oxidizeddreams · October 12, 2018 14:45
diff --git a/helpers.sh b/helpers.sh
 # Security groups that contain 0.0.0.0/0 rules
 aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=0.0.0.0/0 --output=text | grep SECURITYGROUPS

 # Security groups for ElasticSearch
 aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=9200 --output=text | grep SECURITYGROUPS

 # Search last 10,000/1MB of CloudTrail logs for 'AccessDenied' (removed AWS account number from stream name)
 aws logs get-log-events --log-group-name CloudTrail/DefaultLogGroup --log-stream-name 000000000000_CloudTrail_eu-west-1 | grep AccessDenied

 # Get number of AWS API calls in time period (assumes a Cloudwatch Logs 'catch-all' filter and metric has been created against CloudTrail logs)
 aws cloudwatch get-metric-statistics --namespace LogMetrics --metric-name AllApiCallsCount --period 60 --statistics Sum --start-time 2015-04-15T13:40:00 --end-time 2015-04-15T13:55:00

 # Security groups with particular name
 aws ec2 describe-security-groups --filters Name=group-name,Values=*external* --output=text | grep SECURITYGROUPS

 # Instance IDs on known subnet ranges
 aws ec2 describe-instances --filters Name="private-ip-address",Values="10.100.1.*","10.100.2.*" --query "Reservations[*].Instances[*].InstanceId"

 # Count instance types
 aws ec2 describe-instances --query 'Reservations[*].Instances[*].InstanceType' --output=text | sort | uniq -c | sort -r

 # ELB summaries
 aws elb describe-load-balancers --query 'LoadBalancerDescriptions[*].{Name:DNSName,Instances:Instances[*],SecurityGroups:SecurityGroups[*],Listeners:ListenerDescriptions[*].Listener.LoadBalancerPort}'

 # Elastic IP summaries
 aws ec2 describe-addresses --query "Addresses[*].{PublicIp:PublicIp,InstanceId:InstanceId}"

 # Show scheduled events
 aws ec2 describe-instance-status --filters Name=event.code,Values=instance-reboot,system-reboot,system-maintenance,instance-retirement,instance-stop --query "InstanceStatuses[*].{InstanceId:InstanceId,Event:[Events[*].Code,Events[*].NotBefore,Events[*].Description]}"

 # Show last 10 security group ingress changes
 aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AuthorizeSecurityGroupIngress  --max-results 10

 # Show IDs and names of instances in specified subnets
 aws ec2 describe-instances --filters Name="subnet-id",Values="subnet-<id>","subnet-<id>" \
 --query "Reservations[*].Instances[*].{InstanceId:InstanceId,SubnetId:SubnetId,Tags:[Tags[*].Value],PrivateIpAddress:PrivateIpAddress,\
 PublicIpAddress:PublicIpAddress,SecurityGroupNames:[SecurityGroups[*].GroupName],SecurityGroupIds:[SecurityGroups[*].GroupId]}"
	# Security groups that contain 0.0.0.0/0 rules
	aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values=0.0.0.0/0 --output=text \| grep SECURITYGROUPS

	# Security groups for ElasticSearch
	aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=9200 --output=text \| grep SECURITYGROUPS

	# Search last 10,000/1MB of CloudTrail logs for 'AccessDenied' (removed AWS account number from stream name)
	aws logs get-log-events --log-group-name CloudTrail/DefaultLogGroup --log-stream-name 000000000000_CloudTrail_eu-west-1 \| grep AccessDenied

	# Get number of AWS API calls in time period (assumes a Cloudwatch Logs 'catch-all' filter and metric has been created against CloudTrail logs)
	aws cloudwatch get-metric-statistics --namespace LogMetrics --metric-name AllApiCallsCount --period 60 --statistics Sum --start-time 2015-04-15T13:40:00 --end-time 2015-04-15T13:55:00

	# Security groups with particular name
	aws ec2 describe-security-groups --filters Name=group-name,Values=external --output=text \| grep SECURITYGROUPS

	# Instance IDs on known subnet ranges
	aws ec2 describe-instances --filters Name="private-ip-address",Values="10.100.1.","10.100.2." --query "Reservations[].Instances[].InstanceId"

	# Count instance types
	aws ec2 describe-instances --query 'Reservations[].Instances[].InstanceType' --output=text \| sort \| uniq -c \| sort -r

	# ELB summaries
	aws elb describe-load-balancers --query 'LoadBalancerDescriptions[].{Name:DNSName,Instances:Instances[],SecurityGroups:SecurityGroups[],Listeners:ListenerDescriptions[].Listener.LoadBalancerPort}'

	# Elastic IP summaries
	aws ec2 describe-addresses --query "Addresses[*].{PublicIp:PublicIp,InstanceId:InstanceId}"

	# Show scheduled events
	aws ec2 describe-instance-status --filters Name=event.code,Values=instance-reboot,system-reboot,system-maintenance,instance-retirement,instance-stop --query "InstanceStatuses[].{InstanceId:InstanceId,Event:[Events[].Code,Events[].NotBefore,Events[].Description]}"

	# Show last 10 security group ingress changes
	aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AuthorizeSecurityGroupIngress --max-results 10

	# Show IDs and names of instances in specified subnets
	aws ec2 describe-instances --filters Name="subnet-id",Values="subnet-<id>","subnet-<id>" \
	--query "Reservations[].Instances[].{InstanceId:InstanceId,SubnetId:SubnetId,Tags:[Tags[*].Value],PrivateIpAddress:PrivateIpAddress,\
	PublicIpAddress:PublicIpAddress,SecurityGroupNames:[SecurityGroups[].GroupName],SecurityGroupIds:[SecurityGroups[].GroupId]}"