aws.ec2 package

Submodules

aws.ec2.helpers module

aws.ec2.helpers.ip_permission_opens_all_ports(ipp)[source]

Returns True if an EC2 security group IP permission opens all ports and False otherwise. A FromPort or ToPort of -1 (the wildcard the EC2 API uses) counts as all ports, as does a range spanning 1 to 65535 or wider; a permission missing either FromPort or ToPort is not treated as opening all ports.

>>> ip_permission_opens_all_ports({'FromPort': 1, 'ToPort': 65535})
True
>>> ip_permission_opens_all_ports({'FromPort': 1, 'ToPort': 965535})
True
>>> ip_permission_opens_all_ports({'FromPort': -1, 'ToPort': 20})
True
>>> ip_permission_opens_all_ports({'FromPort': 20, 'ToPort': -1})
True
>>> ip_permission_opens_all_ports({'ToPort': -1})
False
aws.ec2.helpers.ip_permission_cidr_allows_all_ips(ipp)[source]

Returns True if any IPv4 or IPv6 range of an EC2 security group IP permission allows access to or from all IPs (0.0.0.0/0 or ::/0) and False otherwise.

>>> ip_permission_cidr_allows_all_ips({'IpRanges': [{'CidrIp': '0.0.0.0/0'}]})
True
>>> ip_permission_cidr_allows_all_ips({'Ipv6Ranges': [{'CidrIpv6': '::/0'}]})
True
>>> ip_permission_cidr_allows_all_ips({'IpRanges': [{'CidrIp': '192.0.1.1/8'}]})
False
>>> ip_permission_cidr_allows_all_ips({'Ipv6Ranges': [{'CidrIpv6': '192.0.1.1/8'}]})
False
>>> ip_permission_cidr_allows_all_ips({})
False
aws.ec2.helpers.ip_permission_grants_access_to_group_with_id(ipp, security_group_id)[source]

Returns True if an EC2 security group IP permission grants access to the security group with the given ID (via a UserIdGroupPairs entry) and False otherwise.

>>> ip_permission_grants_access_to_group_with_id(
... {'UserIdGroupPairs': [{'GroupId': 'test-sgid'}]}, 'test-sgid')
True
>>> ip_permission_grants_access_to_group_with_id(
... {'UserIdGroupPairs': [{'GroupId': 'test-sgid'}]}, 'not-test-sgid')
False
>>> ip_permission_grants_access_to_group_with_id({}, 'test-sgid')
False
aws.ec2.helpers.ec2_security_group_opens_all_ports(ec2_security_group)[source]

Returns True if an EC2 security group includes a permission allowing inbound access on all ports, and False otherwise. ICMP permissions are ignored: for ICMP, FromPort and ToPort carry the type and code (-1 meaning all types and codes), not TCP/UDP ports.

>>> ec2_security_group_opens_all_ports(
... {'IpPermissions': [{}, {'FromPort': -1,'ToPort': 65536}]})
True
>>> ec2_security_group_opens_all_ports(
... {'IpPermissions': [{}, {'IpProtocol': 'icmp', 'FromPort': -1,'ToPort': -1}]})
False
>>> ec2_security_group_opens_all_ports({})
False
aws.ec2.helpers.ec2_security_group_opens_all_ports_to_self(ec2_security_group)[source]

Returns True if an EC2 security group includes a permission allowing inbound access on all ports from the group itself (a UserIdGroupPairs entry whose GroupId equals the group's own GroupId), and False otherwise. ICMP permissions are ignored.

>>> ec2_security_group_opens_all_ports_to_self({
... 'GroupId': 'test-sgid',
... 'IpPermissions': [
...     {'FromPort': 1, 'ToPort': 65535, 'UserIdGroupPairs': [{'GroupId': 'test-sgid'}]},
... ]})
True
>>> ec2_security_group_opens_all_ports_to_self({
... 'GroupId': 'test-sgid',
... 'IpPermissions': [
...     {'IpProtocol': "icmp", 'FromPort': -1, 'ToPort': -1, 'UserIdGroupPairs': [{'GroupId': 'test-sgid'}]},
... ]})
False
>>> ec2_security_group_opens_all_ports_to_self({
... 'GroupId': 'test-sgid',
... 'IpPermissions': [
...     {'UserIdGroupPairs': [{'GroupId': 'test-sgid'}]},
... ]})
False
>>> ec2_security_group_opens_all_ports_to_self({'GroupId': 'test-sgid'})
False
>>> ec2_security_group_opens_all_ports_to_self({
... 'GroupId': 'test-sgid',
... 'IpPermissions': [
...     {'UserIdGroupPairs': []},
... ]})
False
>>> ec2_security_group_opens_all_ports_to_self({})
False
>>> ec2_security_group_opens_all_ports_to_self([])
False
aws.ec2.helpers.ec2_security_group_opens_all_ports_to_all(ec2_security_group)[source]

Returns True if an EC2 security group includes a permission allowing all IPs (0.0.0.0/0 or ::/0) inbound access on all ports, and False otherwise. ICMP permissions are ignored.

>>> ec2_security_group_opens_all_ports_to_all({'IpPermissions': [
... {'FromPort': -1,'ToPort': 65535,'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
... ]})
True
>>> ec2_security_group_opens_all_ports_to_all({'IpPermissions': [
... {'FromPort': 1,'ToPort': 65535,'Ipv6Ranges': [{'CidrIpv6': '::/0'}]}
... ]})
True
>>> ec2_security_group_opens_all_ports_to_all({'IpPermissions': [
... {'IpProtocol': 'icmp','FromPort': -1,'ToPort': -1,'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
... ]})
False
>>> ec2_security_group_opens_all_ports_to_all({'IpPermissions': []})
False
>>> ec2_security_group_opens_all_ports_to_all({})
False
>>> ec2_security_group_opens_all_ports_to_all([])
False
aws.ec2.helpers.ec2_security_group_opens_specific_ports_to_all(ec2_security_group, allowed_ports=None)[source]

Returns True if an EC2 security group includes a permission allowing all IPs inbound access on any port outside allowed_ports, and False otherwise. ICMP permissions are ignored. With the default allowed_ports, port 80 open to the world is not flagged while port 22 is (see the examples below).

>>> ec2_security_group_opens_specific_ports_to_all({'IpPermissions': [
... {'FromPort': 22,'ToPort': 22,'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
... ]})
True
>>> ec2_security_group_opens_specific_ports_to_all({'IpPermissions': [
... {'FromPort': 234,'ToPort': 432,'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
... ]})
True
>>> ec2_security_group_opens_specific_ports_to_all({'IpPermissions': [
... {'FromPort': 80,'ToPort': 80,'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
... ]})
False
>>> ec2_security_group_opens_specific_ports_to_all({'IpPermissions': []})
False
>>> ec2_security_group_opens_specific_ports_to_all({})
False
>>> ec2_security_group_opens_specific_ports_to_all([])
False
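The helpers above are specified only by their doctests. As an added example (not the project's code), the following independent implementation follows the behaviour those doctests describe and runs it over a constructed describe_security_groups-shaped list to classify each group. Two assumptions are flagged in the code: DEFAULT_ALLOWED_PORTS is a value chosen for this example, and an IpProtocol '-1' ("All traffic") rule, which in real describe_security_groups output carries no FromPort/ToPort keys and is not covered by the doctests above, is treated here as opening all ports.

```python
"""Classify EC2 security group inbound rules over constructed sample data.

Independent example written for this page: it follows the behaviour the
doctests above describe (wildcard -1 ports, /0 CIDRs, self-referencing
UserIdGroupPairs, ICMP ignored) and additionally treats an IpProtocol '-1'
"All traffic" rule, which carries no FromPort/ToPort keys, as opening all
ports.  DEFAULT_ALLOWED_PORTS is an assumption for this example only.
"""
from ipaddress import ip_network

ALL_PORTS = -1                                 # EC2 wildcard for FromPort/ToPort
DEFAULT_ALLOWED_PORTS = frozenset({80, 443})   # assumed safe-to-expose ports


def is_icmp(ipp):
    return str(ipp.get("IpProtocol", "")).lower() in ("icmp", "icmpv6")


def permission_opens_all_ports(ipp):
    """True if one IpPermission covers every TCP/UDP port."""
    if ipp.get("IpProtocol") == "-1":          # 'All traffic': no port keys at all
        return True
    if "FromPort" not in ipp or "ToPort" not in ipp:
        return False
    if ALL_PORTS in (ipp["FromPort"], ipp["ToPort"]):
        return True
    return ipp["FromPort"] <= 1 and ipp["ToPort"] >= 65535


def permission_allows_all_ips(ipp):
    """True if any IPv4 or IPv6 range is the unrestricted /0 network."""
    cidrs = [r["CidrIp"] for r in ipp.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in ipp.get("Ipv6Ranges", [])]
    for cidr in cidrs:
        try:
            if ip_network(cidr, strict=False).prefixlen == 0:
                return True
        except ValueError:                     # malformed CIDR: skip it, do not crash the audit
            continue
    return False


def permission_grants_group(ipp, group_id):
    return any(p.get("GroupId") == group_id for p in ipp.get("UserIdGroupPairs", []))


def audit_security_group(sg, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Return a list of finding codes for one security group dict."""
    findings = []
    own_id = sg.get("GroupId")
    for ipp in sg.get("IpPermissions", []):
        if is_icmp(ipp):
            continue
        world = permission_allows_all_ips(ipp)
        every_port = permission_opens_all_ports(ipp)
        if world and every_port:
            findings.append("all_ports_to_all")
        elif world and "FromPort" in ipp and "ToPort" in ipp:
            low, high = ipp["FromPort"], ipp["ToPort"]
            if any(p not in allowed_ports for p in range(low, high + 1)):
                findings.append(f"ports_to_all:{low}-{high}")
        if every_port and own_id and permission_grants_group(ipp, own_id):
            findings.append("all_ports_to_self")
    return findings


# Constructed to mirror describe_security_groups()['SecurityGroups']; not real data.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0b", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0c", "GroupName": "legacy-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0d", "GroupName": "cluster", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "UserIdGroupPairs": [{"GroupId": "sg-0d", "UserId": "123456789012"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


def audit_all(groups=SAMPLE_GROUPS):
    return {sg["GroupId"]: audit_security_group(sg) for sg in groups}


if __name__ == "__main__":
    for group_id, findings in audit_all().items():
        print(group_id, ", ".join(findings) or "ok")
```

Before relying on the helpers on this page for the "All traffic" case, check how they treat a permission with IpProtocol '-1' and no port keys; the doctest `ip_permission_opens_all_ports({'ToPort': -1})` returning False shows that missing port keys are not automatically read as a wildcard.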
aws.ec2.helpers.ec2_instance_test_id(ec2_instance)[source]

A getter function for test IDs of EC2 instances.

aws.ec2.helpers.ec2_security_group_test_id(ec2_security_group)[source]

A getter function for test IDs of EC2 security groups.

aws.ec2.helpers.ec2_address_id(ec2_address)[source]

Format an Elastic IP address.

aws.ec2.helpers.is_ebs_volume_encrypted(ebs)[source]

Checks the EBS volume ‘Encrypted’ value.

>>> is_ebs_volume_encrypted({'Encrypted': True})
True
>>> is_ebs_volume_encrypted({'Encrypted': False})
False
>>> is_ebs_volume_encrypted({})
Traceback (most recent call last):
...
KeyError: 'Encrypted'
>>> is_ebs_volume_encrypted(0)
Traceback (most recent call last):
...
TypeError: 'int' object is not subscriptable
>>> is_ebs_volume_encrypted(None)
Traceback (most recent call last):
...
TypeError: 'NoneType' object is not subscriptable
aws.ec2.helpers.is_ebs_volume_piops(ebs)[source]

Checks if the EBS volume type is provisioned iops

>>> is_ebs_volume_piops({'VolumeType': 'io1'})
True
>>> is_ebs_volume_piops({'VolumeType': 'standard'})
False
>>> is_ebs_volume_piops({})
Traceback (most recent call last):
...
KeyError: 'VolumeType'
>>> is_ebs_volume_piops(0)
Traceback (most recent call last):
...
TypeError: 'int' object is not subscriptable
>>> is_ebs_volume_piops(None)
Traceback (most recent call last):
...
TypeError: 'NoneType' object is not subscriptable
aws.ec2.helpers.is_ebs_snapshot_public(ebs_snapshot)[source]

Checks if the EBS snapshot’s ‘CreateVolumePermissions’ attribute allows for public creation.

>>> is_ebs_snapshot_public({'CreateVolumePermissions':[{'Group': 'all'}]})
True
>>> is_ebs_snapshot_public({'CreateVolumePermissions':[{'Group': ''}]})
False
>>> is_ebs_snapshot_public({'CreateVolumePermissions':[{'foo': 'bar'}]})
False
>>> is_ebs_snapshot_public({'CreateVolumePermissions':[]})
False
>>> is_ebs_snapshot_public({})
False
aws.ec2.helpers.ec2_instance_missing_tag_names(ec2_instance, required_tag_names)[source]

Returns the subset of required_tag_names that are not present as tag keys on the EC2 instance.

>>> ec2_instance_missing_tag_names({'Tags': [{'Key': 'Name'}]}, frozenset(['Name']))
frozenset()
>>> ec2_instance_missing_tag_names({
... 'InstanceId': 'iid', 'Tags': [{'Key': 'Bar'}]}, frozenset(['Name']))
frozenset({'Name'})
aws.ec2.helpers.ebs_volume_attached_to_instance(ebs, volume_created_days_ago=90)[source]

Returns True if the EBS volume is attached to an instance (State is “in-use”), or if it is unattached but was created fewer than volume_created_days_ago days ago (a grace period for newly created volumes). Returns False for a volume that has been unattached for longer than that.

>>> from datetime import datetime
>>> from datetime import timezone
>>> ebs_volume_attached_to_instance({"CreateTime": datetime.fromisoformat("2020-09-11T19:45:22.116+00:00"), "State": "in-use"})
True
>>> ebs_volume_attached_to_instance({"CreateTime": datetime.fromisoformat("2000-09-11T19:45:22.116+00:00"), "State": "in-use"})
True
>>> ebs_volume_attached_to_instance({"CreateTime": datetime.now(timezone.utc), "State": "available"})
True
>>> ebs_volume_attached_to_instance({"CreateTime": datetime.fromisoformat("2000-09-11T19:45:22.116+00:00"), "State": "available"})
False
aws.ec2.helpers.ebs_snapshot_not_too_old(snapshot, snapshot_started_days_ago=365)[source]

Returns True if the EBS snapshot was started fewer than snapshot_started_days_ago days ago, and False otherwise.

>>> from datetime import datetime
>>> from datetime import timezone
>>> from aws.ec2.helpers import ebs_snapshot_not_too_old
>>> ebs_snapshot_not_too_old({"StartTime": datetime.now(timezone.utc)})
True
>>> ebs_snapshot_not_too_old({"StartTime": datetime.fromisoformat("2019-09-11T19:45:22.116+00:00")})
False
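The age-based checks above compare a resource timestamp against the current time. As an added example (not the project's code), the following independent implementation combines the EBS checks documented on this page into one audit over constructed describe_volumes, describe_snapshots and describe_snapshot_attribute shaped records. It pins the clock via a `now` parameter (FIXED_NOW is an assumed audit time) so results are reproducible, and it normalises naive timestamps to UTC, because the datetimes boto3 returns are timezone-aware and subtracting a naive datetime from one raises TypeError. Unlike the page's is_ebs_volume_encrypted, a missing “Encrypted” key is treated here as unencrypted rather than raising.

```python
"""EBS hygiene audit over constructed volume and snapshot records.

Independent example for this page, not the project's code.  The clock is
fixed through the `now` parameter so the results are reproducible, and
naive timestamps are normalised to UTC because boto3 returns tz-aware
datetimes and a naive/aware subtraction raises TypeError.
"""
from datetime import datetime, timedelta, timezone

FIXED_NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)   # assumed audit time


def age_days(ts, now):
    """Whole days between ts and now, tolerating naive (assumed-UTC) timestamps."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return (now - ts).days


def volume_attached_or_new(volume, grace_days=90, now=FIXED_NOW):
    """Attached volumes pass; detached ones pass only inside the creation grace period."""
    if volume.get("State") == "in-use":
        return True
    return age_days(volume["CreateTime"], now) < grace_days


def snapshot_not_too_old(snapshot, max_age_days=365, now=FIXED_NOW):
    return age_days(snapshot["StartTime"], now) < max_age_days


def snapshot_is_public(snapshot_attribute):
    """A CreateVolumePermissions entry of {'Group': 'all'} lets any account copy the snapshot."""
    return any(p.get("Group") == "all"
               for p in snapshot_attribute.get("CreateVolumePermissions", []))


# Constructed records shaped like the describe_* responses; not real account data.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-01", "State": "in-use", "Encrypted": True,
     "CreateTime": datetime(2018, 5, 1, tzinfo=timezone.utc)},
    {"VolumeId": "vol-02", "State": "available", "Encrypted": False,
     "CreateTime": FIXED_NOW - timedelta(days=10)},
    {"VolumeId": "vol-03", "State": "available", "Encrypted": True,
     "CreateTime": datetime(2019, 12, 1)},            # naive timestamp on purpose
]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-01", "StartTime": FIXED_NOW - timedelta(days=30),
     "CreateVolumePermissions": [{"Group": "all"}]},
    {"SnapshotId": "snap-02",
     "StartTime": datetime(2019, 9, 11, 19, 45, tzinfo=timezone.utc),
     "CreateVolumePermissions": [{"UserId": "123456789012"}]},
]


def audit(volumes=SAMPLE_VOLUMES, snapshots=SAMPLE_SNAPSHOTS, now=FIXED_NOW):
    """Map each resource id to its list of finding codes."""
    findings = {}
    for v in volumes:
        codes = []
        if not v.get("Encrypted", False):        # missing key counted as unencrypted here
            codes.append("unencrypted")
        if not volume_attached_or_new(v, now=now):
            codes.append("detached_past_grace")
        findings[v["VolumeId"]] = codes
    for s in snapshots:
        codes = []
        if snapshot_is_public(s):
            codes.append("public")
        if not snapshot_not_too_old(s, now=now):
            codes.append("too_old")
        findings[s["SnapshotId"]] = codes
    return findings


if __name__ == "__main__":
    for resource_id, codes in audit().items():
        print(resource_id, ", ".join(codes) or "ok")
```

In a live run, replace FIXED_NOW with `datetime.now(timezone.utc)`; keeping the clock injectable is what makes the age thresholds unit-testable.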

aws.ec2.resources module

aws.ec2.resources.ec2_instances()[source]

http://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_instances

aws.ec2.resources.ec2_security_groups()[source]

http://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_security_groups

aws.ec2.resources.ec2_ebs_volumes()[source]

http://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_volumes

aws.ec2.resources.ec2_ebs_snapshots()[source]

http://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_snapshots

aws.ec2.resources.ec2_ebs_snapshots_create_permission()[source]

https://botocore.amazonaws.com/v1/documentation/api/latest/reference/services/ec2.html#EC2.Client.describe_snapshot_attribute

aws.ec2.resources.ec2_flow_logs()[source]

https://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_flow_logs

aws.ec2.resources.ec2_vpcs()[source]

https://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_vpcs

aws.ec2.resources.ec2_addresses()[source]

https://botocore.readthedocs.io/en/latest/reference/services/ec2.html#EC2.Client.describe_addresses

aws.ec2.resources.ec2_security_groups_with_in_use_flag()[source]

Returns security groups with an additional “InUse” key, which is True if the group is associated with at least one resource.

Resource types checked:

- EC2
- ELBs (v1 and v2)
- RDS
- Redshift
- ElastiCache
- Elasticsearch Service
- AutoScaling

aws.ec2.resources.ec2_images_owned_by(account_ids)[source]

Returns a list of EC2 images (AMIs) owned by the provided account IDs.

aws.ec2.test_ec2_all_eips_bound module

aws.ec2.test_ec2_ebs_snapshot_not_too_old module

aws.ec2.test_ec2_ebs_snapshots_are_private module

aws.ec2.test_ec2_ebs_volume_attached_to_instance module

aws.ec2.test_ec2_ebs_volume_encrypted module

aws.ec2.test_ec2_ebs_volume_not_piops module

aws.ec2.test_ec2_instance_has_required_tags module

aws.ec2.test_ec2_instance_on_acceptable_ami module

aws.ec2.test_ec2_security_group_in_use module

aws.ec2.test_ec2_security_group_opens_all_ports module

aws.ec2.test_ec2_security_group_opens_all_ports_to_all module

aws.ec2.test_ec2_security_group_opens_all_ports_to_self module

aws.ec2.test_ec2_security_group_opens_specific_ports_to_all module

aws.ec2.test_ec2_vpc_flow_log_enabled module

Module contents