
Vulnerability Management

AWS

Check CVE on all instances

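#!/bin/bash

# This script will check your CVE-ID against all AWS accounts and regions.
# Usage: ./check_cve.sh CVE-2022-4022
# Be mindful of the CVE-ID syntax in the example above. Also you can only search for one CVE-ID at a time.
# From standard output you can follow on which account and region the script is working.
# The results can be found in the `output` folder.
## A folder will be created inside `output` for each CVE-ID you look for.
### Inside each CVE-ID folder you will find raw json files for each account and region with vulnerable instances.
## You can then filter and retrieve data from the json using `jq`.
### Example: jq -r '.findings[].resources[].id' raw_Prod_us-east-1.json
#-----------------------------------------------------------------------------------------------------------------

set -euo pipefail

# Listing all accounts and regions -- replace these placeholder values with your own.
readonly accounts=("Development" "PreProd" "Production")
readonly regions=("eu-west-1" "us-east-1")

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Authentication hook: replace the body with the command that logs the CLI
# into the given account. The script refuses to run until this is done.
# Arguments: $1 - account name taken from `accounts`
#######################################
authenticate() {
  local account=$1
  # <INSERT YOUR AUTHENTICATION COMMAND WITH THE VARIABLE $account>
  die "authenticate(): no authentication command configured (account: ${account})"
}

#######################################
# Collect ACTIVE Inspector findings for one CVE-ID in one account/region.
# Arguments: $1 - CVE-ID, $2 - account name, $3 - region
# Outputs:   writes output/<CVE-ID>/raw_<account>_<region>.json; the file is
#            removed again when it holds no findings or when the call failed.
# Returns:   0 always -- a failing region is reported on stderr and skipped,
#            so one region without Inspector does not abort the whole run.
#######################################
check_region() {
  local cve_id=$1 account=$2 region=$3
  local file="output/${cve_id}/raw_${account}_${region}.json"

  # Standard output for following the script activity
  printf '%s %s\n' "$account" "$region"

  # Listing findings filtered on your CVE-ID with the finding status "ACTIVE".
  # The shorthand filter is one quoted word so the CLI receives it intact.
  if ! aws inspector2 list-findings \
      --region "$region" \
      --filter-criteria "vulnerabilityId=[{comparison=EQUALS,value=${cve_id}}],findingStatus=[{comparison=EQUALS,value=ACTIVE}]" \
      > "$file"; then
    printf 'warning: list-findings failed for %s/%s, skipping\n' "$account" "$region" >&2
    rm -f -- "$file"
    return 0
  fi

  # Remove the file if no instance has been found vulnerable for the current account and region.
  # Counting entries in the JSON is more robust than counting lines of pretty-printed output.
  if ! jq -e '(.findings | length) > 0' "$file" >/dev/null; then
    rm -f -- "$file"
  fi
}

#######################################
# Entry point.
# Arguments: $1 - the single CVE-ID to search for
#######################################
main() {
  (( $# == 1 )) || die "usage: ${0##*/} CVE-YYYY-NNNN"
  local cve_id=$1
  # The CVE-ID ends up in a file path and in an API filter: accept only the CVE syntax.
  [[ "$cve_id" =~ ^CVE-[0-9]{4}-[0-9]{4,}$ ]] || die "invalid CVE-ID syntax: ${cve_id}"
  command -v aws >/dev/null || die "aws CLI not found"
  command -v jq >/dev/null || die "jq not found"

  # Output folder: one sub-folder per CVE-ID
  mkdir -p -- "output/${cve_id}"

  # For each account on each region retrieve all resources vulnerable to your CVE-ID
  local account region
  for account in "${accounts[@]}"; do
    authenticate "$account"
    for region in "${regions[@]}"; do
      check_region "$cve_id" "$account" "$region"
    done
  done
}

main "$@"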

Filtering on the output

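# Filtering examples for the raw Inspector output of one CVE-ID.
# Set CVE_ID (or edit the default) to point at the folder written by check_cve.sh.
cve_id=${CVE_ID:-CVE-2022-0847}

# How many distinct instances are vulnerable?
# The id is anchored on "^i-" so only EC2 instance ids are counted, not other
# resource ids that merely contain the text "i-".
jq -r '.findings[].resources[].id' output/"${cve_id}"/raw_* | grep '^i-' | sort -u | wc -l

# Which IAM instance profiles are attached to the vulnerable instances?
# (This is what the grep/cut on iamInstanceProfileArn extracted: the profile name, not an image.)
jq -r '.findings[].resources[].details.awsEc2Instance.iamInstanceProfileArn // empty' output/"${cve_id}"/raw_* | awk -F/ '{print $NF}' | sort -u

# What are the vulnerable images (AMI ids of the affected instances)?
jq -r '.findings[].resources[].details.awsEc2Instance.imageId // empty' output/"${cve_id}"/raw_* | sort -u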

Execute a command on all instances

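#!/bin/bash

#This script was used during the log4j investigation as a quick-win.
#The script takes as argument the command that will be executed on all SSM-managed instances of one region with the account you are logged into.
#Here, the use case was to retrieve all jar files and push them in a S3 bucket.
#You may want to modify this script depending on the command you execute on the instances.
#
# Usage:  S3_BUCKET=<bucket name> ./run_on_all.sh '<command printing one file path per line>'
# Env:    S3_BUCKET (required) - destination bucket for the copied files
#         REGION    (optional) - AWS region, defaults to eu-west-1 as in the original script
#-----------------------------------------------------------------------------------------------------------------

set -euo pipefail

readonly region=${REGION:-eu-west-1}

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Run one shell command on one instance through SSM and print its stdout.
# Arguments: $1 - instance id, $2 - command line to run on the instance
# Outputs:   StandardOutputContent of the invocation on stdout
# Returns:   non-zero when the command could not be sent, the waiter gave up
#            (it times out after about 100 sec) or the invocation did not succeed
#######################################
run_on_instance() {
  local instance=$1 remote_cmd=$2
  local command_id status

  # Parameters are passed as JSON built by jq instead of the shorthand syntax,
  # so quotes and spaces in the command survive untouched.
  command_id=$(aws ssm send-command --region "$region" \
      --instance-ids "$instance" \
      --document-name "AWS-RunShellScript" \
      --parameters "$(jq -cn --arg cmd "$remote_cmd" '{commands: [$cmd]}')" \
      --query "Command.CommandId" --output text) || return 1

  # Wait the command to finish (the waiter gives up after about 100 sec)
  aws ssm wait command-executed --region "$region" \
      --command-id "$command_id" --instance-id "$instance" || return 1

  # Only trust the output of an invocation that actually succeeded
  status=$(aws ssm get-command-invocation --region "$region" \
      --command-id "$command_id" --instance-id "$instance" \
      --query "Status" --output text) || return 1
  if [[ "$status" != "Success" ]]; then
    warn "command ${command_id} on ${instance} ended with status ${status}"
    return 1
  fi

  # --output text prints the content with real newlines, so no un-escaping is needed
  aws ssm get-command-invocation --region "$region" \
      --command-id "$command_id" --instance-id "$instance" \
      --query "StandardOutputContent" --output text
}

#######################################
# Entry point.
# Arguments: the command line to execute on every instance (joined with spaces)
#######################################
main() {
  (( $# >= 1 )) || die "usage: S3_BUCKET=<bucket> ${0##*/} <command to run on every instance>"
  local s3_bucket=${S3_BUCKET:?set S3_BUCKET to the destination bucket name}
  command -v aws >/dev/null || die "aws CLI not found"
  command -v jq >/dev/null || die "jq not found"

  # Temporary file for the command output, removed on any exit path
  local result_file
  result_file=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$result_file"' EXIT

  # Retrieve all instances from a region based on your access (authentication via CLI before).
  # Text output lists the ids tab-separated on one line; turn that into one id per line.
  local -a instances=()
  mapfile -t instances < <(aws ssm describe-instance-information --region "$region" \
      --query "InstanceInformationList[].InstanceId" --output text | tr '\t' '\n')
  (( ${#instances[@]} > 0 )) || die "no SSM-managed instances found in ${region}"

  local instance jar_path filename remote_cmd
  for instance in "${instances[@]}"; do
    # An empty list is printed as "None" in text output
    [[ -n "$instance" && "$instance" != "None" ]] || continue
    printf '%s\n' "$instance"

    # Execute the command; drop blank lines from its output
    if ! run_on_instance "$instance" "$*" | sed '/^[[:space:]]*$/d' > "$result_file"; then
      warn "skipping ${instance}: command failed"
      continue
    fi

    # Copy each file in the S3 bucket. The path is quoted with %q so spaces survive
    # on the remote shell (NOTE: paths with control characters would need $'..' support there).
    # The list is read on fd 3 so the aws calls inside the loop cannot consume it.
    while IFS= read -r -u 3 jar_path || [[ -n "$jar_path" ]]; do
      filename=${jar_path##*/}
      printf -v remote_cmd 'aws s3 cp %q %q' "$jar_path" "s3://${s3_bucket}/jar/${instance}/${filename}"
      run_on_instance "$instance" "$remote_cmd" || warn "copy of ${jar_path} from ${instance} failed"
    done 3< "$result_file"

    echo
  done
}

main "$@"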