├── .gitignore
├── Makefile
├── README.md
├── infra
    ├── cloudwatch.tf
    ├── iam.tf
    ├── lambda-ingest-example.tf.example
    ├── lambda-ingest-urlscan.tf
    ├── lambda-scan.tf
    ├── lambda-upload.tf
    ├── s3-buckets.tf
    ├── sns.tf
    └── variables.tf
├── lambda
    ├── ingest-example
    │   ├── main.py
    │   └── requirements.txt
    ├── ingest-urlscan
    │   ├── main.py
    │   └── requirements.txt
    ├── pack.sh
    ├── scan
    │   ├── main.py
    │   └── requirements.txt
    ├── upload
    │   └── main.py
    └── uploader.py
└── res
    ├── icon.png
    ├── notif.png
    └── s3eker.png


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Mac
 2 | .DS_Store
 3 | 
 4 | # Terraform
 5 | infra/.terraform
 6 | 
 7 | # Lambda packages
 8 | lambda/dist/
 9 | 
10 | # Binaries for programs and plugins
11 | *.exe
12 | *.exe~
13 | *.dll
14 | *.so
15 | *.dylib
16 | 
17 | # Test binary, built with `go test -c`
18 | *.test
19 | 
20 | # Output of the go coverage tool, specifically when used with LiteIDE
21 | *.out
22 | 
23 | # Dependency directories (remove the comment below to include it)
24 | # vendor/
25 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | pack: ## Package the code into zip archive, upload to the S3 bucket, and update the functions.
2 | 	cd lambda && ./pack.sh
3 | 
4 | remove: ## Remove the test bucket from the list of previously scanned buckets.
5 | 	aws s3 rm s3://s3eker-buckets/s3eker-open.s3-website-us-east-1.amazonaws.com
6 | 
7 | test: remove ## Publish a test open bucket to the SNS topic.
8 | 	aws sns publish --topic-arn 'arn:aws:sns:us-east-1:xxxxxxxxxxxx:s3eker-upload' --message '{"bucket": "s3eker-open.s3-website-us-east-1.amazonaws.com"}'


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # s3eker <img src="res/icon.png" alt="icon" width="32"/>
 2 | 
 3 | s3eker is an extensible way to find open S3 buckets and notify via Slack. There are no limits on what can be used to ingest bucket names as long as it has a way to publish to the AWS SNS topic (REST API, CLI, SDK). Almost all of the infrastructure can be created using Terraform.
 4 | 
 5 | <img src="res/notif.png" alt="notification" width="200"/>
 6 | 
 7 | ## Ingestion Example
 8 | 
 9 | A Lambda function searches [urlscan.io](https://urlscan.io) every hour for websites that reach out to a `s3-website-us-east-1.amazonaws.com` subdomain. The theory being if a bucket is being used as a static site, it may have more relaxed permissions.
10 | 
11 | ## Getting Started
12 | 
13 | See the [Configuration and Deployment](https://github.com/becksteadn/s3eker/wiki/Configuration-and-Deployment) section of the [Wiki](https://github.com/becksteadn/s3eker/wiki).
14 | 
15 | ## Infrastructure Overview
16 | 
17 | s3eker runs on AWS and can be spun up using Terraform with the exception of a Secrets Manager entry for the Slack webhook. No API key is needed for urlscan.io. Ingestion functions are run periodically using Cloudwatch events. They publish all found buckets to an SNS topic. This notifies the upload function which will check if the bucket has already been scanned. If it has not been scanned, the bucket name is uploaded to an S3 bucket, triggering the scan function.
18 | 
19 | <img src="res/s3eker.png" alt="diagram"/>


--------------------------------------------------------------------------------
/infra/cloudwatch.tf:
--------------------------------------------------------------------------------
1 | resource "aws_cloudwatch_event_rule" "every-hour" {
2 |   name = "s3eker-fetch-interval"
3 |   description = "Time interval to trigger s3eker fetch Lambda."
4 |   schedule_expression = "rate(1 hour)"
5 | }
6 | 


--------------------------------------------------------------------------------
/infra/iam.tf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scriptingislife/s3eker/071718a3fb98048f384dbfde263de4db71c92465/infra/iam.tf


--------------------------------------------------------------------------------
/infra/lambda-ingest-example.tf.example:
--------------------------------------------------------------------------------
 1 | resource "aws_lambda_function" "ingest-example" {
 2 |     function_name   = "s3eker-ingest-example"
 3 |     s3_bucket       = var.lambda_bucket_name
 4 |     s3_key          = "ingest-example/ingest-example.zip"
 5 | 
 6 |     memory_size     = 128
 7 |     timeout         = 240
 8 | 
 9 |     handler         = "main.main"
10 |     runtime         = "python3.7"
11 |     role            = aws_iam_role.exec-ingest-example.arn
12 | }
13 | 
14 | resource "aws_iam_role" "exec-ingest-example" { 
15 |   name                = "s3eker-lambda-ingest-example"
16 |   assume_role_policy  = <<EOF
17 | {
18 |   "Version": "2012-10-17",
19 |   "Statement": [
20 |     {
21 |       "Action": "sts:AssumeRole",
22 |       "Principal": {
23 |         "Service": "lambda.amazonaws.com"
24 |       },
25 |       "Effect": "Allow",
26 |       "Sid": ""
27 |     }
28 |   ]
29 | }
30 | EOF
31 | }
32 | 
33 | resource "aws_iam_role_policy_attachment" "attach-ingest-example-lambda-execute" {
34 |   role = aws_iam_role.exec-ingest-example.name
35 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
36 | }
37 | 
38 | resource "aws_iam_role_policy_attachment" "attach-ingest-urlscan-upload-write" {
39 |   role = aws_iam_role.exec-ingest-urlscan.name
40 |   policy_arn = aws_iam_policy.upload-write.arn
41 | }
42 | 
43 | resource "aws_lambda_permission" "allow-cloudwatch-to-call-s3eker-ingest-example" {
44 |   statement_id = "AllowExecutionFromCloudWatch"
45 |     action = "lambda:InvokeFunction"
46 |     function_name = aws_lambda_function.ingest-example.function_name
47 |     principal = "events.amazonaws.com"
48 |     source_arn = aws_cloudwatch_event_rule.every-hour.arn
49 | }
50 | 
51 | resource "aws_cloudwatch_event_target" "ingest-example" {
52 |   rule = aws_cloudwatch_event_rule.every-hour.name
53 |   target_id = "s3eker-ingest-example"
54 |   arn = aws_lambda_function.ingest-example.arn
55 | }
56 | 


--------------------------------------------------------------------------------
/infra/lambda-ingest-urlscan.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_lambda_function" "ingest-urlscan" {
 2 |     function_name   = "s3eker-ingest-urlscan"
 3 |     s3_bucket       = var.lambda_bucket_name
 4 |     s3_key          = "ingest-urlscan/ingest-urlscan.zip"
 5 | 
 6 |     memory_size     = 128
 7 |     timeout         = 240
 8 | 
 9 |     handler         = "main.main"
10 |     runtime         = "python3.7"
11 |     role            = aws_iam_role.exec-ingest-urlscan.arn
12 | }
13 | 
14 | resource "aws_iam_role" "exec-ingest-urlscan" { 
15 |   name                = "s3eker-lambda-ingest-urlscan"
16 |   assume_role_policy  = <<EOF
17 | {
18 |   "Version": "2012-10-17",
19 |   "Statement": [
20 |     {
21 |       "Action": "sts:AssumeRole",
22 |       "Principal": {
23 |         "Service": "lambda.amazonaws.com"
24 |       },
25 |       "Effect": "Allow",
26 |       "Sid": ""
27 |     }
28 |   ]
29 | }
30 | EOF
31 | }
32 | 
33 | resource "aws_iam_role_policy_attachment" "attach-ingest-urlscan-lambda-execute" {
34 |   role = aws_iam_role.exec-ingest-urlscan.name
35 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
36 | }
37 | 
38 | resource "aws_iam_role_policy_attachment" "attach-ingest-urlscan-upload-write" {
39 |   role = aws_iam_role.exec-ingest-urlscan.name
40 |   policy_arn = aws_iam_policy.upload-write.arn
41 | }
42 | 
43 | resource "aws_lambda_permission" "allow_cloudwatch_to_call_s3eker_ingest-urlscan" {
44 |   statement_id = "AllowExecutionFromCloudWatch"
45 |     action = "lambda:InvokeFunction"
46 |     function_name = aws_lambda_function.ingest-urlscan.function_name
47 |     principal = "events.amazonaws.com"
48 |     source_arn = aws_cloudwatch_event_rule.every-hour.arn
49 | }
50 | 
51 | resource "aws_cloudwatch_event_target" "ingest-urlscan" {
52 |   rule = aws_cloudwatch_event_rule.every-hour.name
53 |   target_id = "s3eker-ingest-urlscan"
54 |   arn = aws_lambda_function.ingest-urlscan.arn
55 | }
56 | 


--------------------------------------------------------------------------------
/infra/lambda-scan.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_lambda_function" "scan" {
 2 |     function_name   = "s3eker-scan"
 3 |     s3_bucket       = var.lambda_bucket_name
 4 |     s3_key          = "scan/scan.zip"
 5 | 
 6 |     memory_size     = 128
 7 |     timeout         = 15
 8 | 
 9 |     handler         = "main.main"
10 |     runtime         = "python3.7"
11 |     role            = aws_iam_role.exec_scan.arn
12 | }
13 | 
14 | resource "aws_iam_role" "exec_scan" {
15 |   name                = "s3eker-lambda-scan"
16 |   assume_role_policy  = <<EOF
17 | {
18 |   "Version": "2012-10-17",
19 |   "Statement": [
20 |     {
21 |       "Action": "sts:AssumeRole",
22 |       "Principal": {
23 |         "Service": "lambda.amazonaws.com"
24 |       },
25 |       "Effect": "Allow",
26 |       "Sid": ""
27 |     }
28 |   ]
29 | }
30 | EOF
31 | }
32 | 
33 | resource "aws_iam_role_policy_attachment" "attach-scan-lambda-execute" {
34 |   role = aws_iam_role.exec_scan.name
35 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
36 | }
37 | 
38 | resource "aws_iam_role_policy_attachment" "attach-scan-buckets-read" {
39 |     role = aws_iam_role.exec_scan.name
40 |     policy_arn = aws_iam_policy.buckets-read.arn
41 | }
42 | 
43 | resource "aws_iam_policy" "webhook-read" {
44 |     name = "s3eker-webhook-read"
45 |     description = "Allows reading the Slack webhook for the s3eker channel."
46 |     policy = <<EOF
47 | {
48 |   "Version": "2012-10-17",
49 |   "Statement": {
50 |       "Action": "secretsmanager:GetSecretValue",
51 |       "Effect": "Allow",
52 |       "Resource": "arn:aws:secretsmanager:us-east-1:358663747217:secret:s3ekerSlackWebhook-rrNAba"
53 |     }
54 | }
55 |     EOF
56 | }
57 | 
58 | resource "aws_iam_role_policy_attachment" "attach-scan-webhook-read" {
59 |   role = aws_iam_role.exec_scan.name
60 |   policy_arn = aws_iam_policy.webhook-read.arn
61 | }
62 | 
63 | resource "aws_lambda_permission" "allow_bucket" {
64 |   statement_id  = "AllowExecutionFromS3Bucket"
65 |   action        = "lambda:InvokeFunction"
66 |   function_name = aws_lambda_function.scan.arn
67 |   principal     = "s3.amazonaws.com"
68 |   source_arn    = aws_s3_bucket.buckets.arn
69 | }
70 | 
71 | resource "aws_s3_bucket_notification" "bucket_notification" {
72 |   bucket = aws_s3_bucket.buckets.id
73 | 
74 |   lambda_function {
75 |     lambda_function_arn = aws_lambda_function.scan.arn
76 |     events              = ["s3:ObjectCreated:*"]
77 |   }
78 | 
79 |   depends_on = [aws_lambda_permission.allow_bucket]
80 | }


--------------------------------------------------------------------------------
/infra/lambda-upload.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_lambda_function" "upload" {
 2 |     function_name   = "s3eker-upload"
 3 |     s3_bucket       = var.lambda_bucket_name
 4 |     s3_key          = "upload/upload.zip"
 5 | 
 6 |     memory_size     = 128
 7 |     timeout         = 240
 8 | 
 9 |     handler         = "main.main"
10 |     runtime         = "python3.7"
11 |     role            = aws_iam_role.exec_upload.arn
12 | }
13 | 
14 | resource "aws_iam_role" "exec_upload" {
15 |   name                = "s3eker-lambda-upload"
16 |   assume_role_policy  = <<EOF
17 | {
18 |   "Version": "2012-10-17",
19 |   "Statement": [
20 |     {
21 |       "Action": "sts:AssumeRole",
22 |       "Principal": {
23 |         "Service": "lambda.amazonaws.com"
24 |       },
25 |       "Effect": "Allow",
26 |       "Sid": ""
27 |     }
28 |   ]
29 | }
30 | EOF
31 | }
32 | 
33 | resource "aws_iam_role_policy_attachment" "attach-upload-lambda-execute" {
34 |   role = aws_iam_role.exec_upload.name
35 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
36 | }
37 | 
38 | resource "aws_iam_role_policy_attachment" "attach-upload-buckets-read" {
39 |   role = aws_iam_role.exec_upload.name
40 |   policy_arn = aws_iam_policy.buckets-read.arn
41 | }
42 | 
43 | resource "aws_iam_role_policy_attachment" "attach-upload-buckets-write" {
44 |   role = aws_iam_role.exec_upload.name
45 |   policy_arn = aws_iam_policy.buckets-write.arn
46 | }
47 | 
48 | resource "aws_lambda_permission" "upload-sns" {
49 |   statement_id  = "AllowExecutionFromSNS"
50 |   action        = "lambda:InvokeFunction"
51 |   function_name = aws_lambda_function.upload.function_name
52 |   principal     = "sns.amazonaws.com"
53 |   source_arn    = aws_sns_topic.upload.arn
54 | }
55 | 
56 | resource "aws_sns_topic_subscription" "upload-sub" {
57 |   topic_arn = aws_sns_topic.upload.arn
58 |   protocol = "lambda"
59 |   endpoint = aws_lambda_function.upload.arn
60 | }


--------------------------------------------------------------------------------
/infra/s3-buckets.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_s3_bucket" "buckets" {
 2 |     bucket  = "s3eker-buckets"
 3 |     acl     = "private"
 4 | }
 5 | 
 6 | resource "aws_iam_policy" "buckets-write" {
 7 |     name = "s3eker-s3-buckets-write"
 8 |     description = "Allows writing to S3 bucket used for storing bucket domains."
 9 |     policy = <<EOF
10 | {
11 | "Version": "2012-10-17",
12 | "Statement": [
13 |     {
14 |     "Sid": "VisualEditor0",
15 |     "Action": [
16 |         "s3:PutObject"
17 |     ],
18 |     "Effect": "Allow",
19 |     "Resource": "${aws_s3_bucket.buckets.arn}/*"
20 |     }
21 | ]
22 | }
23 | EOF
24 | }
25 | 
26 | resource "aws_iam_policy" "buckets-read" {
27 |     name = "s3eker-s3-buckets-read"
28 |     description = "Allows reading S3 bucket used for storing bucket domains."
29 |     policy = <<EOF
30 | {
31 | "Version": "2012-10-17",
32 | "Statement": [
33 |     {
34 |     "Sid": "VisualEditor0",
35 |     "Action": [
36 |         "s3:GetObject",
37 |         "s3:ListBucket"
38 |     ],
39 |     "Effect": "Allow",
40 |     "Resource": [
41 |         "${aws_s3_bucket.buckets.arn}",
42 |         "${aws_s3_bucket.buckets.arn}/*"
43 |     ]
44 |     }
45 | ]
46 | }
47 | EOF
48 | }


--------------------------------------------------------------------------------
/infra/sns.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_sns_topic" "upload" {
 2 |     name = "s3eker-upload"
 3 | }
 4 | 
 5 | resource "aws_iam_policy" "upload-write" {
 6 |     name = "s3eker-sns-upload-write"
 7 |     description = "Allow ingestion Lambdas to write to SNS topic."
 8 |     policy = <<EOF
 9 | {
10 |   "Id": "Policy1595299188603",
11 |   "Version": "2012-10-17",
12 |   "Statement": [
13 |     {
14 |       "Sid": "Stmt1595299187036",
15 |       "Action": [
16 |         "sns:Publish"
17 |       ],
18 |       "Effect": "Allow",
19 |       "Resource": "${aws_sns_topic.upload.arn}"
20 |     }
21 |   ]
22 | }
23 |     EOF
24 | }


--------------------------------------------------------------------------------
/infra/variables.tf:
--------------------------------------------------------------------------------
1 | variable "lambda_bucket_name" {
2 |     default = "s3eker-lambda-store"
3 | }


--------------------------------------------------------------------------------
/lambda/ingest-example/main.py:
--------------------------------------------------------------------------------
 1 | from uploader import upload
 2 | import requests
 3 | import logging
 4 | import boto3
 5 | import json
 6 | 
 7 | logging.basicConfig()
 8 | logging.getLogger().setLevel(logging.INFO)
 9 | 
10 | def main(event, context):
11 |     client = boto3.client('sns')
12 |     sns_arn = "arn:aws:sns:us-east-1:358663747217:s3eker-upload"
13 | 
14 |     site = "example.com.s3-website-us-east-1.amazonaws.com"
15 |     upload(client, sns_arn, site)
16 | 
17 | if __name__ == "__main__":
18 |     main(None, None)


--------------------------------------------------------------------------------
/lambda/ingest-example/requirements.txt:
--------------------------------------------------------------------------------
1 | requests


--------------------------------------------------------------------------------
/lambda/ingest-urlscan/main.py:
--------------------------------------------------------------------------------
 1 | from uploader import upload
 2 | import requests
 3 | import logging
 4 | import boto3
 5 | import json
 6 | 
 7 | logging.basicConfig()
 8 | logging.getLogger().setLevel(logging.INFO)
 9 | 
10 | def main(event, context):
11 |     # Gather URLScan.io results for scans with a request to s3-website domains.
12 |     req_results = requests.get("https://urlscan.io/api/v1/search/?q=domain:s3-website-us-east-1.amazonaws.com&size=20")
13 |     if req_results.status_code != 200:
14 |         logging.error("Bad request.")
15 | 
16 |     client = boto3.client('sns')
17 |     sns_arn = "arn:aws:sns:us-east-1:358663747217:s3eker-upload"
18 | 
19 |     results = req_results.json()
20 |     logging.info("Running through search results.")
21 |     for result in results["results"]:
22 |         logging.info(f"Getting info from scan {result['result']}")
23 |         req_scan = requests.get(result["result"])
24 |         if req_scan.status_code != 200:
25 |             logging.error("Bad request.")
26 | 
27 |         scan = req_scan.json()
28 |         domains = scan["lists"]["domains"]
29 |         logging.debug(f"Got list of domains. {domains}")
30 |         s3_sites = [domain for domain in domains if "s3-website" in domain]
31 |         logging.info(f"Made list of s3 domains. {s3_sites}")
32 |         for site in s3_sites:
33 |             upload(client, sns_arn, site)
34 | 
35 | if __name__ == "__main__":
36 |     main(None, None)


--------------------------------------------------------------------------------
/lambda/ingest-urlscan/requirements.txt:
--------------------------------------------------------------------------------
1 | requests


--------------------------------------------------------------------------------
/lambda/pack.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | LAMBDA_BUCKET="s3eker-lambda-store"
 4 | ORIG_DIR="$PWD"
 5 | 
 6 | mkdir dist 2>/dev/null
 7 | 
 8 | for D in */
 9 | do
10 |     FUNCTION_NAME="${D%%/}" # Remove slash at end of dir name. dir/ to dir
11 |     if [ "$FUNCTION_NAME" = "dist" ] || [ "$FUNCTION_NAME" = "ingest-example" ] # Ignore some directories
12 |     then
13 |         continue
14 |     fi
15 | 
16 |     TARGET_DIR="./dist/$D" # Place to put code before zipping.
17 | 
18 |     echo
19 |     #echo -e "\e[31mPacking $D\e[0m"
20 |     echo "Packing $D"
21 |     
22 |     # Install dependencies in dist/FUNCTION_NAME/
23 |     cp -r "$D" "$TARGET_DIR"
24 | 
25 |     if [[ "$FUNCTION_NAME" == ingest-* ]];
26 |     then
27 |         cp uploader.py "$TARGET_DIR"
28 |     fi
29 | 
30 |     if [ -f "$FUNCTION_NAME/requirements.txt" ]; then
31 |         pip3 install -r "$FUNCTION_NAME/requirements.txt" --target "$TARGET_DIR"
32 |     fi
33 |     
34 |     cd "$TARGET_DIR"
35 |     
36 |     DIST_DIR=".."
37 |     ZIP_FILENAME="$FUNCTION_NAME.zip"
38 |     ZIP_FILE="$DIST_DIR/$ZIP_FILENAME"
39 |     
40 |     if zip -r "$ZIP_FILE"  *; then
41 |         echo "Successfully zipped $FUNCTION_NAME"
42 |         aws s3 cp "$ZIP_FILE" "s3://$LAMBDA_BUCKET/$FUNCTION_NAME/$ZIP_FILENAME"
43 | 
44 |         # Update Lambda function with new code.
45 |         aws lambda update-function-code --function-name "s3eker-$FUNCTION_NAME" --s3-bucket $LAMBDA_BUCKET --s3-key "$FUNCTION_NAME/$ZIP_FILENAME" > /dev/null
46 |     fi    
47 |     
48 |     cd $ORIG_DIR
49 |     rm -r $TARGET_DIR
50 | 
51 | done


--------------------------------------------------------------------------------
/lambda/scan/main.py:
--------------------------------------------------------------------------------
 1 | import logging
 2 | import requests
 3 | import boto3
 4 | import json
 5 | from botocore.exceptions import ClientError
 6 | import base64
 7 | 
 8 | logging.basicConfig()
 9 | logging.getLogger().setLevel(logging.INFO)
10 | 
11 | def main(event, context):
12 |     s3_event = event["Records"][0]["s3"]
13 |     s3_object = s3_event["object"]["key"]
14 | 
15 |     target_bucket = s3_object.split('.')[0]
16 | 
17 |     s3 = boto3.client("s3")
18 |     try:
19 |         s3.list_objects(Bucket=target_bucket)
20 |         logging.info(f"Bucket {target_bucket} is open!")
21 |         
22 |         webhook = get_secret()
23 |         response = requests.post(webhook, headers={'Content-type': 'application/json'}, data=json.dumps({"text": f"Bucket `{target_bucket}` is open!"}))
24 |         if response.status_code != 200:
25 |             logging.error(f"Slack returned status code {response.status_code}.")
26 | 
27 |     except ClientError as e:
28 |         if e.response['Error']['Code'] == "AccessDenied":
29 |             logging.info(f"Permission denied for bucket {target_bucket}")
30 |         else:
31 |             raise
32 | 
33 | def get_secret():
34 | 
35 |     secret_name = "s3ekerSlackWebhook"
36 |     region_name = "us-east-1"
37 | 
38 |     # Create a Secrets Manager client
39 |     session = boto3.session.Session()
40 |     client = session.client(
41 |         service_name='secretsmanager',
42 |         region_name=region_name
43 |     )
44 | 
45 |     # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
46 |     # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
47 |     # We rethrow the exception by default.
48 | 
49 |     try:
50 |         get_secret_value_response = client.get_secret_value(
51 |             SecretId=secret_name
52 |         )
53 |     except ClientError as e:
54 |         if e.response['Error']['Code'] == 'DecryptionFailureException':
55 |             # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
56 |             # Deal with the exception here, and/or rethrow at your discretion.
57 |             raise e
58 |         elif e.response['Error']['Code'] == 'InternalServiceErrorException':
59 |             # An error occurred on the server side.
60 |             # Deal with the exception here, and/or rethrow at your discretion.
61 |             raise e
62 |         elif e.response['Error']['Code'] == 'InvalidParameterException':
63 |             # You provided an invalid value for a parameter.
64 |             # Deal with the exception here, and/or rethrow at your discretion.
65 |             raise e
66 |         elif e.response['Error']['Code'] == 'InvalidRequestException':
67 |             # You provided a parameter value that is not valid for the current state of the resource.
68 |             # Deal with the exception here, and/or rethrow at your discretion.
69 |             raise e
70 |         elif e.response['Error']['Code'] == 'ResourceNotFoundException':
71 |             # We can't find the resource that you asked for.
72 |             # Deal with the exception here, and/or rethrow at your discretion.
73 |             raise e
74 |     else:
75 |         # Decrypts secret using the associated KMS CMK.
76 |         # Depending on whether the secret is a string or binary, one of these fields will be populated.
77 |         if 'SecretString' in get_secret_value_response:
78 |             return get_secret_value_response['SecretString']
79 |         else:
80 |             return base64.b64decode(get_secret_value_response['SecretBinary'])
81 |             
82 | 
83 | if __name__ == "__main__":
84 |     blah = {
85 |         'Records': [
86 |             {
87 |                 's3': {
88 |                     'bucket': {
89 |                         'name': 'bloopy'
90 |                     },
91 |                     'object': {
92 |                         'key': 's3eker-open.s3-website-us-east-1.amazonaws.com'
93 |                     }
94 |                 }
95 |             }
96 |         ]
97 |     }
98 |     main(blah, None)


--------------------------------------------------------------------------------
/lambda/scan/requirements.txt:
--------------------------------------------------------------------------------
1 | requests


--------------------------------------------------------------------------------
/lambda/upload/main.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import requests
 3 | import logging
 4 | import boto3
 5 | import botocore
 6 | 
 7 | logging.basicConfig()
 8 | logging.getLogger().setLevel(logging.INFO)
 9 | 
10 | 
11 | def main(event, context):
12 |     sns_event = event["Records"][0]["Sns"]
13 |     sns_message = json.loads(sns_event["Message"])
14 |     logging.info("SNS Message is " + sns_message)
15 |     bucket = sns_message["bucket"]
16 | 
17 |     s3 = boto3.client('s3')
18 |     bucket_name = "s3eker-buckets"
19 | 
20 |     logging.info("Checking if domain exists in bucket.")
21 |     # https://stackoverflow.com/questions/33842944/check-if-a-key-exists-in-a-bucket-in-s3-using-boto3
22 |     
23 |     logging.info(f"Loading object {bucket}")
24 |     response = s3.list_objects_v2(Bucket=bucket_name, Prefix=bucket)
25 |     found = False
26 |     for obj in response.get('Contents', []):
27 |         if obj['Key'] == bucket:
28 |             found = True
29 | 
30 |     if not found:
31 |         create_key(bucket_name, bucket)
32 |                 
33 | def create_key(bucket, key):
34 |     logging.info(f"Creating key {key} in bucket {bucket}.\n")
35 |     s3 = boto3.client('s3')
36 |     try:
37 |         s3.put_object(Bucket=bucket, Key=key)
38 |     except botocore.exceptions.ClientError as e:
39 |         logging.error(e)
40 |         return False
41 |     return True
42 | 
43 | 
44 | if __name__ == "__main__":
45 |     main(None, None)


--------------------------------------------------------------------------------
/lambda/uploader.py:
--------------------------------------------------------------------------------
1 | import json
2 | import boto3
3 | import logging
4 | 
5 | def upload(client, topic_arn,site):
6 |     logging.info(f"Publishing {site} to SNS topic.\n")
7 |     client.publish(TargetArn=topic_arn, Message=json.dumps({'default': json.dumps({'bucket': site}), 'sms':site, 'email':site}), Subject=f"New site to check",MessageStructure='json')
8 | 


--------------------------------------------------------------------------------
/res/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scriptingislife/s3eker/071718a3fb98048f384dbfde263de4db71c92465/res/icon.png


--------------------------------------------------------------------------------
/res/notif.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scriptingislife/s3eker/071718a3fb98048f384dbfde263de4db71c92465/res/notif.png


--------------------------------------------------------------------------------
/res/s3eker.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/scriptingislife/s3eker/071718a3fb98048f384dbfde263de4db71c92465/res/s3eker.png


--------------------------------------------------------------------------------