@mbrownnycnyc
Last active September 27, 2022 19:06
aws cli reference and whoops... i'm learning `jq`.. but not really because it doesn't work well with powershell :D

EC2 instances

obtain ec2 info

$awsec2instances = aws ec2 describe-instances

return all the keys from all the .instances

$awsec2instances | jq "[.Reservations[].Instances[] | keys[]] | unique"

return the list of keys for the first .instances

$awsec2instances | jq "[.Reservations[].Instances[]][0] | keys[]"

return a key KeyName from all .instances

$awsec2instances | jq ".Reservations[].Instances[].KeyName"

return a key KeyName from the first .instances

$awsec2instances | jq "[.Reservations[].Instances[]][0].KeyName"

return the .KeyName, .VpcId, and .InstanceId key values

$awsec2instances | jq "(.Reservations[].Instances[]) | .KeyName, .VpcId, .InstanceId"

return the .KeyName, .VpcId, and .InstanceId key values and build properly structured JSON

$awsec2instances | jq '[.Reservations[].Instances[]][] | {KeyName, VpcId, InstanceId}'

return the .KeyName, .VpcId, and .InstanceId key values and build CSV output

$awsec2instanceobj = $awsec2instances | jq -r '[\"keyname\",\"vpcid\",\"instanceid\"],([.Reservations[].Instances[]][] | [.KeyName, .VpcId, .InstanceId]) | @csv' | ConvertFrom-Csv

#validate the powershellobj array
$awsec2instances | jq '[.Reservations[].Instances[]] | length'
$awsec2instanceobj.count
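Added example, not from the gist: the same flattening of Reservations/Instances done natively with ConvertFrom-Json, which avoids the `\"` escaping and behaves the same in Windows PowerShell 5.1 and pwsh. `$sampleDescribeInstances` is a constructed, trimmed describe-instances response (made-up ids and addresses); the function name and the HasKeyPair/Name columns are my additions.

```powershell
# Constructed sample; for real data use:  $json = aws ec2 describe-instances | Out-String
$sampleDescribeInstances = @'
{
  "Reservations": [
    {
      "ReservationId": "r-0000000000000000a",
      "Instances": [
        {
          "InstanceId": "i-0000000000000000a",
          "KeyName": "ops-key",
          "VpcId": "vpc-0000000000000000a",
          "PublicIpAddress": "203.0.113.10",
          "Tags": [ { "Key": "Name", "Value": "bastion" } ]
        },
        {
          "InstanceId": "i-0000000000000000b",
          "VpcId": "vpc-0000000000000000a",
          "Tags": [ { "Key": "Role", "Value": "worker" } ]
        }
      ]
    },
    {
      "ReservationId": "r-0000000000000000b",
      "Instances": [
        {
          "InstanceId": "i-0000000000000000c",
          "KeyName": "legacy-key",
          "VpcId": "vpc-0000000000000000b",
          "Tags": []
        }
      ]
    }
  ]
}
'@

function ConvertTo-Ec2InstanceRow {
    param([Parameter(Mandatory)][string]$DescribeInstancesJson)

    $doc = $DescribeInstancesJson | ConvertFrom-Json
    foreach ($reservation in $doc.Reservations) {
        foreach ($instance in $reservation.Instances) {
            # Tags arrive as an array of {Key,Value}; pull the Name tag if there is one.
            $nameTag = $instance.Tags | Where-Object { $_.Key -eq 'Name' } | Select-Object -First 1
            [pscustomobject]@{
                InstanceId      = $instance.InstanceId
                ReservationId   = $reservation.ReservationId
                VpcId           = $instance.VpcId
                # A key absent from the JSON is simply $null here (jq prints null for it)
                KeyName         = $instance.KeyName
                HasKeyPair      = [bool]$instance.KeyName
                PublicIpAddress = $instance.PublicIpAddress
                Name            = $nameTag.Value
            }
        }
    }
}

$rows = @(ConvertTo-Ec2InstanceRow -DescribeInstancesJson $sampleDescribeInstances)

# Same sanity check as the jq/ConvertFrom-Csv version: exactly one row per instance.
$expected = ($sampleDescribeInstances | ConvertFrom-Json).Reservations.Instances.Count
if ($rows.Count -ne $expected) { throw "row count $($rows.Count) != instance count $expected" }

# Instances worth a second look: reachable from the internet, or launched without a key pair.
$rows | Where-Object { $_.PublicIpAddress -or -not $_.HasKeyPair } |
    Format-Table InstanceId, Name, VpcId, KeyName, PublicIpAddress -AutoSize

$rows | Export-Csv -NoTypeInformation "$env:USERPROFILE\Desktop\awsec2instances.csv"
```

Because the objects are built by PowerShell rather than parsed back from CSV, `$rows` keeps real types (`HasKeyPair` is a boolean, not the string "True"), so the filters above work without quoting games.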

VPCs

obtain VPC info

$awsvpcinstances = aws ec2 describe-vpcs

obtain security group info

$awssginstances = aws ec2 describe-security-groups

get root key

$awssginstances | jq "keys[]"

select first sg info

$awssginstances | jq "(.SecurityGroups[0])"

obtain ebs snapshot info

  • goal: validate that the CSPM's CVE-scan function is working "correctly" (by cleaning up EBS snapshots)
# without --owner-ids self this also returns every public snapshot you can see, not just your own
$awsebssnapshotsinstances = aws ec2 describe-snapshots --owner-ids self

list keys

$awsebssnapshotsinstances | jq "keys[]"
"Snapshots"

list first item to understand the data

$awsebssnapshotsinstances | jq ".Snapshots[0]"

list the count of snapshots

$awsebssnapshotsinstances | jq "(.Snapshots) | length"

list the count of snapshots where the StartTime is older than 90 days

# "StartTime": "2017-02-08T12:14:09+00:00",
# stuck here... 
# strptime returns a broken-down-time array, so pipe it through mktime to get epoch seconds before comparing with now;
# "older than 90 days" means StartTime < (now - 90 days), and the snapshots live under .Snapshots, not at the root
$awsebssnapshotsinstances | jq '[.Snapshots[] | select((.StartTime | strptime(\"%Y-%m-%dT%H:%M:%S+00:00\") | mktime) < (now - (90 * 86400)))] | length'
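Added example, not from the gist: the "older than 90 days" filter done with ConvertFrom-Json, restricted to snapshots the account owns, producing a dry-run cleanup plan instead of deleting anything. `$sampleDescribeSnapshots` is a constructed describe-snapshots payload (made-up account ids, snapshot ids and dates) and the function name is mine; the `-OwnerId` value is your own account id, which `aws sts get-caller-identity --query Account --output text` returns.

```powershell
# Constructed sample; for real data use:  $json = aws ec2 describe-snapshots --owner-ids self | Out-String
# ...a: ours and years old; ...b: ours but only a week old at the reference date; ...c: old, but another account's
$sampleDescribeSnapshots = @'
{
  "Snapshots": [
    { "SnapshotId": "snap-0000000000000000a", "OwnerId": "111111111111", "VolumeId": "vol-0000000000000000a",
      "VolumeSize": 8,   "StartTime": "2017-02-08T12:14:09+00:00", "State": "completed", "Encrypted": false },
    { "SnapshotId": "snap-0000000000000000b", "OwnerId": "111111111111", "VolumeId": "vol-0000000000000000b",
      "VolumeSize": 100, "StartTime": "2022-09-20T03:00:00+00:00", "State": "completed", "Encrypted": true },
    { "SnapshotId": "snap-0000000000000000c", "OwnerId": "222222222222", "VolumeId": "vol-0000000000000000c",
      "VolumeSize": 8,   "StartTime": "2015-01-01T00:00:00+00:00", "State": "completed", "Encrypted": false }
  ]
}
'@

function Get-StaleEbsSnapshot {
    param(
        [Parameter(Mandatory)][string]$DescribeSnapshotsJson,
        [Parameter(Mandatory)][string]$OwnerId,          # aws sts get-caller-identity --query Account --output text
        [int]$MaxAgeDays = 90,
        [datetimeoffset]$AsOf = [datetimeoffset]::UtcNow
    )
    $cutoff = $AsOf.AddDays(-$MaxAgeDays)
    $doc = $DescribeSnapshotsJson | ConvertFrom-Json
    foreach ($snap in $doc.Snapshots) {
        # Belt and braces on top of --owner-ids self: a shared or public snapshot never lands on the delete list.
        if ($snap.OwnerId -ne $OwnerId) { continue }
        # Windows PowerShell leaves StartTime as a string, pwsh may already have turned it into a [datetime];
        # the cast handles both and keeps the instant, so the comparison does not depend on the local time zone.
        $started = [datetimeoffset]$snap.StartTime
        if ($started -lt $cutoff) {
            [pscustomobject]@{
                SnapshotId = $snap.SnapshotId
                VolumeId   = $snap.VolumeId
                SizeGiB    = $snap.VolumeSize
                Encrypted  = $snap.Encrypted
                StartTime  = $started.ToString('u')
                AgeDays    = [int][math]::Floor($AsOf.Subtract($started).TotalDays)
            }
        }
    }
}

# Fixed reference time so the sample is reproducible; drop -AsOf for live data.
$asOf  = [datetimeoffset]::Parse('2022-09-27T00:00:00Z')
$stale = @(Get-StaleEbsSnapshot -DescribeSnapshotsJson $sampleDescribeSnapshots -OwnerId '111111111111' -AsOf $asOf)

"{0} stale snapshot(s) owned by the account" -f $stale.Count
$stale | Format-Table -AutoSize

# Emit the cleanup plan rather than running it. With --dry-run the call fails with DryRunOperation when you
# are allowed to delete and UnauthorizedOperation when you are not, without touching the snapshot;
# remove --dry-run once the list has been reviewed.
foreach ($s in $stale) {
    "aws ec2 delete-snapshot --dry-run --snapshot-id $($s.SnapshotId)"
}
```

Keeping the owner check in code as well as in the CLI call matters for the stated goal: a CSPM that flags CVEs in snapshots will happily flag public snapshots you can see but do not own, and those are not yours to clean up.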

guardduty findings

#this is not preferred, but it works.
#  what i need to do is understand how to build strings with jq... that way I can port my jq skills over to *nix without any issues (not relying on .net json classes to handle the json)

$awsguarddutydetectorslist = (((aws guardduty list-detectors | jq ".[]") -split "\[|\]|\""|\,").trim() | ?{$_.length -gt 0})

$awsguarddutyfindingslist = @()
foreach ($detector in $awsguarddutydetectorslist) {
  $tempobj = "" | select detectorid,findingid
  $tempobj.detectorid = $detector
  $tempobj.findingid = (((aws guardduty list-findings --detector-id $detector | jq ".[]") -split "\[|\]|\""|\,").trim() | ?{$_.length -gt 0})
  
  $awsguarddutyfindingslist += $tempobj
}


#this is a little not DRY, but whatever...
$awsguarddutyfindings = @()
foreach ($entry in $awsguarddutyfindingslist) {
  # get-findings needs at least one id (and takes at most 50 per call); skip detectors with no findings
  if (-not $entry.findingid) { continue }
  # the array is expanded to one --finding-ids argument per element; jq -c emits one finding per line
  $awsguarddutyfindings += (aws guardduty get-findings --detector-id $entry.detectorid --finding-ids $entry.findingid | jq -c ".Findings[]")
}

or if you'd rather

[string[]]$detectorids = ((aws guardduty list-detectors) | convertfrom-json).detectorids


# https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListFindings.html
# https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-date?view=powershell-7.2#notes
# updatedAt in the finding criteria is epoch milliseconds; a bare date parses as local midnight (as DateTime.Parse does), and
# ToUnixTimeMilliseconds gives the instant in UTC, so this replaces the get-date -UFormat %s round trip
[int64]$earliestupdatedAt = [datetimeoffset]::Parse("2022-09-01").ToUnixTimeMilliseconds()
# note this is midnight at the *start* of the 30th; use "2022-09-30T23:59:59" to include the whole day
[int64]$latestupdatedAt = [datetimeoffset]::Parse("2022-09-30").ToUnixTimeMilliseconds()

#https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html#filter_criteria
#https://stackoverflow.com/a/51861924/843000
# https://stackoverflow.com/a/40970728/843000
#https://boto3.amazonaws.com/v1/documentation/api/1.11.4/reference/services/securityhub.html
# must be one of: Eq, Neq, Gt, Gte, Lt, Lte, Equals, NotEquals, GreaterThan, GreaterThanOrEqual, LessThan, LessThanOrEqual
$findingcriteria = (@{
  "Criterion" = @{
    "updatedAt" = @{
      "Gte" = $earliestupdatedAt;
      "Lte" = $latestupdatedAt
    }
  }
} | convertto-json ) -replace '"','\"'



# https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/list-findings.html
$findingidslist = @()
foreach ($detectorid in $detectorids) {
  $tempobj = "" | select detectorid,findingids
  $tempobj.detectorid = $detectorid
  
  $tempobj.findingids = (aws guardduty list-findings --detector-id $detectorid --finding-criteria $findingcriteria | convertfrom-json).findingids
 
  $findingidslist += , $tempobj
}

$findingsinfo = @()
foreach ($detectorid in $detectorids) {
  $targetfindings = ($findingidslist | ? {$_.detectorid -eq $detectorid}).findingids
  # get-findings needs at least one id and accepts at most 50 per call; list-findings (auto-paginated by the CLI) can return more than 50, so batch if it does
  if (-not $targetfindings) { continue }
  # no scriptblock or quoting needed: an array bound to a native command becomes one argument per element
  $tempobj = (aws guardduty get-findings --detector-id $detectorid --finding-ids $targetfindings | convertfrom-json)
  
  $findingsinfo += , $tempobj
}

# export-csv writes nested objects (Resource, Service) as their type names, so pick the scalar columns and lift what you need out of the nested ones
$findingsinfo.findings | select Id, Type, Severity, Region, AccountId, Title, UpdatedAt, @{n='ResourceType';e={$_.Resource.ResourceType}} | export-csv -notypeinfo $env:userprofile\desktop\awsguardduty.csv
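Added example, not from the gist: three helpers for the GuardDuty part. The date helper covers the epoch-milliseconds conversion, the criteria builder produces the `--finding-criteria` JSON and hands it to the CLI through a `file://` URL (which sidesteps shell quoting altogether; on pwsh 7.3+, which escapes native arguments itself, the `-replace '"','\"'` trick would double-escape), and the batcher keeps `get-findings` under its limit of 50 finding ids per call. The 120 finding ids at the bottom are constructed and the function names are mine; the `aws` calls are shown as comments because they need a live account.

```powershell
function ConvertTo-EpochMilliseconds {
    param([Parameter(Mandatory)][string]$Date)
    # Same semantics as [DateTime]::Parse(...).ToUniversalTime(): a bare date is local midnight.
    # GuardDuty's updatedAt criterion takes Unix time in milliseconds.
    [datetimeoffset]::Parse($Date, [cultureinfo]::InvariantCulture).ToUnixTimeMilliseconds()
}

function New-GuardDutyUpdatedAtCriteria {
    param([Parameter(Mandatory)][string]$From, [Parameter(Mandatory)][string]$To)
    $criteria = [ordered]@{
        Criterion = [ordered]@{
            updatedAt = [ordered]@{
                Gte = (ConvertTo-EpochMilliseconds $From)
                Lte = (ConvertTo-EpochMilliseconds $To)
            }
        }
    }
    # -Compress: one line, nothing for the command line to mangle
    $criteria | ConvertTo-Json -Compress -Depth 5
}

function Split-FindingIdBatch {
    param([Parameter(Mandatory)][string[]]$FindingIds, [int]$BatchSize = 50)
    for ($i = 0; $i -lt $FindingIds.Count; $i += $BatchSize) {
        $end = [math]::Min($i + $BatchSize, $FindingIds.Count) - 1
        # leading comma: emit the slice as one array object instead of unrolling it into the pipeline
        , $FindingIds[$i..$end]
    }
}

$criteriaJson = New-GuardDutyUpdatedAtCriteria -From '2022-09-01' -To '2022-09-30T23:59:59'
$criteriaJson

# Any JSON-valued CLI parameter can be read from a file, so write it out and point --finding-criteria at it.
$criteriaPath = Join-Path ([System.IO.Path]::GetTempPath()) 'guardduty-criteria.json'
Set-Content -Path $criteriaPath -Value $criteriaJson -Encoding ascii -NoNewline
#   $ids = (aws guardduty list-findings --detector-id $detectorId --finding-criteria "file://$criteriaPath" | ConvertFrom-Json).FindingIds

# Constructed ids (GuardDuty finding ids are 32 hex characters); 120 of them means three get-findings calls.
$findingIds = 1..120 | ForEach-Object { '{0:x32}' -f $_ }
$batches = @(Split-FindingIdBatch -FindingIds $findingIds)
foreach ($batch in $batches) {
    # The array expands to one argument per element, so the whole call is:
    #   (aws guardduty get-findings --detector-id $detectorId --finding-ids $batch | ConvertFrom-Json).Findings
    "batch of {0} ids: {1} .. {2}" -f $batch.Count, $batch[0], $batch[-1]
}
```

The `file://` route also works for `--finding-criteria` on `list-findings` in any shell, so the same criteria file can be reused from bash without re-escaping.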
