Friday, April 26, 2019

AWS Config Service Organization-Wide Member Account Config Aggregator

Source code and download: https://github.com/walkerk1980/AWSConfigOrgsMemberAccountAggregator

Why you may want this script: the AWS Config Service offers an option, for AWS Organizations with 'All Features' enabled, that automatically creates a Configuration Aggregator in your Organization's Master Account aggregating all of your Member Accounts in all supported AWS Regions. That aggregator can only be created in the Master Account of the Organization. The AWS-provided method cannot create an Organization-wide Aggregator in one of your Member Accounts, for example the account designated for Security or Monitoring. [1] 
[1] Multi-Account Multi-Region Data Aggregation - https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
The purpose of this script is to create a Config Aggregator in an Organizations Member Account that aggregates all of your Organization's Member Accounts across all supported Regions. Normally this requires creating an Aggregator in one of your Member Accounts and inviting all of the Accounts in your Organization, then signing in to each Member Account and adding an Authorization for the Aggregator Account. This script automates that process by assuming the Organizations Access Role in each of your Member Accounts to create the Config Aggregator and to authorize the Aggregator in the Master Account as well as in all of the Member Accounts.
Note: You must run this script in an Organizations Master Account with all Features Enabled.
Each Member Account must have an OrganizationAccountAccessRole whose name matches the string provided in the variable orgs_access_role_name in the script. The OrganizationAccountAccessRoles must have the IAM permissions needed to perform all Config API calls contained in the script. The credentials used to run the script in the Organizations Master Account must have IAM permissions to List Accounts in Organizations as well as to perform the requisite Config Service API calls in the Master Account.
This script requires Python3 installed and the boto3 library.
Also note that this script does not enable the Config Service in your AWS Accounts; it only creates an Aggregator and authorizes it. If you are looking for a solution to manage the Config Service and its Rules across multiple AWS Accounts, please check out the links below. [2][3]
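The authorize-then-aggregate flow described above, as an added Python/boto3 example that is not the post's script: the aggregator account is authorized in every account and region first, and the aggregator is created last. The role name follows the post; the aggregator name, the command-line arguments and the decision to authorize in each source region are assumptions.

```python
"""Added example (not the post's script): authorize a Config aggregator in the
Organizations master account and every member account, then create it in the
designated security account. Role and aggregator names are assumptions."""
ORGS_ACCESS_ROLE_NAME = "OrganizationAccountAccessRole"  # as in the post
AGGREGATOR_NAME = "OrgWideAggregator"                    # hypothetical name

def active_account_ids(orgs_client):
    """Every ACTIVE account in the Organization (ListAccounts is paginated)."""
    ids, token = [], None
    while True:
        page = orgs_client.list_accounts(**({"NextToken": token} if token else {}))
        ids += [a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE"]
        token = page.get("NextToken")
        if not token:
            return ids

def setup_org_aggregator(account_ids, agg_account, agg_region, regions, config_client_for):
    """config_client_for(account_id, region) returns a Config client bound to that
    account's credentials: the master's own, or those from assuming
    ORGS_ACCESS_ROLE_NAME in a member. Returns the (account, region) pairs authorized."""
    authorized = []
    for account_id in account_ids:
        for region in regions:
            # An aggregation authorization is a regional resource in the source
            # account, so the aggregator is authorized in every source region.
            config_client_for(account_id, region).put_aggregation_authorization(
                AuthorizedAccountId=agg_account, AuthorizedAwsRegion=agg_region)
            authorized.append((account_id, region))
    # Create the aggregator only after every source has authorized it.
    config_client_for(agg_account, agg_region).put_configuration_aggregator(
        ConfigurationAggregatorName=AGGREGATOR_NAME,
        AccountAggregationSources=[{"AccountIds": account_ids, "AllAwsRegions": True}])
    return authorized

if __name__ == "__main__":  # live run: python3 agg.py <aggregator account> <aggregator region>
    import boto3, sys
    sts = boto3.client("sts")
    master = sts.get_caller_identity()["Account"]  # the master account uses its own creds
    def client_for(account_id, region):
        if account_id == master:
            return boto3.client("config", region_name=region)
        c = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{ORGS_ACCESS_ROLE_NAME}",
                            RoleSessionName="config-aggregator-setup")["Credentials"]
        return boto3.client("config", region_name=region, aws_access_key_id=c["AccessKeyId"],
                            aws_secret_access_key=c["SecretAccessKey"],
                            aws_session_token=c["SessionToken"])
    accounts = active_account_ids(boto3.client("organizations"))
    regions = boto3.Session().get_available_regions("config")
    print(setup_org_aggregator(accounts, sys.argv[1], sys.argv[2], regions, client_for))
```

The live run needs master-account credentials with organizations:ListAccounts and sts:AssumeRole; it does not enable Config in any account, matching the note above.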

AWS Creds Profile Manager - An easier way to manage your AWS CLI/SDK config and credentials files

Source code and download:

https://github.com/walkerk1980/AWSCredsProfileManager

examples:
awsprofilemanager.py -r us-west-2 -a AKID0123456789012 -s 'YourSecretAccessKey/klngs/a49nunf98494n'
awsprofilemanager.py -p saml -r us-east-1 -a AKID0123456789012 -s 'YourSecretAccessKey/klngs/a49nunf98494n' -t 'YourSessionToken/d932u98unf43/a93uh'
For more info on AWS config and credentials files please see the AWS Documentation. [1][2]
[2] AWS Config/Credential File Format - https://docs.aws.amazon.com/cli/latest/topic/config-vars.html


usage: awsprofilemanager.py [-h] [-p [PROFILE]]
                            [-r [{ap-south-1,ap-northeast-2,ap-southeast-1,ap-southeast-2,ap-northeast-1,ca-central-1,eu-central-1,eu-west-1,eu-west-2,eu-west-3,sa-east-1,us-east-1,us-east-2,us-west-1,us-west-2}]]
                            [-a [ACCESS_KEY_ID]] [-s [SECRET_ACCESS_KEY]]
                            [-t [SESSION_TOKEN]] [-o [{json,text,table}]]
                            [-R [ROLE_ARN]] [-S [ROLE_SESSION_NAME]]
                            [-P [SOURCE_PROFILE]]
                            [-c [{Environment,Ec2InstanceMetadata,EcsContainer}]]
                            [-e [EXTERNAL_ID]] [-m [MFA_SERIAL]]
                            [-f [CONFIG_FILE_PATH]] [-d [DURATION_SECONDS]]

optional arguments:
  -h, --help            show this help message and exit
  -p [PROFILE], --profile [PROFILE]
                        The name of the profile to create or overwrite
  -r [{ap-south-1,ap-northeast-2,ap-southeast-1,ap-southeast-2,ap-northeast-1,ca-central-1,eu-central-1,eu-west-1,eu-west-2,eu-west-3,sa-east-1,us-east-1,us-east-2,us-west-1,us-west-2}], --region [{ap-south-1,ap-northeast-2,ap-southeast-1,ap-southeast-2,ap-northeast-1,ca-central-1,eu-central-1,eu-west-1,eu-west-2,eu-west-3,sa-east-1,us-east-1,us-east-2,us-west-1,us-west-2}]
                        the region to set for the profile
  -a [ACCESS_KEY_ID], --access-key-id [ACCESS_KEY_ID]
                        AccessKeyID to set in the profile
  -s [SECRET_ACCESS_KEY], --secret-access-key [SECRET_ACCESS_KEY]
                        The SecretAccessKey to set for the profile
  -t [SESSION_TOKEN], --session-token [SESSION_TOKEN]
                        The SessionToken to set for the profile
  -o [{json,text,table}], --output [{json,text,table}]
                        Default output style
  -R [ROLE_ARN], --role-arn [ROLE_ARN]
                        The ARN of the Role to set for the profile to assume
  -S [ROLE_SESSION_NAME], --role-session-name [ROLE_SESSION_NAME]
                        The Role Session Name to set for the profile to use
  -P [SOURCE_PROFILE], --source-profile [SOURCE_PROFILE]
                        The name of the source profile to set
  -c [{Environment,Ec2InstanceMetadata,EcsContainer}], --credential-source [{Environment,Ec2InstanceMetadata,EcsContainer}]
                        The credential provider to use to get credentials for
                        the initial assume-role call
  -e [EXTERNAL_ID], --external-id [EXTERNAL_ID]
                        A unique identifier that is used by third parties to
                        assume a role
  -m [MFA_SERIAL], --mfa-serial [MFA_SERIAL]
                        The identification number of the MFA device to use
                        when assuming a role
  -f [CONFIG_FILE_PATH], --config-file-path [CONFIG_FILE_PATH]
                        Path to the file to create the profile in, defaults to
                        ~/.aws/config
  -d [DURATION_SECONDS], --duration-seconds [DURATION_SECONDS]
                        The duration, in seconds (900..max_session_duration)
                        of the role session. Default=3600

Thursday, April 25, 2019

CloudHSM client container based on Ubuntu with the CloudHSM client, PKCS#11 library and PyKCS11 module installed and ready to use within Docker/Kubernetes.

Docker Hub: https://hub.docker.com/r/walkerk1980/cloudhsm-pkcs11-python
View the code on GitHub: https://github.com/walkerk1980/cloudhsm-pkcs11-python

Prerequisites:
The container host Instance requires either an EC2 Instance Profile attached to it with IAM permissions that allow the container to pull the CloudHSM Cluster information, or alternatively you can pass IAM Access Key credentials to the container via Docker Environment Variables. [1][2]
This container requires you to provide the CLUSTERID of an HSM Cluster with at least one running HSM in the same Region/VPC as the host.

The Cluster/HSM requires the proper Security Groups allowing the Instance/Container to communicate with the Cluster.

For more information please see the CloudHSM documentation. [3]
Getting Started:
$ docker volume create --name cloudhsm_data
$ docker run -it -d --rm --name cloudhsm -v cloudhsm_data:/root/data/ walkerk1980/cloudhsm-pkcs11-python /bin/bash
$ docker cp /path/to/customerCA.crt cloudhsm:/root/data/
$ docker stop cloudhsm
$ docker run -it -d -e CLUSTERID=cluster-5la5cwabs7v -v cloudhsm_data:/root/data --name cloudhsm -e REGION=us-west-2 walkerk1980/cloudhsm-pkcs11-python /usr/local/bin/startup.sh
Example commands once the container is running:
ensure that client is connected: 
$ docker logs cloudhsm
connect to bash on container: 
$ docker exec -it cloudhsm /bin/bash
Within bash - create CA: 
$ createCA.sh
Within bash - CloudHSM Management Utility: 
$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg

ENVIRONMENT VARIABLES:
CLUSTERID is for the Cluster Id of your initialized CloudHSM Cluster containing at least one running HSM.
REGION is for the AWS Region that your CloudHSM Cluster is located in.
CASUBJECT (Optional) is for the subject of the local CA to be created.
CAKEYPASS (Optional) is for the local CA private key password.
AWS_ACCESS_KEY_ID (Optional) is for pulling required cluster information if an Instance Profile is not used.
AWS_SECRET_ACCESS_KEY (Optional) is for pulling required cluster information if an Instance Profile is not used.
AWS_SESSION_TOKEN (Optional) is for pulling required cluster information if an Instance Profile is not used.

Internal Container Commands:
createCA.sh - Set up the local CA using the information provided in CASUBJECT and CAKEYPASS. This will create an openssl CA and move it to the data volume
cainfo.sh - Get info about the customerCA.crt in place within the container

Friday, September 8, 2017

Automate OpenSSL to pull a certificate thumbprint for an OIDC IDP

How to automatically pull the certificate thumbprint for an OpenID Connect Provider's certificate instead of the manual process described at http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

You could use this process along with 'aws iam update-open-id-connect-provider-thumbprint' to automate regularly pulling the certificate from your IDP and updating its thumbprint in IAM.

Code can be found at: https://github.com/walkerk1980/AWSScripts/blob/master/oidcThumbprint.pl

#!/usr/bin/perl
use strict;
use warnings;

# The purpose of this script is to automate the process described in the link below
# Use this script at your own risk
# Obtaining the Thumbprint for an OpenID Connect Identity Provider
# http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

#requires bash
#requires curl
#requires jq package
#requires perl
#requires openssl

#set the oidc idp URL
my $idpURL='https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration';

my $cmd='curl -s ' . $idpURL . ' |jq -r \'.jwks_uri\'';

#run output of curl through jq to extract the JWKS URI
my $jwksURI=`$cmd`;
chomp($jwksURI);
die "could not read jwks_uri from $idpURL\n" unless $jwksURI =~ m{^https://};

#cut off prepended https://
my $fullURL=substr($jwksURI, 8);

#keep only the host part of the URL (the whole string if there is no path)
my $slash=index($fullURL, '/');
my $hostURL=$slash < 0 ? $fullURL : substr($fullURL, 0, $slash);

$cmd='openssl s_client -showcerts -servername ' . $hostURL . ' -connect ' . $hostURL . ':443 </dev/null 2>/dev/null';

#use s_client to get the certificate chain
my $sslclientoutput=`$cmd`;
die "no certificate chain returned by $hostURL\n" if rindex($sslclientoutput, 'BEGIN') < 0;

#cut junk off beginning of the last cert in the chain (the one the AWS procedure uses)
my $lastcertsub1=substr($sslclientoutput, rindex($sslclientoutput, 'BEGIN')-5);
#cut junk off end of cert ('END CERTIFICATE-----' is 20 characters)
my $lastcert=substr($lastcertsub1, 0, index($lastcertsub1, 'END')+20);

#create pem file (written directly rather than echoed through the shell)
open(my $pem, '>', 'oidcert.pem') or die "cannot write oidcert.pem: $!\n";
print $pem $lastcert, "\n";
close($pem);

#openssl prints the SHA-1 fingerprint by default, which is what IAM expects
$cmd='openssl x509 -fingerprint -noout -in oidcert.pem';
my $opensslfinger=`$cmd`;

#cut off junk at beginning (everything up to and including '=')
my $fingerprint=substr($opensslfinger, index($opensslfinger, '=')+1);

#get rid of colons
$fingerprint =~ s/://g;

print $fingerprint;
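The same extraction done without string offsets, as an added Python example that is not the post's script: it pulls the last PEM block out of 'openssl s_client -showcerts' output with a regular expression and hashes the DER bytes itself, so it also refuses cleanly when no certificate came back. The chain text is constructed sample data, and the hostname argument in the live mode is an assumption.

```python
"""Added example (not the post's Perl script): take the last certificate in
'openssl s_client -showcerts' output and compute the colon-free SHA-1 thumbprint
that IAM expects. SAMPLE_CHAIN below is constructed, not a real certificate."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def last_certificate_der(s_client_output):
    """DER bytes of the final certificate in the chain, the one the AWS
    procedure uses; raises ValueError if no PEM block is present."""
    blocks = PEM_BLOCK.findall(s_client_output)
    if not blocks:
        raise ValueError("no certificate found in s_client output")
    return base64.b64decode("".join(blocks[-1].split()))

def thumbprint(der_bytes):
    """IAM thumbprint: hex SHA-1 of the DER with no colons (openssl prints the
    same digest in uppercase with colons)."""
    return hashlib.sha1(der_bytes).hexdigest()

def thumbprint_from_s_client(s_client_output):
    return thumbprint(last_certificate_der(s_client_output))

# Constructed s_client output: two "certificates" whose bodies are arbitrary bytes.
SAMPLE_CHAIN = "\n".join([
    "CONNECTED(00000003)",
    "---",
    "Certificate chain",
    " 0 s:CN = login.example.test",
    "-----BEGIN CERTIFICATE-----",
    base64.b64encode(b"leaf certificate bytes (constructed)").decode(),
    "-----END CERTIFICATE-----",
    " 1 s:CN = Example Intermediate CA",
    "-----BEGIN CERTIFICATE-----",
    base64.b64encode(b"intermediate CA bytes (constructed)").decode(),
    "-----END CERTIFICATE-----",
])

if __name__ == "__main__":  # live use: python3 thumbprint.py <jwks host> (assumption)
    import subprocess, sys
    host = sys.argv[1]
    out = subprocess.run(["openssl", "s_client", "-showcerts", "-servername", host,
                          "-connect", host + ":443"], input=b"", capture_output=True)
    print(thumbprint_from_s_client(out.stdout.decode()))
```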