sgCheckup generates nmap output based on scanning your AWS Security Groups for unexpected open ports.

sgCheckup - Check your Security Groups for Unexpected Open Ports & Generate nmap Output

sgCheckup is a tool to scan your AWS Security Groups for a combination of open ports and attached Network Interfaces. The goal is to find anything listening on a port that you wouldn't consider safe. In addition to generating reports for security groups, sgCheckup can generate and run nmap to get specifics.

Why?

Security Groups are an important line of defense for your infrastructure, but as you make changes, it's easy to forget to revert a quick fix that was made to get something working. Having a view into which ports are open and what's listening on them helps you prioritize locking down access. Using nmap to pinpoint specifics and fingerprint the open ports adds further context for tightening security groups.

Prerequisites

  • AWS Credentials (~/.aws/, AWS_* environment variables, metadata server, etc.)
  • Docker
  • If running from source, go version >= go1.15

Installation Options

  1. Download the latest release:

Linux:

    curl -Lo sgCheckup https://github.com/goldfiglabs/sgCheckup/releases/latest/download/sgCheckup_linux
    chmod a+x ./sgCheckup

OSX x86:

    curl -Lo sgCheckup https://github.com/goldfiglabs/sgCheckup/releases/latest/download/sgCheckup_darwin_amd64
    chmod a+x ./sgCheckup

OSX M1/arm:

    curl -Lo sgCheckup https://github.com/goldfiglabs/sgCheckup/releases/latest/download/sgCheckup_darwin_arm64
    chmod a+x ./sgCheckup

  2. Run from source:

    git clone https://github.com/goldfiglabs/sgCheckup.git
    cd sgCheckup
    go run main.go


Usage

Run ./sgCheckup and view the reports generated in output/.

nmap results are in output/nmap/, with a summary in nmap.html that cross-references what nmap found against the security groups that opened each port.

Overview

sgCheckup uses goldfiglabs/introspector to snapshot the Security Groups and Network Interfaces from your AWS Account into a Postgres database. sgCheckup then runs SQL queries to look for Security Groups with open ports and attached Network Interfaces. This list is then used to configure running nmap against the targeted list of IPs and ports. The output of nmap is used to determine if a) anything is listening and b) what software is listening on open ports.

Notes

  1. Two HTML and two CSV reports are provided: one of each organized by Security Group, and one of each organized by IP/Port combination.

  2. By default, sgCheckup considers ports 22, 80, and 443 to be open intentionally. You can use the flag -safePorts <comma-separated port list> to override this behavior according to your own policies. Use --safe-ports "" to mark all ports unsafe.

  3. You can skip the nmap phase with -skip-nmap. You will still get the report focused on Security Groups, but not the report based on open IP/Port combinations.
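To make the Overview and the notes above concrete, here is an added example written for this page; it is not code from sgCheckup or introspector. It models the Security Group to Network Interface join and the -safePorts handling described above in plain Go over a constructed inventory (TEST-NET-3 addresses), and builds the per-host nmap argument list the tool would run. The struct shapes, function names, the simplification to TCP rules with a single IPv4 CIDR each, and the use of nmap's -sV service-detection flag are assumptions made for the example, not the project's API; the real tool performs this join in SQL against the Postgres snapshot rather than in memory.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type (
	// IPPermission is one inbound TCP rule: an inclusive port range and one IPv4 CIDR.
	IPPermission struct {
		FromPort int
		ToPort   int
		CIDR     string
	}
	// NetworkInterface is an ENI; PublicIP is empty when it has no public address.
	NetworkInterface struct {
		PublicIP string
		GroupIDs []string
	}
	// Target is one externally reachable IP/port pair and the group that opened it.
	Target struct {
		IP      string
		Port    int
		GroupID string
	}
)

// ParseSafePorts parses a -safePorts value like "22,80,443"; "" yields an empty set, so every open port counts as unsafe.
func ParseSafePorts(s string) (map[int]bool, error) {
	safe := map[int]bool{}
	for _, f := range strings.FieldsFunc(s, func(r rune) bool { return r == ',' || r == ' ' }) {
		p, err := strconv.Atoi(f)
		if err != nil || p < 0 || p > 65535 {
			return nil, fmt.Errorf("invalid port %q in safe port list", f)
		}
		safe[p] = true
	}
	return safe, nil
}

// UnsafeTargets joins groups (ID -> inbound rules) to the ENIs they are attached to and
// returns each public IP/port open to 0.0.0.0/0 that is not in safe. Private-only rules and ENIs without a public IP yield nothing.
func UnsafeTargets(groups map[string][]IPPermission, enis []NetworkInterface, safe map[int]bool) []Target {
	var out []Target
	for _, eni := range enis {
		if eni.PublicIP == "" {
			continue
		}
		for _, gid := range eni.GroupIDs {
			for _, r := range groups[gid] {
				if r.CIDR != "0.0.0.0/0" {
					continue
				}
				for p := r.FromPort; p <= r.ToPort; p++ {
					if !safe[p] {
						out = append(out, Target{eni.PublicIP, p, gid})
					}
				}
			}
		}
	}
	return out // grouped by ENI, so targets sharing an IP are contiguous
}

// NmapArgs folds the targets into one nmap argument list per host; -sV asks for service banners so the report can say what is listening.
func NmapArgs(targets []Target) [][]string {
	var cmds [][]string
	for i, t := range targets {
		if i == 0 || t.IP != targets[i-1].IP {
			cmds = append(cmds, []string{"nmap", "-sV", "-p", strconv.Itoa(t.Port), t.IP})
			continue
		}
		cmds[len(cmds)-1][3] += "," + strconv.Itoa(t.Port)
	}
	return cmds
}

// Constructed sample inventory (TEST-NET-3 addresses, not real resources).
var sampleGroups = map[string][]IPPermission{
	"sg-web":   {{22, 22, "0.0.0.0/0"}, {80, 80, "0.0.0.0/0"}, {443, 443, "0.0.0.0/0"}, {8080, 8081, "0.0.0.0/0"}},
	"sg-admin": {{3389, 3389, "10.0.0.0/8"}}, // reachable from the VPC only
	"sg-db":    {{5432, 5432, "0.0.0.0/0"}},  // database open to the world
}
var sampleENIs = []NetworkInterface{
	{PublicIP: "203.0.113.10", GroupIDs: []string{"sg-web", "sg-admin"}},
	{PublicIP: "203.0.113.11", GroupIDs: []string{"sg-db"}},
	{PublicIP: "", GroupIDs: []string{"sg-db"}}, // no public address: nothing to scan
}

func main() {
	safe, err := ParseSafePorts("22,80,443") // the tool's default safe list
	if err != nil {
		panic(err)
	}
	for _, args := range NmapArgs(UnsafeTargets(sampleGroups, sampleENIs, safe)) {
		fmt.Println(strings.Join(args, " "))
	}
}
```

With the default safe list the run reports 8080-8081 on 203.0.113.10 (opened by sg-web) and 5432 on 203.0.113.11 (opened by sg-db); sg-admin's 3389 is skipped because it only admits 10.0.0.0/8, and the third interface is skipped because it has no public address even though sg-db is attached to it. Passing "" as the safe list adds 22, 80 and 443 to the first host's port list, which is what the note about marking all ports unsafe amounts to.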

License

Copyright (c) 2021 Gold Fig Labs Inc.

This Source Code Form is subject to the terms of the Mozilla Public License, v.2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.

Mozilla Public License v2.0

Comments
  • Error after launching sgCheckup

    Hi,

    I've decided to test sgCheckup as it seems very helpful for me, especially with the reporting functionality. I'm using the binary version on Ubuntu. I've set up an AWS profile. Here is the error message I get after launching sgCheckup:

    ubuntu@ip-172-17-13-117:~/sgCheckup_bin$ sudo ./sgCheckup
    INFO[0000] Running postgres
    INFO[0001] Waiting for postgres to be healthy
    INFO[0033] Postgres is healthy
    INFO[0033] Checking for introspector image
    INFO[0035] Initializing introspector
    INFO[0038] Running introspector with service spec ec2=SecurityGroups,NetworkInterfaces
    INFO[0038] Introspector run may take a few minutes
    INFO[0050] # Report Rows: 0
    panic: Failed to load metadata: Query for most recent import job found no results

    goroutine 1 [running]:
    main.main()
        /Users/vikrum/dev/sgCheckup/main.go:469 +0x1613

    Have you any idea of the problem? Thank you in advance!

    Nicolas

  • Db Error

    When running the tool I am getting the error below:

    INFO[0000] Running postgres
    INFO[0018] Waiting for postgres to be healthy
    INFO[0050] Postgres is healthy
    INFO[0050] Checking for introspector image
    INFO[0054] Initializing introspector
    INFO[0054] Running introspector with service spec ec2=SecurityGroups,NetworkInterfaces
    INFO[0054] Introspector run may take a few minutes
    panic: Failed to ping db: pq: password authentication failed for user "introspector"

    goroutine 1 [running]: main.main() /Users/vikrum/dev/sgCheckup/main.go:469 +0x1613
