- To list all dependencies:
go list std | tr -d "\[|\]" | tr " " "\n" | sort -u > std-library
go list -f {{.Deps}} | tr -d "\[|\]" | tr " " "\n" | sort -u > all-dependencies
sort std-library std-library all-dependencies | uniq -uOthers:
Kinnaird McQuade kmcquade
kmcquade
/ calculating-golang-dependencies.md
Created
December 16, 2020 18:24
kmcquade
/ ecr-registry-enforcement.json
Last active
May 29, 2022 17:13
The Policy below prevents the account from self-managing container images. Users and Roles in the account cannot upload any container images unless the registry is owned by an approved ECR account ID.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "PreventSelfManagedImages", | |
| "Action": [ | |
| "ecr:BatchDeleteImage", | |
| "ecr:CompleteLayerUpload", | |
| "ecr:Create*", | |
| "ecr:Delete*", |
kmcquade
/ nuke-azure.sh
Last active
November 5, 2020 16:01
Nuke every Azure resource group in every Azure subscription
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| for sub in `az account list | jq -r '.[].id'`; do \ | |
| for rg in `az group list --subscription $sub | jq -r '.[].name'`; do \ | |
| az group delete --name ${rg} --subscription $sub --no-wait --yes; \ | |
| done; done; |
kmcquade
/ exploit-explanation.tf
Last active
October 30, 2020 16:15
Explanation: Recursively nuke things from a CICD build agent running Terraform with Azure God mode permissions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "null_resource" "nuke" { | |
| # Because we set this to timestamp, it *always* runs :D | |
| triggers = { | |
| party_like_its_jan_1_1970 = timestamp() | |
| } | |
| provisioner "local-exec" { | |
| # Pseudocode for some bash magic that: | |
| # 1. gets a list of all subscriptions | |
| # 2. For each subscription, list the resource groups |
kmcquade
/ input-serverless-iam-user.yml
Last active
October 30, 2020 13:44
Policy Sentry template to deploy full stack serverless app (Lambda functions, API Gateway, CloudFront distribution, and S3 objects)cat
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| mode: crud | |
| name: 'ServerlessAppDeployAutomationUser' | |
| # Specify resource ARNs | |
| read: | |
| - 'arn:aws:execute-api:*:*:*/*/*/*' | |
| - 'arn:aws:lambda:*:*:function:cloudsplaining-*' | |
| - 'arn:aws:s3:::cloudsplaining-serverless-*/*' | |
| - 'arn:aws:cloudfront::*:distribution/mydistributionid' | |
| write: | |
| - 'arn:aws:execute-api:*:*:*/*/*/*' |
kmcquade
/ image-baking-enforcement-scp.json
Created
October 19, 2020 15:59
image-baking-enforcement-scp.json
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "EnforceApprovedImageOwners", | |
| "Action": [ | |
| "ec2:RunInstances" | |
| ], | |
| "Effect": "Deny", | |
| "Resource": "arn:aws:ec2:*::image/ami-*", |
kmcquade
/ print_datetime_example.md
Created
September 30, 2020 15:10
Example of how to avoid TypeErrors with Boto3 scripts due to datetime errors
# add this class
class DatetimeEncoder(json.JSONEncoder):
def default(self, obj):
try:
return super().default(obj)
except TypeError:
return str(obj)
kmcquade
/ task-list-concept-for-cloudsplaining.md
Last active
August 30, 2020 14:34
task-list-concept-for-cloudsplaining.md
I think we should target the "task list" concept for the user. So, instead of "IAM Principals", "IAM Roles", and "IAM Groups" at the bottom as cards - we should really have it be a list of the policies themselves that are failing. I am not quite sure the best way to represent this. I have an idea, but let me express these as JSON.
- Data Exfiltration (collapsible and show count)
- AWS Managed Policies (collapsible and show count)
- Customer Managed Policies (collapsible and show count)
- Inline Policies (collapsible and show count)
- ... etc.
{
kmcquade
/ prevent-3rd-party-amis.json
Created
July 21, 2020 19:29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Sid": "PreventMarketplaceImages", | |
| "Action": [ | |
| "ec2:RunInstances" | |
| ], | |
| "Effect": "Deny", | |
| "Resource": "arn:aws:ec2:*::image/ami-*", |
kmcquade
/ console-wut.txt
Created
July 13, 2020 19:11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Traceback (most recent call last): | |
| File "/apps/consoleme/env/lib64/python3.7/site-packages/urllib3/connection.py", line 160, in _new_conn | |
| (self._dns_host, self.port), self.timeout, **extra_kw | |
| File "/apps/consoleme/env/lib64/python3.7/site-packages/urllib3/util/connection.py", line 84, in create_connection | |
| raise err | |
| File "/apps/consoleme/env/lib64/python3.7/site-packages/urllib3/util/connection.py", line 74, in create_connection | |
| sock.connect(sa) | |
| ConnectionRefusedError: [Errno 111] Connection refused | |
| During handling of the above exception, another exception occurred: |