{ "info": { "author": "", "author_email": "", "bugtrack_url": null, "classifiers": [], "description": "# pysec-aws\nRepository approach to security groups, create easy to modify files and use cloudformation to manage your security groups.\n\n## Sample Text File and Syntax\n```\n## File: rules.pysec\n## Syntax: /:-^\n\n52.35.22.100/32:80-443^tcp\n52.35.22.101/32:443^udp\n52.35.23.0/21:80^tcp\n```\n\n## Install\n\n```bash\npip install pysec-aws\n```\n\n## Usage From Shell\n\n```bash\n# Initiate a new repository of rules, folder path defaults to current directory.\n$ pysec init --folder-path /my-repo\n$\n\n# Configure the new repository with required configuration items, --aws-profile-name will search for AWS credential profile\n$ pysec configure --vpc-id vpc-12345678 --group-name MySecurityGroup --aws-region us-west-2 --aws-profile-name myprofile\n$\n\n# Get a digest of VPC Flow logs - who is connecting to my endpoint?\n$ pysec --use-profile testflow --log-group myFlowLogs --log-stream eni-63e3e655-all --look-back 1\nQuerying log stream eni-63e3e655-all from 1514052976000 to 1514139376000 showing FLOW DIGEST report\n\n Hits From To ACCEPT/REJECT\n------ --------------- ------------- ---------------\n 4391 172.31.42.101 191.88.99.255 ACCEPT\n 827 46.23.161.189 172.31.42.101 REJECT\n 719 141.214.87.12 172.31.42.101 REJECT\n 714 73.72.82.97 172.31.42.101 REJECT\n 711 73.72.82.147 172.31.42.101 REJECT\n 611 73.72.82.158 172.31.42.101 REJECT\n 110 87.93.20.244 172.31.42.101 REJECT\n\n## Add / Remove rules in rules.pysec ##\necho \"52.33.24.1/32:80^tcp\" >> rules.pysec\n\n# Get repository status\n$ pysec status\nFile Path MD5 Hash (Committed) MD5 Hash (Current) Diff?\n------------------- -------------------------------- -------------------------------- -------\n/my-repo/rules.pysec f6722d7eabfcfb0df9bdbb80b7439fdf 654e160cd132a40ed630da0c4d2d8032 True\n\n# Stage a change\n$ pysec --use-profile stage\n # Suggested Change Security Group Action\n--- ---------------------------------------------------- ---------------- --------------\n 1 CIDR-IP: 52.33.24.1/32 FROM: 80 TO: 80 PROTOCOL: tcp MySecurityGroup ++ addition ++\n 2 CIDR-IP: 52.35.23.0/32 FROM: 80 TO: 80 PROTOCOL: tcp MySecurityGroup -- removal --\n\n# Get a digest of VPC Flow logs - who is connecting to my endpoint?\n$ pysec --use-profile testflow --log-group myFlowLogs --log-stream eni-63e3e655-all --look-back 1\nQuerying log stream eni-63e3e655-all from 1514052976000 to 1514139376000 showing CHANGE RISK report\n\n Hits From To ACCEPT/REJECT\n------ --------------- ------------- ---------------\n 835 52.33.24.0 191.88.99.255 ACCEPT\n 691 52.35.22.100 191.88.99.255 ACCEPT\n 647 52.35.22.101 191.88.99.255 ACCEPT\n 32 52.33.24.1 172.31.42.101 REJECT\n\n# Commit the changes using profile\n$ pysec --use-profile --yes commit\n[INFO] Creating Stack arn:aws:cloudformation:us-west-2:123456789123:stack/PysecSecurityGroup-DH447K/0ef530a0-e74a-14e7-9c17-50d5ca789eae\n[INFO] Stack created successfully\n\n# Destroy stack and repository\n$ pysec --use-profile --yes destroy\n[INFO] Deleting Stack arn:aws:cloudformation:us-west-2:123456789123:stack/PysecSecurityGroup-DH447K/0ef530a0-e74a-14e7-9c17-50d5ca789eae\n[INFO] Stack deleted successfully\n```\n\n## Usage From Code\n\n```python\n>>> import pysec\n# Loading a single file\n>>> p = pysec.SecurityTemplate(input_file_path='/my-repo/rules.pysec')\n[INFO] File /my-repo/rules.pysec loaded successfully - 3 ingress rules detected\n\n# Loading a folder of files\n>>> p2 = pysec.SecurityTemplate(folder_path='/my-repo')\n[INFO] File /my-repo/rules.pysec loaded successfully - 3 ingress rules detected\n[INFO] File /my-repo/rules_02.pysec loaded successfully - 3 ingress rules detected\n\n>>> p\n{'requests': [{'toPort': '443', 'ip': '52.35.22.100', 'cidr': '32', 'ipProtocol': 'tcp', 'fromPort': '80'}, {'toPort': '443', 'ip': '52.35.22.101', 'cidr': '32', 'ipProtocol': 'udp', 'fromPort': '443'}, {'toPort': '80', 'ip': '52.35.23.0', 'cidr': '21', 'ipProtocol': 'tcp', 'fromPort': '80'}]}\n\n>> p.generate_template(group_name='MySecurityGroup', vpc='vpc-82c92af3')\n[INFO] Generated Troposphere object\n\n>>> p.to_file(output_file_path='/my-repo/artifact.yaml', format='yml')\n[INFO] CF Template flushed to disk: /my-repo/artifact.yaml\n\n>>> p.to_file(output_file_path='/my-repo/artifact.json', format='json')\n[INFO] CF Template flushed to disk: /my-repo/artifact.json\n\n>>> p.to_cfdict()\n{'Outputs': {'SecurityGroupId': {'Description': 'Security Group Id', 'Value': {'Ref': 'MySecurityGroup'}}}, 'Resources': {'MySecurityGroup': {'Type': 'AWS::EC2::SecurityGroup', 'Properties': {'SecurityGroupIngress': [{'ToPort': '443', 'FromPort': '80', 'IpProtocol': 'tcp', 'CidrIp': '52.35.22.100/32'}, {'ToPort': '443', 'FromPort': '443', 'IpProtocol': 'udp', 'CidrIp': '52.35.22.101/32'}, {'ToPort': '80', 'FromPort': '80', 'IpProtocol': 'tcp', 'CidrIp': '52.35.23.0/21'}], 'VpcId': 'vpc-82c92af3', 'GroupDescription': 'Security group created by PySec-AWS - MySecurityGroup'}}}}\n\n```\n\n### Artifacts\n\nYou can generate either YAML or JSON artifacts.\n\n```yaml\nOutputs:\n SecurityGroupId:\n Description: Security Group Id\n Value: !Ref 'MySecurityGroup'\nResources:\n MySecurityGroup:\n Properties:\n GroupDescription: Security group created by automated process - MySecurityGroup\n SecurityGroupIngress:\n - CidrIp: 52.35.22.100/32\n FromPort: '80'\n IpProtocol: tcp\n ToPort: '443'\n - CidrIp: 52.35.22.101/32\n FromPort: '443'\n IpProtocol: udp\n ToPort: '443'\n - CidrIp: 52.35.23.0/21\n FromPort: '80'\n IpProtocol: tcp\n ToPort: '80'\n VpcId: vpc-82c92af3\n Type: AWS::EC2::SecurityGroup\n```\n\n## Use cases\n\nIf you need to manage a lot of dynamic security group that allow access between multiple AWS accounts, you can use this to keep simple ip lists in your repo per environment / branch, and build them into cloudformation templates during your CICD process, it is easier to manage then making changes directly to a template stored on git.\nAlternatively, one could automate the process of building CF templates using this tool -- pull requests can trigger build and update of existing stack (this will require contributions to this tool).\n\nConsider a github repository as a source for whitelisted IP addresses:\n\n```bash\nRepository-Root/\n\u251c\u2500\u2500 Production/\n\u2502 \u251c\u2500\u2500 Service-A/\n\u2502 \u2502 \u251c\u2500\u2500 .pysec # pysec state file\n\u2502 \u2502 \u251c\u2500\u2500 .hashes # pysec files hash table\n\u2502 \u2502 \u251c\u2500\u2500 rules.pysec # pysec rules file\n\u2502 \u251c\u2500\u2500 Service-B/\n\u2502 \u2502 \u251c\u2500\u2500 .pysec\n\u2502 \u2502 \u251c\u2500\u2500 .hashes\n\u2502 \u2502 \u251c\u2500\u2500 rules.pysec\n\u251c\u2500\u2500 Pre-Production/\n\u2502 \u251c\u2500\u2500 .../\n```\n\nGiven changes to a rules file, after cloning this repository, pysec can update relevant stacks in relevant account,\nthis allows you to delegate control to other teams over relevant security groups, while letting you be a reviewer of\nsaid changes.", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "pysec-aws", "package_url": "https://pypi.org/project/pysec-aws/", "platform": "", "project_url": "https://pypi.org/project/pysec-aws/", "project_urls": null, "release_url": "https://pypi.org/project/pysec-aws/0.3/", "requires_dist": null, "requires_python": "", "summary": "", "version": "0.3" }, "last_serial": 3440955, "releases": { "0.1": [ { "comment_text": "", "digests": { "md5": "2aab2094796f87b84a03ceed4f94738d", "sha256": "c7939fa048caa68d816f622d77626c2d33bada78d8e2ef5197948131279b1718" }, "downloads": -1, "filename": "pysec_aws-0.1-py2.7.egg", "has_sig": false, "md5_digest": "2aab2094796f87b84a03ceed4f94738d", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 6669, "upload_time": "2017-12-21T18:23:46", "url": "https://files.pythonhosted.org/packages/98/a9/800d001dc69dddcd3da4b220ab59c92eb591af7183410654fcd7e5349e28/pysec_aws-0.1-py2.7.egg" } ], "0.2": [ { "comment_text": "", "digests": { "md5": "c23d09076c6e33488f4dbb2f8bc9ff02", "sha256": "9de09629b33c4eee1f39068e4ad7744f2e286309ac647fef6a4419a25a79ee24" }, "downloads": -1, "filename": "pysec_aws-0.2-py2.7.egg", "has_sig": false, "md5_digest": "c23d09076c6e33488f4dbb2f8bc9ff02", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 18552, "upload_time": "2017-12-23T03:31:55", "url": "https://files.pythonhosted.org/packages/72/b1/5735c16334de91212541b6e31c660819e6046c976381d8d8115e9ae56218/pysec_aws-0.2-py2.7.egg" }, { "comment_text": "", "digests": { "md5": "82f00bc3f0e913a8ed77b0fe03694ebd", "sha256": "efb772861b04f85acdb1fb6d1713c765376fa5153c8c92abab95766f0f9a8dc8" }, "downloads": -1, "filename": "pysec-aws-0.2.tar.gz", "has_sig": false, "md5_digest": "82f00bc3f0e913a8ed77b0fe03694ebd", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7283, "upload_time": "2017-12-23T03:31:53", "url": "https://files.pythonhosted.org/packages/89/8c/30d15955fa0a32f5b29b066e718c7f2d72d0f7db0bce38baf657152ca7be/pysec-aws-0.2.tar.gz" } ], "0.3": [ { "comment_text": "", "digests": { "md5": "f8bcfa48897fe0fd82410c020cc1d8b1", "sha256": "cb49298456721dbf1f7f4e4ae7764adcef534743bbd116a00b1fe523feffa3b6" }, "downloads": -1, "filename": "pysec-aws-0.3.tar.gz", "has_sig": false, "md5_digest": "f8bcfa48897fe0fd82410c020cc1d8b1", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12413, "upload_time": "2017-12-24T21:38:36", "url": "https://files.pythonhosted.org/packages/0e/f3/913a737a6d12096bcb6c2e8eb0ecdd1043ef5de593bfeeeb3f9eb9508ef2/pysec-aws-0.3.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "f8bcfa48897fe0fd82410c020cc1d8b1", "sha256": "cb49298456721dbf1f7f4e4ae7764adcef534743bbd116a00b1fe523feffa3b6" }, "downloads": -1, "filename": "pysec-aws-0.3.tar.gz", "has_sig": false, "md5_digest": "f8bcfa48897fe0fd82410c020cc1d8b1", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12413, "upload_time": "2017-12-24T21:38:36", "url": "https://files.pythonhosted.org/packages/0e/f3/913a737a6d12096bcb6c2e8eb0ecdd1043ef5de593bfeeeb3f9eb9508ef2/pysec-aws-0.3.tar.gz" } ] }