diff --git a/audit-output-creds.sh b/audit-output-creds.sh
index 9fa78b6..97648c2 100755
--- a/audit-output-creds.sh
+++ b/audit-output-creds.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 # creates a file in /tmp/{scan_user}.{account}.{date}.txt
+# call "list" in arg to list the key
+# call "delete" in arg to delete the key
+# call nothing and create the file
 
 if [ -r $HOME/.tf-control ]
 then
@@ -18,6 +21,7 @@ fi
 
 DATE=$(date +%Y%m%d)
 S_ACCOUNT=$($TERRAFORM output caller_account_id)
+profile=$($TERRAFORM output profile)
 #S_USER=$($TERRAFORM output scan_user)
 S_FILE="/tmp/${S_USER}.${S_ACCOUNT}.$DATE.txt"
 
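Review bot: The new header comment documents the `list`/`delete` argument but not that `delete` is destructive: on the new side of the hunk at +53 that argument runs `aws iam delete-access-key` directly, with no confirmation prompt and no dry-run, and a deleted IAM access key cannot be recovered. The comment should also say where the argument is read from, since the code tests `$1`. I would replace the three added lines with something like `# usage: audit-output-creds.sh [list|delete]` and `#   list   - runs aws iam list-access-keys for the scan user` and `#   delete - runs aws iam delete-access-key immediately (no confirmation, not reversible)`, keeping "no argument: only create the file" as the third case.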
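Review bot: `profile=$($TERRAFORM output profile)` takes the value unchecked; if `terraform output` fails or prints nothing, `profile` is empty and the later unquoted `aws --profile $profile iam …` calls in the hunk at +53 run with the next word shifted into the profile slot instead of failing here. Since that value selects which AWS credentials perform the `delete-access-key` call, fail fast at the assignment: `profile=$("$TERRAFORM" output profile) || exit 1` followed by `: "${profile:?terraform output profile is empty}"`. Depending on the Terraform version, `terraform output` of a string may print it with surrounding quotes; `terraform output -raw profile` avoids that, so confirm against the version in use. Separately, the consuming hunk does not parse as written: `[[ $1 == "list" ]` and `[[ $1 == "delete" ]` close with a single `]`, the delete-access-key line ends in a stray `"`, and `[[ -z $1 ]] && [[ $1 == "…" ]]` can never be true, so the moment those are repaired to `-n` the delete path executes without any confirmation.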
@@ -49,44 +53,18 @@ do
 ls -al $S_FILE
 cat $S_FILE
+ echo "# list access keys"
+ echo "aws --profile $profile iam list-access-keys --user-name $S_USER"
+ if [[ -z $1 ]] && [[ $1 == "list" ]
+ then
+ aws --profile $profile iam list-access-keys --user-name $S_USER
+ fi
+ echo "# delete access key"
+ echo "# aws --profile $profile iam delete-access-key --user-name $S_USER --access-key-id ${info["aws_access_key_id"]}"
+ if [[ -z $1 ]] && [[ $1 == "delete" ]
+ then
+ aws --profile $profile iam delete-access-key --user-name $S_USER --access-key-id ${info["aws_access_key_id"]}"
+ fi
 scount=$(( $scount + 1 ))
 done
-
-# in script form
-#echo "# file=$S_FILE" > $S_FILE
-#echo "# account=$S_ACCOUNT" >> $S_FILE
-#echo "# date=$DATE" >> $S_FILE
-#echo "scan_user=$S_USER" >> $S_FILE
-#( echo -n "scan_aws_access_key_id="; $TERRAFORM output scan_aws_access_key_id ) >> $S_FILE
-#( echo -n "scan_aws_secret_access_key="; $TERRAFORM output scan_aws_secret_access_key | base64 --decode | ( gpg --batch --decrypt 2> /dev/null) ; echo "" ) >> $S_FILE
-#echo "" >> $S_FILE
-#
-#cat $S_FILE
-
- ## #service_profile=$($TERRAFORM output service_profile)
-## service_profile=""
-## profile=$($TERRAFORM output profile)
-## username=$($TERRAFORM output scan_user)
-## echo ""
-## if [ ! -z $service_profile ]
-## then
-## echo "# test new access key after inserting above into $HOME/.aws/credentials in [$service_profile]"
-## echo "aws --profile $service_profile iam list-access-keys --user-name $username"
-## else
-## echo "# test new access key after inserting above into $HOME/.aws/credentials in [$profile]"
-## echo "aws --profile $profile iam list-access-keys --user-name $username"
-## fi
-##
-## old_access_key=$($TERRAFORM output aws_access_key_id_prev|sed -e 's/^.*=//')
-## if [ ! -z $old_access_key ]
-## then
-## echo ""
-## echo "# dissable old access key"
-## echo "aws --profile $profile iam update-access-key --user-name $username --access-key-id $old_access_key --status Inactive"
-## echo ""
-## echo "# delete old access key (only necessary if haven't rotated twice)"
-## echo "# aws --profile $profile iam delete-access-key --user-name $username --access-key-id $old_access_key"
-## fi
-##