@limed
limed / ensure-cloudtrail.py
Created October 1, 2015 21:09 — forked from vrivellino/ensure-cloudtrail.py
Ensure CloudTrail is activated in all regions
#!/usr/bin/env python
# tested with boto 2.38.0
import boto
import boto.cloudtrail
import json
import logging
import re
@limed
limed / mfa.json
Last active October 12, 2015 23:37
Policy to enforce mfa
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create policy to enforce MFA",
"Resources": {
"AdminMFAGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
{
"Ref": "AdminMFAPolicy"
{
"Sid": "DoNotAllowAnythingOtherThanAboveUnlessMFAd",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": "true"
}
}
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Create policy to enforce MFA",
"Resources": {
"AdminMFAGroup": {
"Type": "AWS::IAM::Group",
"Properties": {
"ManagedPolicyArns": [
{
"Ref": "ForceMFA"
@limed
limed / assumeawsrole
Created October 15, 2015 23:51 — forked from sneak/assumeawsrole
shell script to ease MFA use with aws role assumption
#!/bin/bash
if [[ $# -ne 1 ]]; then
echo "usage: $0 <rolename> (e.g. \`$0 EngineerProd\`)" > /dev/stderr
exit 127
fi
# Redirect order fixed: send stdout to /dev/null first, then stderr to stdout
if ! which jq > /dev/null 2>&1 ; then
echo "$0 error: Please install 'jq'." > /dev/stderr
exit 127
fi
@limed
limed / eni-attach
Created November 2, 2015 17:40
Attaches ENI to an EC2 instance
#!/bin/bash
# Attempts to attach an ENI to an EC2 instance; the ENI is selected via
# its tags. If the ENI is in the same availability zone, is "available", and has the same
# stack name tag, then you are cool to take the ENI
#
# Policy Statement:
# {
# "Effect": "Allow",
# "Action": [
# "ec2:AssociateAddress",
[root@ip-10-164-2-55 home]# /usr/local/bin/consulate kv mkdir limed-test
Traceback (most recent call last):
File "/usr/local/bin/consulate", line 9, in <module>
load_entry_point('consulate==0.6.0', 'console_scripts', 'consulate')()
File "/usr/local/lib/python2.7/site-packages/consulate/cli.py", line 469, in main
KV_ACTIONS[args.action](consul, args)
File "/usr/local/lib/python2.7/site-packages/consulate/cli.py", line 288, in kv_mkdir
consul.kv.set(args.path, None)
File "/usr/local/lib/python2.7/site-packages/consulate/api/kv.py", line 259, in set
return self.__setitem__(item, value)
#!/bin/bash
eval $(curl -s -fq http://169.254.169.254/latest/user-data)
region=$(curl --retry 3 -s -fq http://169.254.169.254/latest/dynamic/instance-identity/document | jq '.region' -r)
function __get_availability_zone() {
local availability_zone=$(curl -s -fq http://169.254.169.254/latest/meta-data/placement/availability-zone)
echo "${availability_zone}"
}
@limed
limed / ssh_config.pp
Last active January 15, 2016 01:16
Fixes CVE-2016-0777 and CVE-2016-0778
augeas { 'ssh_config UseRoaming no':
onlyif => 'match /files/etc/ssh/ssh_config/UseRoaming[.= "no" ] size == 0',
changes => [
'ins UseRoaming before /files/etc/ssh/ssh_config/Host[1]',
'set /files/etc/ssh/ssh_config/UseRoaming no',
]
}
else
echo "Nope, no love for limed"
if [[ ! -d "${basedir}/ssh_keys" ]]; then
echo "Directory where we store ssh keys ${basedir}/ssh_keys does not exist"
else
scp -pr ${basedir}/ssh_keys/${username}.pub ec2-user@${jumphost}:/tmp/${username}.pub
ssh -t ec2-user@${jumphost} "sudo mv /tmp/${username}.pub /home/${username}/.ssh/authorized_keys" > /dev/null 2>&1
#cat ${basedir}/ssh_keys/${username}.pub | ssh -t -t ec2-user@${jumphost} "sudo su - root -c 'cat >> /home/${username}/.ssh/authorized_keys'"
fi
fi