, to use these scripts, you need to install Boto and provide your AWS credentinals:
To install aws-scripts and all the required Python packages just type:
pip install aws-scripts
If dependencies are already satisfied, nothing will be installed.
If you already have aws-scripts installed in your computer you can update to the latest version as follows:
pip install --upgrade aws-scripts
To provide your AWS credentials use the boto/boto3 config file ~/.aws/credentials
:
[default]
aws_access_key_id = <XXXXXXXXXXXXXXXXXXX>
aws_secret_access_key = <xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
region=xx-xxxx-x
Note that you can use the environment variable:
AWS_DEFAULT_REGION=xx-xxxx-x
to override the default region on the config file. In the ec2-instances.py script you can also use the--region
option for the same purpose
Lists the EC2 instances including the Name Tag, IP, type, zone, vpc, subnet and the status.
You can filter the result by name, type, status and/or public or private IP address. Or you can provide a list of instance IDs instead.
Finally you can execute remote commands on all the instances returned by the filter or the list.
The execution method support both: direct connections against the public instance IP or using a bastion host.
When this method is used, the .ssh/config file is used to establish the connection.
The '-h' option shows you how to use the available options.
usage: ec2-instances.py [-h] [-n NAME] [-t TYPE] [-s STATUS] [-z ZONE] [-v VPC] [-S SUBNET] [--public_ip PUBLIC_IP] [--private_ip PRIVATE_IP] [-l ID_LIST [ID_LIST ...]] [-i IGNORE] [-e EXECUTE] [-r REGION]
[-u USER] [-c {direct,bastion-host}]
Shows a list with your EC2 instances, then you can execute remote commands on those instances.
options:
-h, --help show this help message and exit
-n NAME, --name NAME Filter result by name.
-t TYPE, --type TYPE Filer result by type.
-s STATUS, --status STATUS
Filter result by status.
-z ZONE, --zone ZONE Filter result by Availability Zone.
-v VPC, --vpc VPC Filter result by VPC Id.
-S SUBNET, --subnet SUBNET
Filter result by Subnet Id.
--public_ip PUBLIC_IP
Filter result by public ip address. You can provide the whole IP address string or just a portion of it.
--private_ip PRIVATE_IP
Filter result by private ip adreess. You can provide the whole IP address string or just a portion of it.
-l ID_LIST [ID_LIST ...], --id_list ID_LIST [ID_LIST ...]
Do not filter the result. Provide a InstanceIds list instead.
-i IGNORE, --ignore IGNORE
Do not show hosts lines containing the "IGNORE" pattern in the tag Name
-e EXECUTE, --execute EXECUTE
Execute a command on instances
-r REGION, --region REGION
Specify an alternate region to override the one defined in the .aws/credentials file
-u USER, --user USER User to run commands (if -e option is used). A user is always required, even if you have one defined in .ssh/config file
-c {direct,bastion-host}, --connection_method {direct,bastion-host}
The Method to connect to the instance (if -e option is used). If the instance exposes the SSH port on a public IP, use direct. Otherwhise choose bastion-host. This method look for
the hostname and username inside the .ssh/config file to reach the target instance.
Lists details of all your Instance Reservations, including a summary of the active reservations by type and size.
The summary also shows your reserved active capacity after apply the normalization factor. This is useful to compare the reserved capacity with the deployed in production.
You can also use the option --create-google-calendar-events
to add the expiration date of the active reservations in your Google Calendar Account.
usage: ec2-reserved.py [-h]
[-s {payment-pending,active,payment-failed,retired}]
[--create-google-calendar-events] [-t TYPE]
Show reserved EC2 instances
optional arguments:
-h, --help show this help message and exit
-s {payment-pending,active,payment-failed,retired}, --state {payment-pending,active,payment-failed,retired}
Filer result by reservation state.
--create-google-calendar-events
Create events in your Google Calendar, using the
expiration dates of your active reservations
-t TYPE, --type TYPE Filer result by instance type.
To use the Google calendar feature you just have to enable the calendar API in your Google Account and create a calendar called aws in the Google Calendar. Then create the OAuth client ID credentials. Download the credentials file and save it as client_secret.json
in the aws-scripts folder repo. When you run the script using the --create-google-calendar-events
option for the first time, a web browser will be opened asking your to login with the Google account you want to use.
Then, whenever you buy new reservations on Amazon Web Services, you can add the new reservations in your calendar by just running the script.
Set the desired state for an EC2 instance or a list of instances.
You can use it form a cron task in order to manage the instance state of one or several instances. You can even use it without providing the IAM user credentials, thanks to the assume role support.
The '-h' optipn shows you how to use the available options.
usage: ec2-instance-state.py [-h] [-s {stop,start,reboot,terminate}] -l ID_LIST [ID_LIST ...] [--role_arn ROLE_ARN] [-r REGION]
Set desired EC2 instance state
optional arguments:
-h, --help show this help message and exit
-s {stop,start,reboot,terminate}, --state {stop,start,reboot,terminate}
Set the desired state for the instances provided
-l ID_LIST [ID_LIST ...], --id_list ID_LIST [ID_LIST ...]
InstanceIds list
--role_arn ROLE_ARN If the script run on an EC2 instance with an IAM role attached, then the Security Token Service will provide a set of temporary credentials allowing the actions of the assumed role.
With this method, no user credentials are required, just the Role ARN to be assumed.
-r REGION, --region REGION
Specify an alternate region to override the one defined in the .aws/credentials file
This is an example of the minimum permissions required in the Role Policy in order to auto-stop an instance from a cron job.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:StopInstances",
"Resource": "arn:aws:ec2:<AWS-REGION>:<ACCOUNT_ID>:instance/<INSTANCE_ID>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<AUTOSTOP_ROLE_NAME>"
}
]
}
Lists the EC2 Security Groups within an AWS region. The result can be filtered by name. You can also show the Inbound and Outbound rules of the chosen security group.
As a sysadmin and/or developer, you or your team mates, will probably find yourself updating your public IP address frequently in order to gain SSH access to your EC2 instances.
This command help you to do so. Just use the argument --allow_my_public_ip
providing the Security Group ID and the Security Group Rule ID you want to update. The command will find out your public IP and will update the rule allowing you the SSH access.
usage: ec2-sg.py [-h] [-n NAME] [-l GID_LIST [GID_LIST ...]] [-r REGION] [-s SHOW] [--allow_my_public_ip ALLOW_MY_PUBLIC_IP] [--security_group_rule_id SECURITY_GROUP_RULE_ID] [--description DESCRIPTION]
Security Groups Management
options:
-h, --help show this help message and exit
-n NAME, --name NAME Filter result by group name.
-l GID_LIST [GID_LIST ...], --gid_list GID_LIST [GID_LIST ...]
Do not filter the result. Provide a GroupIds list instead.
-r REGION, --region REGION
Specify an alternate region to override the one defined in the .aws/credentials file
-s SHOW, --show SHOW Show inbound and outbound rules for the provided SG ID
--allow_my_public_ip ALLOW_MY_PUBLIC_IP
Modify the SSH inbound rule with your current public IP address inside the provided Security Group ID.
--security_group_rule_id SECURITY_GROUP_RULE_ID
Modify the SSH inbound rule with your current public IP address inside the provided Security Group Rule ID
--description DESCRIPTION
Allows you to append a string to the rule description field
Lists the EC2 EBS volumes including the Name Tag, size, device, ID, attached instance ID, Attached instance Tag Name, type, IOPS, zone and status.
You can filter the result by type, status and Tag name.
The '-h' option shows you how to use the available options.
usage: ec2-ebs.py [-h] [-n NAME] [-t {gp2,io1,st1,sc1,standard}] [-s {creating,available,in-use,deleting,deleted,error}]
List all the Elastic Block Storage volumes
optional arguments:
-h, --help show this help message and exit
-n NAME, --name NAME Filter result by name.
-t {gp2,io1,st1,sc1,standard}, --type {gp2,io1,st1,sc1,standard}
Filer result by type.
-s {creating,available,in-use,deleting,deleted,error}, --status {creating,available,in-use,deleting,deleted,error}
Filter result by status.
Lists all your Elastic Load Balancers and his related instances.
usage: ec2-elb.py [-h] [-t {classic,current,all}]
For every Elastic Load Balancer list the attached instances
options:
-h, --help show this help message and exit
-t {classic,current,all}, --type {classic,current,all}
It shows the current generation of ELBs (Application, Network and/or Gateway) and/or the previous one (Classic).
Without parameters just lists the target groups within a region. You can also list the targets in a given target group. Finally, you can also register or deregister targets to/from a group.
usage: ec2-tg.py [-h] [-s SHOW] [-a {register,deregister}] [--target_type {instances,ip_address,lambda_function,alb}] [--targets_id_list TARGETS_ID_LIST [TARGETS_ID_LIST ...]]
[--target_group_arn TARGET_GROUP_ARN] [--role_arn ROLE_ARN] [-r REGION]
Shows a list of Target Grops. Also allows you to register/deregister targets in/from a provided Targer Group
options:
-h, --help show this help message and exit
-s SHOW, --show SHOW Shows the target for the provided Target Group ARN
-a {register,deregister,details}, --action {register,deregister,details}
Set the desired action.
--target_type {instances,ip_address,lambda_function,alb}
Set the desired state for the instances provided
--targets_id_list TARGETS_ID_LIST [TARGETS_ID_LIST ...]
Targets Id list
--target_group_arn TARGET_GROUP_ARN
Target Group ARN
--role_arn ROLE_ARN If the script run on an EC2 instance with an IAM role attached, then the Security Token Service will provide a set of temporary credentials allowing the actions of the assumed role.
With this method, no user credentials are required, just the Role ARN to be assumed.
-r REGION, --region REGION
Specify the region to override the one setted in the credentials file or if you are using --role_arn.
This is the minimum permissions required in the assumed role policy in order to allow register or deregister a target from the same target.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "arn:aws:elasticloadbalancing:<AWS_REGION>:<ACCOUNT_ID>:targetgroup/<TG_NAME>/<TG_ID>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/TPS-TargetGroup-management"
}
]
}
In addition, you need to perform a little modification in the Trusted Relationships to allow the Elastic Load Balancing as a AWS service or as role session.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"elasticloadbalancing.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::<ACCOUNT_ID>:assumed-role/<TG_ROLE_NAME>/<INSTANCE_ID>",
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
With this script you can see the relationships between your snapshots and your EBS volumes and AMIs. This allows you to choose the snapshots you don't need to keep in the AWS S3 service.
By default the script shows all the volumes and AMIs related to each snapshost.
You you can also show all the snapshots related with each volume. This option is specially usefull when you only want to keep a certain number of snapshots per volume.
Finally, you can show all the snapshots related with each AMI.
The '-h' option shows you how to use the available options.
usage: ec2-snap-mgmt.py [-h] [-v {orphan,volumes}] owner_id
positional arguments:
owner_id 12-digit AWS Account Number
optional arguments:
-h, --help show this help message and exit
-v {orphan,volumes,images}, --view {orphan,volumes,images}
Available views: orphan and volumes. Orphan is the
default one.
The script doesn't delete anything actually, just shows you the relationship in a tree view.
This is a tool to make MongoDB backups on Amazon.
Two methods are supported: dump and snapshot.
mongodump
to perform a binary backup of your local or remote MongoDB instance. The dumped files are compressed in a tarball file and uploaded to a Amazon S3 bucket.For the dump method, you can specify the number of copies to retain in the bucket or in the EC2 snapshot area. The oldest ones will be automatically removed.
usage: mongodb-backup.py [-h] [-m {dump,snapshot}] [-u USER] [-p PASSWORD] [-H HOST] [-d DATABASE] [-c COLLECTION] [-e EXCLUDE_COLLECTION] [-o OUT] [-n NUMBER] [-b BUCKET] [-P PREFIX]
[-v VOLUME_ID [VOLUME_ID ...]] [--no_journal] [-r REGION]
A tool to make mongodb backups on Amazon
optional arguments:
-h, --help show this help message and exit
-m {dump,snapshot}, --method {dump,snapshot}
Backup method. Dump if none is provided
-u USER, --user USER Mongodb user (optional)
-p PASSWORD, --password PASSWORD
Mongodb password (optional)
-H HOST, --host HOST Mongodb host: <hostname>:<port>. By default: localhost:27017
-d DATABASE, --database DATABASE
For the dump method: The database to backup (all if not provided)
-c COLLECTION, --collection COLLECTION
For the dump method: The collection to backup. Requires '-d' option
-e EXCLUDE_COLLECTION, --exclude_collection EXCLUDE_COLLECTION
For the dump method: The collection to exclude from backup. Requires '-d' option
-o OUT, --out OUT For the dump method: The output directory for dumped files
-n NUMBER, --number NUMBER
Number of copies to retain
-b BUCKET, --bucket BUCKET
For the dump method: Amazon s3 bucket.
-P PREFIX, --prefix PREFIX
For the dump method: For grouped objects aka s3 folders, provide the prefix key
-v VOLUME_ID [VOLUME_ID ...], --volume_id VOLUME_ID [VOLUME_ID ...]
For the snapshot method: Provide the data and journal volume_id list to snapshot: If data and journal resides in a separate volumes, both volumes are required.
--no_journal For the snapshot method: If pressent, the instance is either running without journaling or has the journal files on a separate volume, you must flush all writes to disk and lock the
database to prevent writes during the backup process.
-r REGION, --region REGION
Specify an alternate region to override the one defined in the .aws/credentials file
This script allows you to automatically set predictable DNS records for instances launched using AWS Auto Scaling.
It is intended to be executed from the ec2 instance at launch time. The script looks for an available name matching the provided pattern in the DNS zone. Then, it adds this name as a CNAME record in the DNS zone pointing to the EC2 instance public name.
usage: route53-set-hostname.py [-h] --HostedZoneId HOSTEDZONEID --HostStr
HOSTSTR [--rangeSize RANGESIZE] [--dryrun]
AWS Route53 hostname managment for Autoscaled EC2 Instances
optional arguments:
-h, --help show this help message and exit
--HostedZoneId HOSTEDZONEID
The ID of the hosted zone where the new resource
record will be added.
--HostStr HOSTSTR The host string used to build the new name
--rangeSize RANGESIZE
The maximun number to be assigned. The first available
will be used
--dryrun Shows what is going to be done but doesn't change
anything actually
Example:
user@host:~$ ./route53-set-hostname.py --HostedZoneId XXXXXXXXXXXXXX --HostStr websrv --rangeSize 10
15:41:58 06/09/16: creating CNAME websrv03.example.com. -> ec2-XX-XX-XXX-XX.compute-1.amazonaws.com......INSYNC
This script is executed from the ec2 instance at shutdown. The script delete his host record zone from the passed DNS zone identifier.
usage: route53-del-hostname.py [-h] --HostedZoneId HOSTEDZONEID [--dryrun]
AWS Route53 hostname managment for Autoscaled EC2 Instances
optional arguments:
-h, --help show this help message and exit
--HostedZoneId HOSTEDZONEID
The ID of the hosted zone where the new resource
record will be added.
--dryrun Shows what is going to be done but doesn't change
anything actually
This script just download the requested S3 object.
usage: s3-download-file.py [-h] -b BUCKET -o OBJECTKEY -f FILEPATH
Donwload file from AWS S3
optional arguments:
-h, --help show this help message and exit
-b BUCKET, --bucket BUCKET
The bucket name.
-o OBJECTKEY, --objectkey OBJECTKEY
The host string used to build the new name
-f FILEPATH, --filepath FILEPATH
The filepath of the file to be saved
As its own name says, this worker is designed to use auto scaling lifecycle hooks.
The process looks for incoming messages into the SQS queue associated with the autoscaling group. Then, when a message comes for the instance, it is consumed and the associated custom action is triggered. Finally, using the lifecycle action token, the worker completes the autoscaling action going on with the launch or ending the instance action.
usage: lifecycle-hook-worker.py [-h] -q QUEUE -s {LAUNCHING,TERMINATING} -g
GROUP -H HOOKNAME -e EXECUTE [-w WAIT]
SQS Lifecycle hook consumer and trigger
optional arguments:
-h, --help show this help message and exit
-q QUEUE, --queue QUEUE
Queue resource.
-s {LAUNCHING,TERMINATING}, --state {LAUNCHING,TERMINATING}
Indicates if the consumer is waiting for LAUNCHING or
TERMINATING state
-g GROUP, --group GROUP
Auto Scaling Group Name
-H HOOKNAME, --hookName HOOKNAME
Life Cycle Hook Name
-e EXECUTE, --execute EXECUTE
The filepath of the triggered script
-w WAIT, --wait WAIT Time between query loops in seconds (default: 60)
Shows the main info regarding all the RDS instances such as: endpoint, engine, version, status etc.
usage: rds-instances.py [-h]
List all the RDS instances
optional arguments:
-h, --help show this help message and exit
FAQs
Some useful AWS scripts I use from time to time
We found that aws-scripts demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.