xyberviri / awsportauditor

A collection of scripts created to simplify the creation of AWS open port reports.

License: GNU General Public License v3.0

Batchfile 100.00%

awsportauditor's Introduction

AWSPortAuditor

A collection of scripts created to simplify the auditing of "open" ports in AWS security groups.

Download and execute run.cmd.

You will be prompted to select a profile to run this against.

Configure MFA support (optional)

This tool supports MFA by way of the sts get-session-token API. Ideally your "real" AWS CLI key only has access to the sts:GetSessionToken API. Using that API, the tool requests a set of temporary credentials and then updates your ".aws\credentials" file.

First open your ".aws\config" file and duplicate any existing named profile. A named profile is one that is identified by a [profile name] heading. Append -auth to the name of the duplicated profile:

Original:

[default]
output = json
region = us-east-1

[profile prod]
output = json
region = us-east-1

New:

[default]
output = json
region = us-east-1

[profile prod]
output = json
region = us-east-1

[profile prod-auth]
output = json
region = us-east-1

Next, edit your ".aws\credentials" file the same way:

Original:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

New:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod-auth]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

From this point on, your named -auth profile holds your "original" (long-lived) credentials and your named profile will use MFA credentials. After authenticating with MFA for the first time you will notice that the "named" non-auth profile now has an AWS_SESSION_TOKEN field; this is normal.

When prompted to authenticate, your MFA Serial is the full ARN of your assigned MFA device. It can be found under the "Security credentials" tab, below the last login field. It is similar to your User ARN except that it has ":mfa/" instead of ":user/" in it.
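As an added example (not code from the AWSPortAuditor project, which is batch-file based), the Python below implements the flow the profile layout above supports: derive the MFA serial from a user ARN, build the `aws sts get-session-token` call against the `<profile>-auth` profile, and write the returned temporary credentials into `<profile>` while leaving `<profile>-auth` untouched. The credentials file and the STS response are constructed samples with fake values; the response has the same shape as the real `--output json` output. The refusal to write when no `-auth` section exists is this example's own safety check, not project behaviour.

```python
"""Added example (not part of the AWSPortAuditor project): turn an
sts get-session-token response into an updated credentials file.

Assumptions: the long-lived key lives in "<profile>-auth", the MFA
session goes into "<profile>", and the STS response is the JSON the
AWS CLI prints for `aws sts get-session-token --output json`.
"""
import configparser
import io
import json

# Constructed sample: a credentials file laid out as the README describes.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod-auth]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Constructed sample STS response: real field names, fake values.
SAMPLE_STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLETEMPKEY00",
        "SecretAccessKey": "exampleTemporarySecretKey/NotReal",
        "SessionToken": "exampleSessionToken==",
        "Expiration": "2024-01-01T12:00:00+00:00",
    }
})


def mfa_serial_from_user_arn(user_arn: str) -> str:
    """The MFA device ARN differs from the user ARN only in ':mfa/' vs ':user/'.
    Assumes a virtual MFA device named after the user (the IAM console default)."""
    if ":user/" not in user_arn:
        raise ValueError("expected an IAM user ARN containing ':user/'")
    return user_arn.replace(":user/", ":mfa/", 1)


def get_session_token_argv(profile: str, mfa_serial: str, token_code: str,
                           duration_seconds: int = 43200) -> list:
    """Build the AWS CLI invocation; the long-lived key is read from '<profile>-auth'.
    43200 seconds (12 hours) is the CLI's own default duration."""
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("MFA token code must be six digits")
    return ["aws", "sts", "get-session-token",
            "--profile", f"{profile}-auth",
            "--serial-number", mfa_serial,
            "--token-code", token_code,
            "--duration-seconds", str(duration_seconds),
            "--output", "json"]


def apply_session_credentials(credentials_text: str, profile: str, sts_json: str) -> str:
    """Write the temporary credentials into [profile], leaving [profile-auth] intact.
    Returns the new credentials file content as text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    auth_profile = f"{profile}-auth"
    if not cfg.has_section(auth_profile):
        # Safety check added here: without the -auth copy, writing the session
        # into [profile] would overwrite the only copy of the long-lived key.
        raise KeyError(f"no [{auth_profile}] section; duplicate [{profile}] first")
    creds = json.loads(sts_json)["Credentials"]
    if not cfg.has_section(profile):
        cfg.add_section(profile)
    cfg[profile]["aws_access_key_id"] = creds["AccessKeyId"]
    cfg[profile]["aws_secret_access_key"] = creds["SecretAccessKey"]
    cfg[profile]["aws_session_token"] = creds["SessionToken"]
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def read_profile(credentials_text: str, profile: str) -> dict:
    """Return one profile's key/value pairs, for inspection after the update."""
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    return dict(cfg[profile])


if __name__ == "__main__":
    serial = mfa_serial_from_user_arn("arn:aws:iam::123456789012:user/alice")
    print(" ".join(get_session_token_argv("prod", serial, "123456")))
    updated = apply_session_credentials(SAMPLE_CREDENTIALS, "prod", SAMPLE_STS_RESPONSE)
    print(read_profile(updated, "prod"))
```

The real run would execute the printed command with `subprocess.run(..., capture_output=True)` and feed its stdout to `apply_session_credentials`; the sample response stands in for that here so the block runs offline.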

Configuration of your IAM policies is outside the scope of support.

For information about restricting API access to MFA-verified sessions, please read the following documents:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html
https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Basically, both the aws:MultiFactorAuthAge and aws:MultiFactorAuthPresent conditions should be present on all of the APIs that you want to protect, with the only access granted to your non-MFA API key being "sts get-session-token". Speak with your AWS SYSOPS Administrator.
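To make the two conditions concrete, here is an added example (not part of the AWSPortAuditor project) of what such a policy looks like and how its conditions behave. The policy structure and the `aws:MultiFactorAuthPresent` / `aws:MultiFactorAuthAge` condition keys are real IAM syntax; the EC2 actions listed, the one-hour maximum age and the request contexts are assumptions chosen for illustration. The evaluator is a deliberately minimal stand-in that handles only the two operators used, not a reimplementation of IAM.

```python
"""Added example (not from the AWSPortAuditor project): the shape of an
MFA-gating IAM policy and a small check of how its two conditions behave."""

MAX_MFA_AGE_SECONDS = 3600  # assumption: one hour; choose your own limit

# Real condition keys and operators; the actions are illustrative.
# Statement 1 lets the long-lived key do nothing but fetch an MFA session.
# Statement 2 is the pattern to apply to every API you want to protect.
MFA_GATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetSessionTokenWithoutMfa",
            "Effect": "Allow",
            "Action": "sts:GetSessionToken",
            "Resource": "*",
        },
        {
            "Sid": "AllowDescribeWithFreshMfa",
            "Effect": "Allow",
            "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeInstances"],
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "NumericLessThan": {"aws:MultiFactorAuthAge": str(MAX_MFA_AGE_SECONDS)},
            },
        },
    ],
}


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate only the Bool and NumericLessThan operators used above."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                # A request signed with the long-lived key alone carries no
                # MFA keys at all, and a test on a missing key is false.
                if actual is None or str(actual).lower() != wanted.lower():
                    return False
            elif operator == "NumericLessThan":
                if actual is None or not float(actual) < float(wanted):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """Allow-only simulation: True if some Allow statement names the action
    and all of its conditions hold for the request context."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] != "Allow" or action not in actions:
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed request contexts: long-lived key alone, a fresh MFA session, a stale one.
NO_MFA = {}
FRESH_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": 120}
STALE_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": 7200}

if __name__ == "__main__":
    for name, ctx in [("no MFA", NO_MFA), ("fresh MFA", FRESH_MFA), ("stale MFA", STALE_MFA)]:
        print(name, "sts:GetSessionToken:", is_allowed(MFA_GATED_POLICY, "sts:GetSessionToken", ctx),
              "ec2:DescribeSecurityGroups:", is_allowed(MFA_GATED_POLICY, "ec2:DescribeSecurityGroups", ctx))
```

The stale-session case is why the age condition matters alongside the presence check: a session that was MFA-authenticated hours ago still reports `aws:MultiFactorAuthPresent` as true, and only `aws:MultiFactorAuthAge` bounds how long that session stays usable.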

Additional note: the root account cannot be MFA protected.

Why .bat, jq and various gnu32 tools

Most of the components were the result of expanding the AWS CLI with small batch files so that I could gather information faster from the command line. Then I was tasked with gathering all of the "open ports" that were accessible as a result of the security groups. That created new batch files and modified some old ones.

Feel free to use whatever you find useful.
