assetnote / ghostbuster

Eliminate dangling elastic IPs by performing analysis on your resources within all your AWS accounts.
GNU Affero General Public License v3.0

Support additional types of public IPs #1

Open danielpops opened 2 years ago

danielpops commented 2 years ago

There may be other ways that public IPs get assigned to resources in an AWS account that would be worth adding to the enumeration logic:

These are the ones that I'm aware of; there may be others.

infosec-au commented 2 years ago

Hey,

I am using the awsipranges library to facilitate categorisation of IP addresses, so we're limited to:

Valid values: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CLOUDFRONT_ORIGIN_FACING | CODEBUILD | DYNAMODB | EBS | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | ROUTE53 | ROUTE53_HEALTHCHECKS | ROUTE53_HEALTHCHECKS_PUBLISHING | ROUTE53_RESOLVER | S3 | WORKSPACES_GATEWAYS

I think we need to see if these resources you are describing fall under the EC2 bucket - and I'm hoping that is the case. I'll do some analysis on freshly deployed resources for other services and see if that's the case.

Additionally, we would have to write logic to obtain the public IPs for the resources you mentioned. This shouldn't be too hard to do.

Thanks for the support!

danielpops commented 2 years ago

I kinda doubt that the public IPs that can be automatically attached to, say, EKS clusters would fall in the EC2 service (I also don't think these end up as Elastic IPs). But I'm curious to hear what you find!

> Additionally, we would have to write logic to obtain the public IPs for the resources you mentioned. This shouldn't be too hard to do.

Yeah, in my organization we're doing this. Basically calling the relevant describe* APIs (redshift:describe-clusters, etc). Each one needs its own implementation but they're mostly pretty straightforward with boto3.

thatsmydoing commented 1 year ago

Another thing to add would be lightsail instances. I can confirm that they don't show up under EC2 network interfaces but they do use the EC2 IP range as well.
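
An added example, not part of any comment in this thread and not ghostbuster's own code: one way to write the per-service `describe*` enumeration mentioned above for Redshift, extended to the Lightsail instances raised in the previous comment. It assumes the caller passes a `boto3.Session`; the function names and the final A-record comparison are hypothetical.

```python
"""Collect public IPs that EC2 network-interface enumeration does not see."""


def redshift_public_ips(client):
    """Map public IP -> label for every node of every Redshift cluster."""
    found = {}
    for page in client.get_paginator("describe_clusters").paginate():
        for cluster in page.get("Clusters", []):
            for node in cluster.get("ClusterNodes", []):
                ip = node.get("PublicIPAddress")
                if ip:  # skip nodes that report no public address
                    found[ip] = f"redshift:{cluster['ClusterIdentifier']}"
    return found


def lightsail_public_ips(client):
    """Map public IP -> label for every Lightsail instance."""
    found = {}
    for page in client.get_paginator("get_instances").paginate():
        for inst in page.get("instances", []):
            ip = inst.get("publicIpAddress")
            if ip:  # skip instances that report no public address
                found[ip] = f"lightsail:{inst['name']}"
    return found


# One collector per service; each needs its own response parsing.
COLLECTORS = {"redshift": redshift_public_ips, "lightsail": lightsail_public_ips}


def owned_public_ips(session, regions):
    """session: a boto3.Session (assumption); returns {ip: 'service:name@region'}."""
    owned = {}
    for region in regions:
        for service, collect in COLLECTORS.items():
            client = session.client(service, region_name=region)
            for ip, label in collect(client).items():
                owned[ip] = f"{label}@{region}"
    return owned


def unowned_records(a_records, owned):
    """a_records: {hostname: ip}. Return records whose IP no enumerated resource holds."""
    return {host: ip for host, ip in a_records.items() if ip not in owned}


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges); no AWS call is made.
    owned = {"203.0.113.10": "redshift:dw@us-east-1"}
    print(unowned_records({"db.example.com": "203.0.113.10",
                           "old.example.com": "203.0.113.99"}, owned))
```
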

vlsecurity commented 1 year ago

infosec-au, then you may add a check for takeover of a subdomain pointing to an S3 bucket with a CNAME.