{"id":20645480,"url":"https://github.com/leboncoin/aws-tower","last_synced_at":"2026-03-11T17:03:12.901Z","repository":{"id":37027764,"uuid":"237448309","full_name":"leboncoin/aws-tower","owner":"leboncoin","description":"AWS Tower give the ability to discover and monitor AWS account to find vulnerabilities or misconfigurations. Give also a brief overview for non-AWS expert. Not related at all of the AWS Trusted Advisor.","archived":false,"fork":false,"pushed_at":"2025-01-19T00:15:37.000Z","size":432,"stargazers_count":38,"open_issues_count":5,"forks_count":3,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-03-29T04:02:34.640Z","etag":null,"topics":["audit","aws","leboncoin","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/leboncoin.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-31T14:37:39.000Z","updated_at":"2025-03-17T10:35:55.000Z","dependencies_parsed_at":"2024-11-16T16:21:26.346Z","dependency_job_id":"e1cd6274-aa1b-4d21-8f51-3301e72b40ba","html_url":"https://github.com/leboncoin/aws-tower","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leboncoin%2Faws-tower","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leboncoin%2Faws-tower/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leboncoin%2Faws-tower/releases","manifests_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/leboncoin%2Faws-tower/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/leboncoin","download_url":"https://codeload.github.com/leboncoin/aws-tower/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249183106,"owners_count":21226142,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","aws","leboncoin","security-tools"],"created_at":"2024-11-16T16:20:00.876Z","updated_at":"2026-03-11T17:03:12.851Z","avatar_url":"https://github.com/leboncoin.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Tower\n\nAWS Tower gives the ability to discover and monitor an AWS account to find vulnerabilities or misconfigurations.\nIt also gives a brief overview for non-AWS experts.\n\nNot related at all to AWS Trusted Advisor.\n\nAWS Services monitored:\n- API Gateway\n- CloudFront\n- EC2\n- EKS\n- ALB/ELB\n- IAM\n- MQ\n- RDS\n- S3\n- VPC\n\n## Prerequisites\n\n```bash\n$ pip install -r requirements.txt\n$ cp config/rules.yaml.sample config/rules.yaml # if you want to use \"audit\"\n$ cp config/subnet_allow_list.txt.sample config/subnet_allow_list.txt # if you want to use a subnet allow list\n$ cp config/trusted_accounts_list.txt.sample config/trusted_accounts_list.txt # if you want to use an aws account allow list\n```\n\n## Usage\n\n```bash\n$ alias aws-tower='\u003cpath\u003e/aws_tower_cli.py'\n```\n\n```bash\n$ aws-tower --help\nusage: aws_tower_cli.py [-h] [--version] [--no-color] [--no-cache] 
[--clean-cache] [-l] [-p] {audit,discover,draw,iam} ...\n\npositional arguments:\n  {audit,discover,draw,iam}\n                        commands\n    audit               Audit AWS account to find security issues\n    discover            Discover assets in an AWS account\n    draw                Draw a threat model of your AWS account\n    iam                 Display IAM info for an AWS account\n\noptions:\n  -h, --help            show this help message and exit\n  --version             show program's version number and exit\n  --no-color            Disable colors\n  --no-cache            Disable cache\n  --clean-cache         Erase current cache by a new one\n  -l, --layer           [BETA] Generate a layer for the ATT\u0026CK navigator\n  -p, --list-profiles   List available profiles\n```\n\n```bash\n$ aws-tower audit --help\nusage: aws_tower_cli.py audit [-h] [-t {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,MQ,RDS,S3,VPC}] [-m {info,low,medium,high,critical}] [-M {info,low,medium,high,critical}] [-f FILTER] [-v] [-b]\n                              [-s] [-o OUTPUT]\n                              profile\n\npositional arguments:\n  profile               A valid profile name configured in the ~/.aws/config file\n\noptions:\n  -h, --help            show this help message and exit\n  -t {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,MQ,RDS,S3,VPC}, --type {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,MQ,RDS,S3,VPC}\n                        Types to display (default: display everything)\n  -m {info,low,medium,high,critical}, --min-severity {info,low,medium,high,critical}\n                        min severity level to report when security is enabled (default: medium)\n  -M {info,low,medium,high,critical}, --max-severity {info,low,medium,high,critical}\n                        max severity level to report when security is enabled (default: high)\n  -f FILTER, --filter FILTER\n                        Filter by asset value (Ex: \"something\", \"port:xxx\", \"engine:xxx\", \"version:xxx\", \"os:xxx\"\n  -v, 
--verbose         Verbose output of the account assets\n  -b, --brief           Brief output of the account assets\n  -s, --summary         Summary of the account assets\n  -o OUTPUT, --output OUTPUT\n                        Save the JSON output inside the specified file\n```\n\n```bash\n$ aws-tower discover --help\nusage: aws_tower_cli.py discover [-h] [-t {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,MQ,RDS,S3,VPC}] [-p] [-f FILTER] [-v] [-b] [-s] [-o OUTPUT] profile\n\npositional arguments:\n  profile               A valid profile name configured in the ~/.aws/config file\n\noptions:\n  -h, --help            show this help message and exit\n  -t {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,MQ,RDS,S3,VPC}, --type {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,MQ,RDS,S3,VPC}\n                        Types to display (default: display everything)\n  -p, --public-only     Display public assets only\n  -f FILTER, --filter FILTER\n                        Filter by asset value (Ex: \"something\", \"port:xxx\", \"engine:xxx\", \"version:xxx\", \"os:xxx\"\n  -v, --verbose         Verbose output of the account assets\n  -b, --brief           Brief output of the account assets\n  -s, --summary         Summary of the account assets\n  -o OUTPUT, --output OUTPUT\n                        Save the JSON output inside the specified file\n```\n\n```bash\n$ aws-tower draw --help\nusage: aws_tower_cli.py draw [-h] [-t {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,MQ,RDS,S3,VPC}] [--limit] [--all] [--vpc-peering-dot VPC_PEERING_DOT] profile\n\npositional arguments:\n  profile               A valid profile name configured in the ~/.aws/config file\n\noptions:\n  -h, --help            show this help message and exit\n  -t {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,MQ,RDS,S3,VPC}, --type {APIGW,CLOUDFRONT,EC2,EKS,ELB,IAM,MQ,RDS,S3,VPC}\n                        Types to display (default: display everything)\n  --limit               Restrict to only interesting assets among vulnerable\n  --all                 All assets, without lonely nodes\n 
 --vpc-peering-dot VPC_PEERING_DOT\n                        Save VPC peering dot file\n```\n\n```bash\n$ aws-tower iam --help\nusage: aws_tower_cli.py iam [-h] [-s SOURCE] [-a ACTION] [--min-rights {admin,poweruser,reader}] [--service SERVICE] [-d] [--only-dangerous-actions] [-v] profile\n\npositional arguments:\n  profile               A valid profile name configured in the ~/.aws/config file\n\noptions:\n  -h, --help            show this help message and exit\n  -s SOURCE, --source SOURCE\n                        Source arn\n  -a ACTION, --action ACTION\n                        Action to match\n  --min-rights {admin,poweruser,reader}\n                        Minimum actions rights\n  --service SERVICE     Action Category to match\n  -d, --display         Display informations about the source ARN\n  --only-dangerous-actions\n                        Display IAM dangerous actions only\n  -v, --verbose         Verbose output of the account assets\n```\n\n## Usage (lambda)\n\n```bash\n$ pip install -r requirements.lambda.txt --target ./package\n\n$ cp config/lambda.config.sample config/lambda.config\n$ export PATROWL_APITOKEN=xxxxxxxxxxxxxxx\n$ export PATROWL_PRO_ASSETGROUP=1\n$ export PATROWL_PRE_ASSETGROUP=2\n$ export PATROWL_DEV_ASSETGROUP=3\n$ export PATROWL_PRIVATE_ENDPOINT=http://localhost/\n$ export PATROWL_PUBLIC_ENDPOINT=http://localhost/\n\n$ python -c 'from monitoring.aws_lambda import aws_tower_child; aws_tower_child.main({ \"my-account-profile\": \"arn:aws:iam::xxxxxxxxxxxxx:role/readonly\", \"env\": \"pro|pre|dev\", \"region_name\": \"eu-west-1\", \"meta_types\": [\"S3\"] })'\n```\n\n\n## Usage (layers)\n\n```bash\n$ aws-tower --layer \u003e /tmp/aws-tower-layer.json\n```\n\nThen, go to [Attack Navigator](https://mitre-attack.github.io/attack-navigator/#comment_underline=false)\n\nClick on \"Open Existing Layer\" -\u003e \"Upload from local\"\n\nUpload your generated file, `/tmp/aws-tower-layer.json`\n\nYou will have a warning, **Click No** to refuse the 
upgrade on Att\u0026ck v12, stay in v11.\n\n\n## Usage (draw)\n\n```bash\n# Display demo-account with only medium, high and critical findings\n$ aws-tower draw demo-account\n\n# Display demo-account, with all assets\n$ aws-tower draw demo-account --all\n\n# Display VPC peering connections in demo-account\n$ aws-tower draw demo-account --vpc-peering-dot /tmp/_vpc_demo_account.dot\n$ dot -Tjpg /tmp/_vpc_demo_account.dot -o /tmp/_vpc_demo_account.jpg\n\n# Display VPC peering connections in all accounts\n$ for account in $(aws-tower -p); do aws-tower draw $account --vpc-peering-dot \"/tmp/_${account}.dot\"; done\n$ (echo 'graph {'; grep -h -- ';' /tmp/_*.dot | sort -u; echo '}')\u003e /tmp/complete.dot\n$ dot -Tjpg /tmp/complete.dot -o /tmp/graph.jpg\n```\n\n\n## Findings\n\nSome rules already exist in `config/rules.yaml.sample`, but you can add your own too.\n\n### Define finding\n\nYou need to add your findings in `config/rules.yaml` with the following format:\n```yaml\n- message:\n    text: '{arg1}: Your text ({arg2}, {arg3}), your text'\n    args:\n      arg1:\n        type: dict\n        key: key_in_dict\n        variable: dict\n      arg2:\n        type: variable\n        variable: my_variable\n      arg3:\n        type: variable\n        variable: my_other_variable\n  rules:\n    - type: in # not_in, is_cidr, is_private_cidr, ...\n      description: Check if 'all' is 'IN' 'ports'\n      conditions:\n        - type: constant\n          name: data_element\n          value: all\n      data_sources:\n        - type: variable\n          name: data_list\n          value: ports\n  severity: medium # info, medium, high, critical\n```\n\n### Types\n\nTypes already present:\n\n- in: check if `data_element` is in `data_list`\n- not_in: check if `data_element` is not in `data_list`\n- has_attribute: check if `data_sources['asset']` has the attribute `conditions['attribute']`\n- has_not_attribute: check if `data_sources['asset']` hasn't the attribute 
`conditions['attribute']`\n- has_attribute_equal: check if `data_sources['attribute_value']` has the attribute equal to `conditions['attribute_value']`\n- has_attribute_not_equal: check if `data_sources['attribute_value']` has the attribute not equal to `conditions['attribute_value']`\n- is_cidr: check if `source` is a CIDR (example: `0.0.0.0/0` is a valid cidr).\n- is_private_cidr: check if `source` is a private CIDR (rfc 1918)\n- is_in_networks: check if `source` is one of the networks in `networks`\n- is_ports: check if `source` is a port or a range of ports (example: 9000-9001 is valid)\n- engine_deprecated_version: check if `engine` version is higher than `versions`\n\nTo add a new type, you must define it in `libs/patterns.py` with the following format:\n\n- The method name must be: `_check_rule_{type}` where **type** is the name you want (like `is_cidr`, `type_regex`, ...)\n- Use 2 arguments for your method (will be changed in next update)\n\n## Developer documentation\n\nTo generate the documentation:\n```bash\n$ cd docs \u0026\u0026 make html\n```\n\nTo update the documentation:\n```bash\n$ sphinx-apidoc -o docs/source .\n```\n\n# License\nLicensed under the [Apache License](https://github.com/leboncoin/aws-tower/blob/master/LICENSE), Version 2.0 (the \"License\").\n\n# Copyright\nCopyright 2020-2023 Leboncoin\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fleboncoin%2Faws-tower","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fleboncoin%2Faws-tower","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fleboncoin%2Faws-tower/lists"}
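Worked example of how the rule format from the README's "Define finding" section and the check types from its "Types" section fit together, including the `_check_rule_{type}` extension point. This is an added illustration, not aws-tower's own code; it does not read `config/rules.yaml` and makes assumptions the README does not state: each check handler is called with two dicts (the resolved `conditions` and `data_sources`, name to value), an asset is a plain dict of variables, `networks` for `is_in_networks` is given as a condition, `is_public_cidr` is a hypothetical custom type added to show how a new type plugs in, and the rule and security-group assets are constructed for the example.

```python
"""Minimal evaluator for rules in the shape of aws-tower's config/rules.yaml.

Added example, not the project's code.  Assumptions not stated by the README:
a handler _check_rule_<type>(conditions, data_sources) receives two name->value
dicts, an asset is a dict of variables, 'networks' is a condition, and
is_public_cidr is a hypothetical custom type added to show the extension point.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RANGE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def _as_network(value):
    """Parse a CIDR or bare IP string; None when it is not one."""
    try:
        return ipaddress.ip_network(str(value), strict=False)
    except ValueError:
        return None


def _check_rule_in(conditions, data_sources):
    return conditions["data_element"] in data_sources["data_list"]


def _check_rule_not_in(conditions, data_sources):
    return conditions["data_element"] not in data_sources["data_list"]


def _check_rule_is_cidr(conditions, data_sources):
    return _as_network(data_sources["source"]) is not None


def _check_rule_is_private_cidr(conditions, data_sources):
    net = _as_network(data_sources["source"])
    return net is not None and net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def _check_rule_is_in_networks(conditions, data_sources):
    net = _as_network(data_sources["source"])
    if net is None:
        return False
    nets = [_as_network(n) for n in conditions["networks"]]
    return any(n is not None and n.version == net.version and net.subnet_of(n) for n in nets)


def _check_rule_is_ports(conditions, data_sources):
    """A single port or a lo-hi range, both inside 0-65535 (so '9000-90001' is rejected)."""
    m = PORT_RANGE.match(str(data_sources["source"]))
    if not m:
        return False
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return lo <= hi <= 65535


def _check_rule_is_public_cidr(conditions, data_sources):
    """Hypothetical custom type: a valid CIDR that is not RFC 1918 space."""
    return _check_rule_is_cidr(conditions, data_sources) and not _check_rule_is_private_cidr(conditions, data_sources)


def check(rule_type, conditions, data_sources):
    """Dispatch on the _check_rule_<type> naming the README asks for in libs/patterns.py."""
    handler = globals().get(f"_check_rule_{rule_type}")
    if handler is None:
        raise ValueError(f"unknown rule type: {rule_type}")
    return handler(conditions, data_sources)


def _resolve(items, variables):
    """Turn a conditions/data_sources list into name -> value; 'variable' items read the asset."""
    resolved = {}
    for item in items:
        if item["type"] == "constant":
            resolved[item["name"]] = item["value"]
        elif item["type"] == "variable":
            resolved[item["name"]] = variables[item["value"]]
        else:
            raise ValueError(f"unknown item type: {item['type']}")
    return resolved


def _format_message(message, variables):
    """Fill the message text from its args: 'dict' args index a variable, 'variable' args use it whole."""
    args = {}
    for name, spec in message["args"].items():
        if spec["type"] == "dict":
            args[name] = variables[spec["variable"]][spec["key"]]
        else:
            args[name] = variables[spec["variable"]]
    return message["text"].format(**args)


def evaluate(rule, variables):
    """(text, severity) when every check in rule['rules'] passes for this asset, else None."""
    for c in rule["rules"]:
        if not check(c["type"], _resolve(c.get("conditions", []), variables), _resolve(c.get("data_sources", []), variables)):
            return None
    return _format_message(rule["message"], variables), rule["severity"]


# Constructed rule: the parsed form of one rules.yaml entry flagging SSH opened to non-private sources.
SSH_FROM_INTERNET = {
    "message": {
        "text": "{sg}: port 22 reachable from {source} (opened ports: {ports})",
        "args": {"sg": {"type": "dict", "key": "GroupId", "variable": "sg"},
                 "source": {"type": "variable", "variable": "source"},
                 "ports": {"type": "variable", "variable": "ports"}},
    },
    "rules": [
        {"type": "in", "description": "Check if '22' is 'IN' 'ports'",
         "conditions": [{"type": "constant", "name": "data_element", "value": "22"}],
         "data_sources": [{"type": "variable", "name": "data_list", "value": "ports"}]},
        {"type": "is_public_cidr", "description": "Check if 'source' is outside RFC 1918",
         "data_sources": [{"type": "variable", "name": "source", "value": "source"}]},
    ],
    "severity": "high",
}

# Constructed assets: one security-group ingress rule each, exposed as the variables a rule may read.
ASSETS = [
    {"sg": {"GroupId": "sg-0aaa"}, "ports": ["22", "443"], "source": "0.0.0.0/0"},
    {"sg": {"GroupId": "sg-0bbb"}, "ports": ["22"], "source": "10.0.0.0/8"},
    {"sg": {"GroupId": "sg-0ccc"}, "ports": ["443"], "source": "0.0.0.0/0"},
]


def audit(assets=ASSETS, rules=(SSH_FROM_INTERNET,)):
    """Run every rule over every asset; returns the (text, severity) findings, here only sg-0aaa."""
    return [f for asset in assets for rule in rules if (f := evaluate(rule, asset))]


if __name__ == "__main__":
    for text, severity in audit():
        print(f"[{severity}] {text}")
```

Every check in a rule must pass for the finding to fire, so sg-0bbb (SSH open, but only to 10.0.0.0/8) and sg-0ccc (internet-facing, but only 443) produce nothing, while an unknown `type` raises instead of silently passing, which is the safe failure mode for an audit rule engine.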