AWS Recon

A multi-threaded AWS inventory collection tool.

The creators of this tool have a recurring need to be able to efficiently collect a large amount of AWS resource attributes and metadata to help clients understand their cloud security posture.

There are a handful of tools (e.g. AWS Config, CloudMapper, CloudSploit, Prowler) that do some form of resource collection to support other functions. But we found we needed broader coverage and more details at a per-service level. We also needed a consistent and structured format that allowed for integration with our other systems and tooling.

Enter AWS Recon, multi-threaded AWS inventory collection tool written in plain Ruby. Though most AWS tooling tends to be dominated by Python, the Ruby SDK is quite mature and capable. The maintainers of the Ruby SDK have done a fantastic job making it easy to handle automatic retries, paging of large responses, and threading huge numbers of requests.

Project Goals

• More complete resource coverage than available tools (especially for ECS & EKS)
• More granular resource detail, including nested related resources in the output
• Flexible output (console, JSON lines, plain JSON, file, standard out)
• Efficient (multi-threaded, rate-limited, automatic retries, and automatic result paging)
• Easy to maintain and extend

Supported Services & Resources

Current “coverage” by service is listed below. The services without coverage will eventually be added. PRs are certainly welcome. 🙂

AWS Recon aims to collect all resources and metadata that are relevant in determining the security posture of your AWS account(s). However, it does not actually examine the resources for security posture – that is the job of other tools that take the output of AWS Recon as input.

•  AdvancedShield
•  Athena
•  GuardDuty
•  Macie
•  Systems Manager
•  Trusted Advisor
•  ACM
•  API Gateway
•  AutoScaling
•  CodePipeline
•  CodeBuild
•  CloudFormation
•  CloudFront
•  CloudWatch
•  CloudWatch Logs
•  CloudTrail
•  Config
•  DirectoryService
•  DirectConnect
•  DMS
•  DynamoDB
•  EC2
•  ECR
•  ECS
•  EFS
•  ELB
•  EKS
•  Elasticsearch
•  Firehose
•  FMS
•  Glacier
•  IAM
•  KMS
•  Kafka
•  Kinesis
•  Lambda
•  Lightsail
•  Organizations
•  RDS
•  Redshift
•  Route53
•  Route53Domains
•  S3
•  SageMaker
•  SES
•  ServiceQuotas
•  Shield
•  SNS
•  SQS
•  Transfer
•  VPC
•  WAF
•  WAFv2
•  Workspaces
•  Xray

Changelog v0.5.15

• Update regions exclusions for CodeBuild

Installation

$ git clone git@github.com:darkbitio/aws-recon.git
$ cd aws-recon
$ bundle
...
Using aws-sdk-core 3.103.0
...
Bundle complete! 5 Gemfile dependencies, 259 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

Use

Tutorial

Copyright (c) 2020 Darkbit