-
Notifications
You must be signed in to change notification settings - Fork 216
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
3084d98
commit a5c536c
Showing
374 changed files
with
48,704 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| reports/* | ||
| .idea* | ||
| .idea/* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| import time | ||
| import datetime | ||
| from termcolor import colored | ||
| import subprocess | ||
| print "\n\n" | ||
| print "################" | ||
| print " CERTS " | ||
| print "################" | ||
| epoch=int(time.time()) | ||
| certs = subprocess.check_output(['aws', 'iam', 'list-server-certificates', '--region', 'us-east-1', '--query', 'ServerCertificateMetadataList[].ServerCertificateName', '--output', 'text']) | ||
| print certs | ||
| if certs: | ||
| for cert in certs.split('\t'): | ||
| cert=str(cert).strip() | ||
| expire_date=subprocess.check_output(['aws', 'iam','--region','us-east-1', 'get-server-certificate', '--server-certificate-name', '%s'%(cert), '--query', 'ServerCertificate.ServerCertificateMetadata.Expiration', '--output', 'text']).strip() | ||
| expire_time=time.mktime(time.strptime(expire_date,'%Y-%m-%dT%H:%M:%SZ')) | ||
| epoch=int(time.time()) | ||
| if epoch > expire_time: | ||
| print colored("certificate %s has expired",'red') % cert | ||
| else: | ||
| print colored("certificate %s not expired", 'green') % cert |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| #!/usr/bin/env bash | ||
| # audit_aws_cf | ||
| # | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/CloudFormation/cloudformation-stack-notification.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/CloudFormation/cloudformation-stack-policy.html | ||
| #. | ||
| RED='\033[0;31m' | ||
| NC='\033[0m' | ||
| GREEN='\033[0;32m' | ||
| BOLD='\033[1m' | ||
| # Check Cloud Formation stacks are using SNS | ||
| printf "\n\n" | ||
| printf "${BOLD}##############\n" | ||
| printf "CloudFormation\n" | ||
| printf "##############${NC}\n\n" | ||
| for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do | ||
| stacks=`aws cloudformation list-stacks --region $aws_region --query 'StackSummaries[].StackId' --output text` | ||
| for stack in $stacks; do | ||
| check=`aws cloudformation describe-stacks --region $aws_region --stack-name $stack --query 'Stack[].NotificationARNs' --output text` | ||
| stack=`printf "$stack" |cut -f2 -d/` | ||
| if [ ! "$check" ]; then | ||
| printf "${RED}SNS topic does not exist for CloudFormation stack $stack${NC}\n" | ||
| else | ||
| printf "${GREEN}SNS topic does exist for CloudFormation stack $stack${NC}\n" | ||
| fi | ||
| done | ||
| # Check stacks have a policy | ||
| stacks=`aws cloudformation list-stacks --region $aws_region --query 'StackSummaries[].StackName' --output text` | ||
| for stack in $stacks; do | ||
| check=`aws cloudformation get-stack-policy --region $aws_region --stack-name $stack --query 'StackPolicyBody' --output text 2> /dev/null` | ||
| if [ ! "$check" ]; then | ||
| printf "${RED}CloudFormation stack $stack does not have a policy${NC}\n" | ||
| else | ||
| printf "${GREEN}CloudFormation stack $stack has a policy${NC}\n" | ||
| fi | ||
| done | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| #!/usr/bin/env bash | ||
| # audit_aws_config | ||
| # | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/Config/aws-config-enabled.html | ||
| #. | ||
| RED='\033[0;31m' | ||
| NC='\033[0m' | ||
| GREEN='\033[0;32m' | ||
| BOLD='\033[1m' | ||
| printf "\n\n" | ||
| printf "${BOLD}############\n" | ||
| printf " Config\n" | ||
| printf "############${NC}\n\n" | ||
| for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do | ||
| check=`aws configservice describe-configuration-recorders --region $aws_region` | ||
| if [ ! "$check" ]; then | ||
| printf "${RED}AWS Configuration Recorder not enabled${NC}\n" | ||
| else | ||
| printf "${GREEN}AWS Configuration Recorder enabled${NC}\n" | ||
| fi | ||
| check=`aws configservice --region $aws_region get-status |grep FAILED` | ||
| if [ "$check" ]; then | ||
| printf "${RED}AWS Config not enabled${NC}\n" | ||
| else | ||
| printf "${GREEN}AWS Config enabled in region $aws_region${NC}\n" | ||
| fi | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| #!/usr/bin/env bash | ||
| # audit_aws_dns | ||
| # | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/Route53/route-53-domain-auto-renew.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/Route53/route-53-domain-expired.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/Route53/sender-policy-framework-record-present.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/Route53/route-53-domain-transfer-lock.html | ||
| #. | ||
|
|
||
| RED='\033[0;31m' | ||
| NC='\033[0m' | ||
| GREEN='\033[0;32m' | ||
| BOLD='\033[1m' | ||
| printf "\n\n" | ||
| printf "${BOLD}############\n" | ||
| printf " Route53\n" | ||
| printf "############${NC}\n\n" | ||
| for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do | ||
| domains=`aws route53domains --region $aws_region list-domains --query 'Domains[].DomainName' --output text 2> /dev/null` | ||
| for domain in $domains; do | ||
| check=`aws route53domains get-domain-detail --region $aws_region --domain-name $domain |grep true` | ||
| if [ ! "$check" ]; then | ||
| printf "${RED}Domain $domain does not auto renew${NC}\n" | ||
| else | ||
| printf "${GREEN}Domain $domain does auto renew${NC}\n" | ||
| fi | ||
| cur_secs=`date "+%s"` | ||
| exp_secs=`aws route53domains get-domain-detail --region $aws_region --domain-name $domain --query "ExpirationDate" --output text 2> /dev/null` | ||
| if [ "$exp_secs" -lt "$cur_secs" ]; then | ||
| printf "${RED}Warning: Domain $domain registration has expired${NC}\n" | ||
| else | ||
| printf "${GREEN}Domain $domain registration has not expired${NC}\n" | ||
| fi | ||
| check=`aws route53domains get-domain-detail --region $aws_region --domain-name $domain --query "Status" --output text 2> /dev/null | grep clientTransferProhibited` | ||
| if [ ! "$check" ]; then | ||
| printf "${RED}Domain $domain does not have Domain Transfer Lock enabled${NC}\n" | ||
| else | ||
| printf "${GREEN}Domain $domain does have Domain Transfer Lock enabled${NC}\n" | ||
| fi | ||
| done | ||
| zones=`aws route53 list-hosted-zones --region $aws_region --query "HostedZones[].Id" --output text 2> /dev/null |cut -f3 -d'/'` | ||
| for zone in $zones; do | ||
| spf=`aws route53 list-resource-record-sets --region $aws_region --hosted-zone-id $zone --query "ResourceRecordSets[?Type == 'SPF']" --output text` | ||
| if [ ! "$spf" ]; then | ||
| printf "${RED}Zone $zone does not have SPF records${NC}\n" | ||
| else | ||
| printf "${GREEN}Zone $zone has SPF records${NC}\n" | ||
| fi | ||
| done | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| #!/usr/bin/env bash | ||
| # audit_aws_ec | ||
| # | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/ElastiCache/elasticache-multi-az.html | ||
| #. | ||
| RED='\033[0;31m' | ||
| NC='\033[0m' | ||
| GREEN='\033[0;32m' | ||
| BOLD='\033[1m' | ||
| printf "\n\n" | ||
| printf "${BOLD}############\n" | ||
| printf " ElastiCache\n" | ||
| printf "############${NC}\n\n" | ||
| for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do | ||
| caches=`aws elasticache describe-replication-groups --region $aws_region --query 'ReplicationGroups[].ReplicationGroupId' --output text` | ||
| for cache in $caches; do | ||
| check=`aws elasticache describe-replication-groups --region $aws_region --replication-group-id $cache --query 'ReplicationGroups[].AutomaticFailover' |grep enabled` | ||
| if [ ! "$check" ]; then | ||
| printf "${RED}ElastiCache $cache is not Multi-AZ enabled${NC}\n" | ||
| else | ||
| printf "${GREEN}ElastiCache $cache is Multi-AZ enabled${NC}\n" | ||
| fi | ||
| done | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| #!/usr/bin/env bash | ||
| # audit_aws_ec2 | ||
| # | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/EC2/default-securitygroups-in-use.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/EC2/ec2-instance-using-iam-roles.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/EC2/publicly-shared-ami.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/EBS/ebs-encrypted.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/EBS/ebs-encrypted-with-kms-customer-master-keys.html | ||
| #. | ||
| RED='\033[0;31m' | ||
| NC='\033[0m' | ||
| GREEN='\033[0;32m' | ||
| BOLD='\033[1m' | ||
| printf "\n\n" | ||
| printf "${BOLD}############\n" | ||
| printf " EC2\n" | ||
| printf "############${NC}\n\n" | ||
| for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do | ||
| check=`aws ec2 describe-instances --region $aws_region --query 'Reservations[*].Instances[?!IamInstanceProfile==\`true\`].InstanceId[]' --output text` | ||
| if [[ ! -z $check ]];then | ||
| checkb=`aws ec2 describe-instances --region $aws_region --query 'Reservations[*].Instances[?!IamInstanceProfile==\`true\`].InstanceId[]'` | ||
| printf "${RED}List of servers which are not associated with IamInstanceProfile $checkb in region $aws_region ${NC}\n" | ||
| fi | ||
| public=`aws ec2 describe-images --region $aws_region --owners self --query 'Images[?Public==\`true\`].ImageId' --output text` | ||
| if [ "$public" ]; then | ||
| printf "${RED}List of Images which are public $public for region $aws_region ${NC}\n" | ||
| fi | ||
| check=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?Encrypted==\`false\`].VolumeId' --output text` | ||
| if [[ ! -z $check ]];then | ||
| checkb=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?Encrypted==\`false\`].VolumeId'` | ||
| printf "${RED}List of volumes which are not encrypted $checkb for region $aws_region${NC}\n" | ||
| fi | ||
| kms=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?!KmsKeyId==\`true\`].VolumeId' --output text` | ||
| if [[ ! -z $kms ]];then | ||
| kmsb=`aws ec2 describe-volumes --region $aws_region --query 'Volumes[?!KmsKeyId==\`true\`].VolumeId'` | ||
| printf "${RED}List of volumes which are not encrypted with KMS key are $kmsb for region $aws_region ${NC}\n" | ||
| fi | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| #!/usr/bin/env bash | ||
| # audit_aws_elb | ||
| # | ||
| # Refer to http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/ELB/elb-access-log.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/ELB/elb-insecure-ssl-ciphers.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/ELB/elb-insecure-ssl-protocols.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/ELB/elb-listener-security.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/ELB/elb-security-group.html | ||
| #. | ||
| RED='\033[0;31m' | ||
| NC='\033[0m' | ||
| GREEN='\033[0;32m' | ||
| BOLD='\033[1m' | ||
| printf "\n\n" | ||
| printf "${BOLD}############\n" | ||
| printf " ELB\n" | ||
| printf "############${NC}\n\n" | ||
| for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do | ||
|
|
||
| elbs=`aws elb describe-load-balancers --region $aws_region --query "LoadBalancerDescriptions[].LoadBalancerName" --output text` | ||
| for elb in $elbs; do | ||
| #echo "$elb" | ||
| protocols=`aws elb describe-load-balancers --region $aws_region --load-balancer-name $elb --query "LoadBalancerDescriptions[].ListenerDescriptions[].Listener[].Protocol" --output text` | ||
| for protocol in $protocols;do | ||
| if [ "$protocol" == "HTTP" ];then | ||
| https=`aws elb describe-load-balancers --region $aws_region --load-balancer-name $elb --query "LoadBalancerDescriptions[].ListenerDescriptions[].Listener[]" | grep -B 1 80, | grep 443` | ||
| if [ ! "$https" ];then | ||
| printf "${RED}$elb is running only on http${NC}\n" | ||
| fi | ||
| fi | ||
| done | ||
| list=`aws elb describe-load-balancer-policies --region $aws_region --load-balancer-name $elb --output text` | ||
| for cipher in SSLv2 RC2-CBC-MD5 PSK-AES256-CBC-SHA PSK-3DES-EDE-CBC-SHA KRB5-DES-CBC3-SHA KRB5-DES-CBC3-MD5 \ | ||
| PSK-AES128-CBC-SHA PSK-RC4-SHA KRB5-RC4-SHA KRB5-RC4-MD5 KRB5-DES-CBC-SHA KRB5-DES-CBC-MD5 \ | ||
| EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-ADH-DES-CBC-SHA EXP-DES-CBC-SHA \ | ||
| SSLv3 EXP-RC2-CBC-MD5 EXP-KRB5-RC2-CBC-SHA EXP-KRB5-DES-CBC-SHA EXP-KRB5-RC2-CBC-MD5 \ | ||
| EXP-KRB5-DES-CBC-MD5 EXP-ADH-RC4-MD5 EXP-RC4-MD5 EXP-KRB5-RC4-SHA EXP-KRB5-RC4-MD5; do | ||
| check=`echo "$list" |grep $cipher |grep true` | ||
| if [ "$check" ]; then | ||
| printf "${RED}ELB $elb is using deprecated cipher $cipher${NC}\n" | ||
| fi | ||
| done | ||
| done | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| #!/usr/bin/env bash | ||
| # audit_aws_es | ||
| # | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/Elasticsearch/elasticsearch-domain-exposed.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/Elasticsearch/elasticsearch-accessible-only-from-whitelisted-ip-addresses.html | ||
| #. | ||
| RED='\033[0;31m' | ||
| NC='\033[0m' | ||
| GREEN='\033[0;32m' | ||
| BOLD='\033[1m' | ||
| printf "\n\n" | ||
| printf "${BOLD}############\n" | ||
| printf "ElasticSearch\n" | ||
| printf "############${NC}\n\n" | ||
| for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do | ||
| domains=`aws es list-domain-names --region $aws_region --query "DomainNames[].DomainName" --output text` | ||
| for domain in $domains; do | ||
| check=`aws es describe-elasticsearch-domain --domain-name $domain --query 'DomainStatus.AccessPolicies' --output text |grep Principle | grep "{\"AWS\":\"\*\"}"` | ||
| if [ ! "$check" ]; then | ||
| printf "${RED}Elasticsearch doamin $domain is not publicly accessible${NC}\n" | ||
| else | ||
| printf "${GREEN}Elasticsearch doamin $domain is publicly accessible${NC}\n" | ||
| fi | ||
| check=`aws es describe-elasticsearch-domain --domain-name $domain --query 'DomainStatus.AccessPolicies' --output text |grep "aws:SourceIp" |grep "[0-9]\."` | ||
| if [ ! "$check" ]; then | ||
| printf "${RED}Elasticsearch domain $domain does not have and IP based access policy${NC}\n" | ||
| else | ||
| printf "${GREEN}Elasticsearch doamin $domain has an IP based access policy${NC}\n" | ||
| fi | ||
| done | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| #!/usr/bin/env bash | ||
| # audit_aws_keys | ||
| # | ||
| # Refer to Section(s) 2.8 Page(s) 85-6 CIS AWS Foundations Benchmark v1.1.0 | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/IAM/unnecessary-ssh-public-keys.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/KMS/key-rotation-enabled.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/KMS/unused-customer-master-key.html | ||
| RED='\033[0;31m' | ||
| NC='\033[0m' | ||
| GREEN='\033[0;32m' | ||
| BOLD='\033[1m' | ||
| printf "\n\n" | ||
| aws_region=`aws configure get region` | ||
| printf "${BOLD}############\n" | ||
| printf " AWS SSH\n" | ||
| printf "############${NC}\n\n" | ||
| # Check for SSH keys | ||
| users=`aws iam list-users --query 'Users[].UserName' --output text` | ||
| for user in $users; do | ||
| check=`aws iam list-ssh-public-keys --region $aws_region --user-name $user |grep Active |wc -l` | ||
| if [ "$check" -gt 1 ]; then | ||
| printf "${RED}User $user does has more than one active SSH key${NC}\n" | ||
| else | ||
| printf "${GREEN}User $user does not have any active SSH key${NC}\n" | ||
| fi | ||
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| #!/usr/bin/env bash | ||
| # audit_aws_rds | ||
| # | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/RDS/rds-auto-minor-version-upgrade.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/RDS/rds-automated-backups-enabled.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/RDS/rds-encryption-enabled.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/RDS/rds-publicly-accessible.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/RDS/rds-encrypted-with-kms-customer-master-keys.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/RDS/instance-not-in-public-subnet.html | ||
| # Refer to https://www.cloudconformity.com/conformity-rules/RDS/rds-master-username.html | ||
| #. | ||
| RED='\033[0;31m' | ||
| NC='\033[0m' | ||
| GREEN='\033[0;32m' | ||
| BOLD='\033[1m' | ||
| printf "\n\n" | ||
| printf "${BOLD}############\n" | ||
| printf " RDS\n" | ||
| printf "############${NC}\n\n" | ||
| for aws_region in ap-south-1 eu-west-2 eu-west-1 ap-northeast-2 ap-northeast-1 sa-east-1 ca-central-1 ap-southeast-1 ap-southeast-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2;do | ||
| dbs=`aws rds describe-db-instances --region $aws_region --query 'DBInstances[].DBInstanceIdentifier' --output text` | ||
| for db in $dbs; do | ||
| check=`aws rds describe-db-instances --region $aws_region --db-instance-identifier $db --query 'DBInstances[].MasterUsername' |grep "awsuser"` | ||
| if [ "$check" ]; then | ||
| echo -e "${RED}RDS instance $db is using aws-user as master username${NC}\n" | ||
| else | ||
| echo -e "${GREEN}RDS instance $db is not using aws-user as master username${NC}\n" | ||
| fi | ||
| done | ||
| done |
Oops, something went wrong.