Open danielpops opened 2 years ago
Hey,
I am using the awsipranges library to facilitate categorisation of IP addresses, so we're limited to:
Valid values: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CLOUDFRONT_ORIGIN_FACING | CODEBUILD | DYNAMODB | EBS | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | ROUTE53 | ROUTE53_HEALTHCHECKS | ROUTE53_HEALTHCHECKS_PUBLISHING | ROUTE53_RESOLVER | S3 | WORKSPACES_GATEWAYS
I think we need to see if these resources you are describing fall under the EC2 bucket - and I'm hoping that is the case. I'll do some analysis on freshly deployed resources for other services and see if that's the case.
Additionally, we would have to write logic to obtain the public IPs for the resources you mentioned. This shouldn't be too hard to do.
Thanks for the support!
I kinda doubt that the public IPs that can be automatically attached to, say, EKS clusters would fall in the EC2 service (I also don't think these end up as Elastic IPs). But I'm curious to hear what you find!
> Additionally, we would have to write logic to obtain the public IPs for the resources you mentioned. This shouldn't be too hard to do.

Yeah, in my organization we're doing this. Basically calling the relevant describe* APIs (redshift:describe-clusters, etc). Each one needs its own implementation but they're mostly pretty straightforward with boto3
Another thing to add would be lightsail instances. I can confirm that they don't show up under EC2 network interfaces but they do use the EC2 IP range as well.
infosec-au, then you may add a check for takeover of a subdomain pointing to an S3 bucket with a CNAME
There may be other ways that public IPs get assigned to resources in an AWS account that would be worth adding to the enumeration logic:
These are ones that I'm aware of, there may be others.
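The categorisation step discussed in this thread, as an added example that is not part of the original issue or the project's code: it matches public IPs collected per resource against service prefixes in the shape of AWS's published ip-ranges.json, using only the standard library rather than awsipranges. The prefixes, resource labels and addresses are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the shape of ip-ranges.json; the prefixes are
# documentation-reserved networks, not real AWS ranges.
SAMPLE_RANGES = {"prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/26", "region": "GLOBAL", "service": "CLOUDFRONT"},
]}

# Constructed inventory: public IPs as per-service describe* calls might
# return them, keyed by a hypothetical resource label.
SAMPLE_INVENTORY = {
    "ec2/i-example": "198.51.100.10",
    "lightsail/example-instance": "198.51.100.77",
    "redshift/example-cluster": "198.51.100.200",
    "dns/example-record": "192.0.2.1",
}

def build_index(doc):
    """Parse each prefix once so lookups do not re-parse CIDR strings."""
    return [(ipaddress.ip_network(p["ip_prefix"]), p["service"])
            for p in doc["prefixes"]]

def services_for(ip, index):
    """Return every service whose prefix contains the address (prefixes overlap)."""
    addr = ipaddress.ip_address(ip)
    return sorted({svc for net, svc in index if addr in net})

def categorise(inventory, index):
    """Label each resource's IP with its services and two coverage flags."""
    report = {}
    for resource, ip in inventory.items():
        services = services_for(ip, index)
        report[resource] = {
            "ip": ip,
            "services": services,
            "in_ec2_range": "EC2" in services,    # the check a scanner limited to EC2 relies on
            "in_any_aws_range": bool(services),   # False: address is outside the sample ranges
        }
    return report

if __name__ == "__main__":
    index = build_index(SAMPLE_RANGES)
    for resource, row in categorise(SAMPLE_INVENTORY, index).items():
        print(resource, row)
```
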