Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.

Overview

NOTE: Security Monkey is in maintenance mode and will be end-of-life in 2020.

Security Monkey

Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. Support is available for OpenStack public and private clouds. Security Monkey can also watch and monitor your GitHub organizations, teams, and repositories.

It provides a single UI to browse and search through all of your accounts, regions, and cloud services. The monkey remembers previous states and can show you exactly what changed, and when.

Security Monkey can be extended with custom account types, custom watchers, custom auditors, and custom alerters.

It works on CPython 2.7. It is known to work on Ubuntu Linux and OS X.
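Added example, not code from the Security Monkey project: a small self-contained model of the watcher/auditor loop the overview describes. `ItemHistory` plays the watcher (it keeps revisions and ignores polls that changed nothing), `diff_config` shows exactly what changed between two revisions, and `audit_security_group` plays an auditor that scores ingress rules open to the world. The security-group documents, the ARN, the port list and the scores are constructed for this example and are not Security Monkey's real data model or scoring.

```python
"""Added example: a toy model of Security Monkey's watcher/auditor loop.
This is not the project's code. ItemHistory stands in for a watcher (keeps
revisions, drops polls that changed nothing), diff_config shows exactly what
changed between two revisions, and audit_security_group stands in for an
auditor that scores world-open ingress rules. All sample data is constructed."""
import copy
import json
from datetime import datetime, timezone


class ItemHistory:
    """Revision store for one cloud item, identified by a (made-up) ARN."""

    def __init__(self, arn):
        self.arn = arn
        self.revisions = []  # (timestamp, config) tuples, oldest first

    @staticmethod
    def _canon(config):
        # Canonical JSON so key order never counts as a change.
        return json.dumps(config, sort_keys=True, default=str)

    def record(self, config, when=None):
        """Store a new revision; return False if config equals the latest one."""
        if self.revisions and self._canon(self.revisions[-1][1]) == self._canon(config):
            return False
        when = when or datetime.now(timezone.utc)
        self.revisions.append((when, copy.deepcopy(config)))
        return True

    def latest(self):
        return self.revisions[-1][1] if self.revisions else None


def diff_config(old, new, path=""):
    """Return [(path, old_value, new_value)] for every leaf that differs."""
    changes = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = f"{path}.{key}" if path else key
            if key not in old:
                changes.append((sub, None, new[key]))
            elif key not in new:
                changes.append((sub, old[key], None))
            else:
                changes.extend(diff_config(old[key], new[key], sub))
    elif isinstance(old, list) and isinstance(new, list):
        # Rule lists are compared as sets so that reordering is not a change.
        old_set = {json.dumps(x, sort_keys=True) for x in old}
        new_set = {json.dumps(x, sort_keys=True) for x in new}
        for removed in sorted(old_set - new_set):
            changes.append((path, json.loads(removed), None))
        for added in sorted(new_set - old_set):
            changes.append((path, None, json.loads(added)))
    elif old != new:
        changes.append((path, old, new))
    return changes


# Ports whose exposure to the whole internet is scored highest (example thresholds).
ADMIN_PORTS = {22, 3389, 3306, 5432}


def audit_security_group(config):
    """Return [(score, message)] for ingress rules open to 0.0.0.0/0 or ::/0."""
    issues = []
    for rule in config.get("rules", []):
        if rule.get("direction") != "ingress":
            continue
        cidr = rule.get("cidr_ip", "")
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue
        port = rule.get("from_port")
        if port in ADMIN_PORTS:
            score = 10
        elif port == 443:
            score = 3  # public HTTPS is usually intended; still worth recording
        else:
            score = 7
        issues.append((score, f"ingress {cidr} port {port}/{rule.get('ip_protocol')}"))
    return issues


def run_example():
    """Poll a made-up security group twice and report revisions, diff and issues."""
    sg_v1 = {"name": "web", "rules": [
        {"direction": "ingress", "ip_protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_ip": "0.0.0.0/0"}]}
    sg_v2 = copy.deepcopy(sg_v1)
    sg_v2["rules"].append(
        {"direction": "ingress", "ip_protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "0.0.0.0/0"})
    history = ItemHistory("arn:aws:ec2:us-east-1:123456789012:security-group/sg-0example")
    history.record(sg_v1, datetime(2020, 1, 1, tzinfo=timezone.utc))
    history.record(sg_v1)  # identical poll: not stored
    history.record(sg_v2, datetime(2020, 1, 2, tzinfo=timezone.utc))
    changes = diff_config(history.revisions[0][1], history.revisions[1][1])
    return len(history.revisions), changes, audit_security_group(history.latest())


if __name__ == "__main__":
    count, changes, issues = run_example()
    print(count, "revisions")
    for path, before, after in changes:
        print("changed:", path, before, "->", after)
    for score, message in issues:
        print("issue:", score, message)
```

The differ treats rule lists as sets so that a provider returning the same rules in a different order does not produce a spurious revision; the auditor runs over the latest revision only, which is also why a dangling "latest revision" pointer (see the "11 Accounts Show no data" thread below) stops auditing for the whole account.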

Special Note:

Netflix's support for Security Monkey has been reduced to minor bug fixes only. That said, we are happy to accept and merge pull requests that fix bugs and add new features as appropriate.

🚨 ⚠️ 🥁 🎺 PLEASE READ: BREAKING CHANGES FOR 1.0 🎺 🥁 ⚠️ 🚨

If you are upgrading to 1.0 for the first time, please review the Quickstart and the Autostarting documents as there is a new deployment pattern for Security Monkey. Also, new IAM permissions have been added.

Project resources

Instance Diagram

The components that make up Security Monkey are as follows (not AWS specific):

Access Diagram

Security Monkey accesses accounts to scan via credentials it is provided ("Role Assumption" where available).
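Added example, not the project's own auditor: because Security Monkey reaches each account by assuming a role there, the trust policy on that role is the control that decides who else may assume it. The check below, in the spirit of the IAM Role Auditor's "unknown cross account assumerole" check listed in the v0.8.0 release notes further down this page, flags wildcard principals, principals from accounts outside a known set, and cross-account statements that do not require sts:ExternalId. The account IDs, role name, external ID and policy documents are constructed samples; the ARN pattern also accepts non-standard partitions such as aws-us-gov, which goes beyond what the README itself says.

```python
"""Added example, not Security Monkey's own auditor: audit the trust policy of
a role that a scanner assumes cross-account. Flags wildcard principals,
principals from accounts outside a known set, and cross-account statements
without an sts:ExternalId condition. Account IDs and policies are made up."""
import re

# Matches the account ID in IAM/STS principal ARNs; the optional partition
# suffix also accepts e.g. arn:aws-us-gov:... (beyond what the README shows).
ARN_ACCOUNT = re.compile(r"^arn:aws(?:-[a-z]+)*:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Yield (account_id | '*' | 'unknown', raw_principal) for AWS principals.
    Service/Federated principals are not AssumeRole peers and are skipped."""
    if principal == "*":
        yield "*", "*"
        return
    if not isinstance(principal, dict):
        return
    for raw in _as_list(principal.get("AWS", [])):
        if raw == "*":
            yield "*", raw
        elif re.fullmatch(r"\d{12}", raw):  # bare account ID == that account's root
            yield raw, raw
        else:
            match = ARN_ACCOUNT.match(raw)
            yield (match.group(1) if match else "unknown"), raw


def _requires_external_id(statement):
    """True if the statement pins sts:ExternalId in a string condition."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator in ("StringEquals", "StringLike") and any(
                key.lower() == "sts:externalid" for key in keys):
            return True
    return False


def audit_trust_policy(policy, own_account, friendly_accounts):
    """Return [(score, message)] issues for one role's trust policy."""
    issues = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        for account, raw in principal_accounts(statement.get("Principal", {})):
            if account == "*":
                issues.append((10, f"wildcard principal {raw} may assume this role"))
            elif account == own_account:
                continue  # same-account trust is governed by IAM policies, not this check
            elif account in friendly_accounts:
                if not _requires_external_id(statement):
                    issues.append((3, f"friendly account {account} ({raw}) assumes without sts:ExternalId"))
            elif account == "unknown":
                issues.append((7, f"could not parse principal {raw}"))
            else:
                issues.append((10, f"unknown cross-account principal {raw}"))
    return issues


def run_example():
    """Audit one well-formed and one sloppy trust policy (constructed samples)."""
    own = "123456789012"                 # account being scanned
    friendly = {"111122223333"}          # account the scanner runs in
    good = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/SecurityMonkeyInstanceProfile"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
    bad = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "111122223333"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::999999999999:root", "*"]},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
    return audit_trust_policy(good, own, friendly), audit_trust_policy(bad, own, friendly)


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), run_example()):
        print(label, result)
```

The scoring mirrors the shape of the page's own auditors (a numeric score plus a message per finding); the thresholds are illustrative. A friendly principal without an ExternalId is scored low because it is still a known account, while any wildcard or unknown account is scored at the top.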

Comments
  • Cannot reach web service

    Hello,

    I followed the instructions but I cannot reach the web service. I checked the security group and set it to public, but it still says "this page is not available". Could anyone let me know what could be the reason?

    Here is the part of the process list that is relevant to Security Monkey on the box:

    postgres 13821     1  0 00:23 ?        00:00:05 /usr/lib/postgresql/9.3/bin/postgres -D /var/lib/postgresql/9.3/main -c config_file=/etc/postgresql/9.3/main/postgresql.conf
    postgres 13823 13821  0 00:23 ?        00:00:00 postgres: checkpointer process
    postgres 13824 13821  0 00:23 ?        00:00:00 postgres: writer process
    postgres 13825 13821  0 00:23 ?        00:00:00 postgres: wal writer process
    postgres 13826 13821  0 00:23 ?        00:00:02 postgres: autovacuum launcher process
    postgres 13827 13821  0 00:23 ?        00:00:00 postgres: stats collector process
    root     14575     2  0 00:27 ?        00:00:00 [kworker/u30:2]
    root     14947     2  0 00:47 ?        00:00:00 [kworker/u30:1]
    root     15190     1  0 01:48 ?        00:00:00 /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
    www-data 15192 15190  0 01:48 ?        00:00:01 python /usr/local/src/security_monkey/manage.py run_api_server
    www-data 15203 15192  0 01:48 ?        00:00:00 python /usr/local/src/security_monkey/manage.py run_api_server
    www-data 15205 15192  0 01:48 ?        00:00:00 python /usr/local/src/security_monkey/manage.py run_api_server
    www-data 15206 15192  0 01:48 ?        00:00:00 python /usr/local/src/security_monkey/manage.py run_api_server
    www-data 15208 15192  0 01:48 ?        00:00:00 python /usr/local/src/security_monkey/manage.py run_api_server
    www-data 15209 15192  0 01:48 ?        00:00:00 python /usr/local/src/security_monkey/manage.py run_api_server
    www-data 15212 15192  0 01:48 ?        00:00:00 python /usr/local/src/security_monkey/manage.py run_api_server
    root     15322     1  0 02:00 ?        00:00:00 nginx: master process /usr/sbin/nginx
    www-data 15325 15322  0 02:00 ?        00:00:00 nginx: worker process
    www-data 15326 15322  0 02:00 ?        00:00:00 nginx: worker process
    www-data 15327 15322  0 02:00 ?        00:00:00 nginx: worker process
    www-data 15328 15322  0 02:00 ?        00:00:00 nginx: worker process
    root     15424  1075  0 02:33 ?        00:00:00 sshd: ubuntu [priv]
    
    

    Thanks and look forward to hearing from you,

    question 
    opened by westlifezs 65
  • 11 Accounts Show no data.

    11 Accounts Show no data.

    Hi All, Hoping someone could help me identify an issue with getting data from 11 accounts. Here's where I'm at:

    1. I just upgraded to the latest Security Monkey build, which replaced APScheduler with Celery (#911), to see if that would resolve this. Simply built a new instance with the same DB.
    2. I have a total of 36 AWS accounts configured - 25 are pulling data in without an issue 11 show no data for some reason.
    3. Running Security Monkey on Centos with an RDS PostgreSQL Database
    4. After upgrading I did not see any logs in /var/log/security_monkey/securitymonkey.log however I did find the two Database errors there after running find_changes manually. The KeyError did not show up there.
    5. Here is the status of supervisor:
       securitymonkeyscheduler RUNNING pid 28938, uptime 1:46:14
       securitymonkeyui RUNNING pid 10923, uptime 19:11:23
       securitymonkeyworkers RUNNING pid 29280, uptime 0:07:18
    6. I've scripted (terraform) the creation of the Security Monkey Role and Policy so the 11 accounts are all identical to the working 25.
    7. The fetch_aws_canonical_ids worked and shows the number for all accounts.
    8. I'm thinking the KeyError stops processing and is causing the missing data but that is just speculation.

    Any ideas would be very much appreciated. Thanks, Fred

    (venv)[root@aeinfsmkpl01 security_monkey]# monkey find_changes
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): sts.amazonaws.com
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.ap-northeast-1.amazonaws.com
    ...
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.sa-east-1.amazonaws.com
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-east-1.amazonaws.com
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Resetting dropped connection: ec2.us-east-1.amazonaws.com
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Resetting dropped connection: ec2.us-east-1.amazonaws.com
    ...
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Resetting dropped connection: ec2.us-east-1.amazonaws.com
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-east-2.amazonaws.com
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-west-1.amazonaws.com
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-west-2.amazonaws.com
    
    2018-01-26 14:21:13,031 ERROR: [X] Database error processing accounts _<ACCOUNT NAME>_, cleaning up session. [in /usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py:242]
    Traceback (most recent call last):
      File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 232, in _audit_changes
        au.audit_objects()
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 661, in audit_objects
        self.prep_for_audit()
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 654, in prep_for_audit
        self._load_object_store()
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 278, in _load_object_store
        cls._load_userids()
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 405, in _load_userids
        add(cls.OBJECT_STORE['userid'], item.latest_config.get('RoleId'), item.account.identifier)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/ext/hybrid.py", line 740, in __get__
        return self.fget(instance)
      File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 317, in latest_config
        ).filter(ItemRevision.id==self.latest_revision_id).one().config
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/query.py", line 2354, in one
        raise orm_exc.NoResultFound("No row was found for one()")
    NoResultFound: No row was found for one()
    
    ERROR:security_monkey:[X] Database error processing accounts _<ACCOUNT NAME>_, cleaning up session.
    Traceback (most recent call last):
      File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 232, in _audit_changes
        au.audit_objects()
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 661, in audit_objects
        self.prep_for_audit()
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 654, in prep_for_audit
        self._load_object_store()
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 278, in _load_object_store
        cls._load_userids()
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 405, in _load_userids
        add(cls.OBJECT_STORE['userid'], item.latest_config.get('RoleId'), item.account.identifier)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/ext/hybrid.py", line 740, in __get__
        return self.fget(instance)
      File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 317, in latest_config
        ).filter(ItemRevision.id==self.latest_revision_id).one().config
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/query.py", line 2354, in one
        raise orm_exc.NoResultFound("No row was found for one()")
    NoResultFound: No row was found for one()
    
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): sts.amazonaws.com
    ...
    INFO:botocore.vendored.requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): ec2.us-west-2.amazonaws.com
    
    Traceback (most recent call last):
      File "/usr/local/src/security_monkey/venv/bin/monkey", line 11, in <module>
        load_entry_point('security-monkey', 'console_scripts', 'monkey')()
      File "/usr/local/src/security_monkey/security_monkey/manage.py", line 728, in main
        manager.run()
      File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/__init__.py", line 397, in run
        result = self.handle(sys.argv[0], sys.argv[1:])
      File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/__init__.py", line 376, in handle
        return handle(app, *positional_args, **kwargs)
      File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/commands.py", line 145, in handle
        return self.run(*args, **kwargs)
      File "/usr/local/src/security_monkey/security_monkey/manage.py", line 88, in find_changes
        manual_run_change_finder(account_names, monitor_names)
      File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 126, in manual_run_change_finder
        find_changes(account, tech)
      File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 156, in find_changes
        audit_changes([account_name], [monitor_name], False, debug)
      File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 180, in audit_changes
        _audit_changes(account, monitor.auditors, send_report, debug)
      File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 232, in _audit_changes
        au.audit_objects()
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 674, in audit_objects
        method(item)
      File "/usr/local/src/security_monkey/security_monkey/auditors/security_group.py", line 129, in check_friendly_cross_account_ingress
        self._check_cross_account(item, 'FRIENDLY', self.record_friendly_access, severity=0)
      File "/usr/local/src/security_monkey/security_monkey/auditors/security_group.py", line 117, in _check_cross_account
        if key in self.inspect_entity(entity, item):
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 476, in inspect_entity
        result_set = set([self.inspect_entity_account(entity, account_identifier, same)])
      File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 506, in inspect_entity_account
        for account in self.OBJECT_STORE['ACCOUNTS']['DESCRIPTIONS']:
    KeyError: 'DESCRIPTIONS'
    
    opened by fstuck37 49
  • Release v0.8.0

    Release v0.8.0

    v0.8.0 (2016-12-02-delayed->2017-01-13)

    • PR #425 - @crruthe - Fixed a few report hyperlinks.
    • PR #428 - @nagwww - Documentation fix. Renamed module: security_monkey.auditors.elb to module: security_monkey.auditors.elasticsearch_service
    • PR #424 - @mikegrima - OS X Install doc updates for El Capitan and higher.
    • PR #426 - @mikegrima - Added "route53domains:getdomaindetail" to permissions doc.
    • PR #427 - @mikegrima - Fix for ARN parsing of cloudfront ARNs.
    • PR #431 - @mikegrima - Removed s3 ARN check for ElasticSearch Service.
    • PR #448 - @zollman - Fix exception logging in store_exception.
    • PR #444 - @zollman - Adds exception logging listener for appscheduler.
    • PR #454 - @mikegrima - Updated S3 Permissions to reflect latest changes to cloudaux.
    • PR #455 - @zollman - Add Dashboard.
    • PR #456 - @zollman - Increase issue note size.
    • PR #420 - @crruthe - Added support for SSO OneLogin.
    • PR #432 - @robertoriv - Add pagination for whitelist and ignore list.
    • PR #438 - @AngeloCiffa - Pin moto==0.4.25. (TODO: Bump Jinja2 version.)
    • PR #433 - @jnbnyc - Added Docker/Docker Compose support for local dev.
    • PR #408 - @zollman - Add support for custom account metadata. (An important step that will allow us to support multiple cloud providers in the future.)
    • PR #439 - @monkeysecurity - Replace botor lib with Netflix CloudAux.
    • PR #441 - @monkeysecurity - Auditor ChangeItems now receive ARN.
    • PR #446 - @zollman - Fix item 'first_seen' query.
    • PR #447 - @zollman - Refactor rdsdbcluster array params.
    • PR #445 - @zollman - Make misfire grace time and reporter start time configurable.
    • PR #451 - @monkeysecurity - Add coverage with Coveralls.io.
    • PR #452 - @monkeysecurity - Refactor & add tests for the PolicyDiff module.
    • PR #449 - @monkeysecurity - Refactoring s3 watcher to use Netflix CloudAux.
    • PR #453 - @monkeysecurity - Fixing two policy diff cases.
    • PR #442 - @monkeysecurity - Adding index to region. Dropping unused item.cloud.
    • PR #450 - @monkeysecurity - Moved test & onelogin requirements to the setup.py extras_require section.
    • PR #407 - @zollman - Link together issues by enabling auditor dependencies.
    • PR #419 - @monkeysecurity - Auditor will now fix any issues that are not attached to an AuditorSetting.
    • PR NONE - @monkeysecurity - Item View no longer returns revision configuration bodies. Should improve UI for items with many revisions.
    • PR NONE - @monkeysecurity - Fixing bug where SSO arguments weren't passed along for branded sso. (Where the name is not google or ping or onelogin)
    • PR #476 - @markofu - Update aws_accounts.json to add Canada and Ohio regions.
    • PR NONE - @monkeysecurity - Fixing manage.py::amazon_accounts() to use new AccountType and adding delete_unjustified_issues().
    • PR #480 - @monkeysecurity - Making Gunicorn an optional import to help support dev on Windows.
    • PR #481 - @monkeysecurity - Fixing a couple dart warnings.
    • PR #482 - @monkeysecurity - Replacing Flask-Security with Flask-Security-Fork.
    • PR #483 - @monkeysecurity - issue #477 - Fixes IAM User Auditor login_profile check.
    • PR #484 - @monkeysecurity - Bumping Jinja2 to >=2.8.1
    • PR #485 - @robertoriv - New IAM Role Auditor feature - Check for unknown cross account assumerole.
    • PR #487 - @hyperbolist - issue #486 - Upgrade setuptools in Dockerfile.
    • PR #489 - @monkeysecurity - issue #251 - Fix IAM SSL Auditor regression. Issue should be raised if we cannot obtain cert issuer.
    • PR #490 - @monkeysecurity - issue #421 - Adding ephemeral field to RDS DB issue.
    • PR #491 - @monkeysecurity - Adding new RDS DB Cluster ephemeral field.
    • PR #492 - @monkeysecurity - issue #466 - Updating S3 Auditor to use the ARN class.
    • PR NONE - @monkeysecurity - Fixing typo in dart files.
    • PR #495 - @monkeysecurity - issue #494 - Refactoring to work with the new Flask-WTF.
    • PR #493 - @monkeysecurity - Windows 10 Development instructions.
    • PR NONE - @monkeysecurity - issue #496 - Bumping CloudAux to >=1.0.7 to fix IAM User UploadDate field JSON serialization error.

    Important Notes:

    • New permissions required:
      • s3:getaccelerateconfiguration
      • s3:getbucketcors
      • s3:getbucketnotification
      • s3:getbucketwebsite
      • s3:getreplicationconfiguration
      • s3:getanalyticsconfiguration
      • s3:getmetricsconfiguration
      • s3:getinventoryconfiguration
      • route53domains:getdomaindetail
      • cloudtrail:gettrailstatus

    Contributors:

    • @zollman
    • @robertoriv
    • @hyperbolist
    • @markofu
    • @AngeloCiffa
    • @jnbnyc
    • @crruthe
    • @nagwww
    • @mikegrima
    • @monkeysecurity
    opened by scriptsrc 43
  • Not able to create account

    Not able to create account

    Hello,

    I have followed Quick Start Guide and facing below issues -

    1. When I first open the URL/page, as per the doc, I should see the 'Login' page; instead I see all the options available after login, and the user is Anonymous.
    2. When I try to add an account, it does nothing. The Nginx log says " [error] 17478#0: *99 connect() failed (111: Connection refused) while connecting to upstream, client: x.x.x.x, server: , request: "POST /api/1/account HTTP/1.1", upstream: "http://127.0.0.1:5000/api/1/account", host: "ec2-x-x-x-x.us-west-2.compute.amazonaws.com", referrer: "https://ec2-x-x-x-x.us-west-2.compute.amazonaws.com/"
    3. I also noticed that nothing is listening on port 5000.

    Please guide me to right direction.

    opened by skdubey 36
  • Memory requirements and Server Out of memory exception - help

    Memory requirements and Server Out of memory exception - help

    Please make sure that you have checked the boxes:

    • [x] Review the Quickstart guide
    • [x] Search for both open and closed issues regarding the problem you are experiencing
    • [x] For permissions issues (Access Denied and credential related errors), please refer to the requisite docs before submitting an issue: AWS, GCP, OpenStack, GitHub

    Description of issue:

    There is a memory leak in the monkey process; it keeps leaking until our Security Monkey server stops responding. Here is what atop looks like (screenshot not reproduced here).

    Server has 2vcpu and 8 GB of RAM. Is that sufficient for security monkey operations? Could someone please guide / help.

    performance 
    opened by pklanka 19
  • Login page fails to load CSS and images

    Login page fails to load CSS and images

    Working on OS X, doing initial setup.

    The page loads from http://127.0.0.1:5000/login but the CSS and images don't load. The Dart console shows:

    Failed to load resource: the server responded with a status of 404 (NOT FOUND)
      http://127.0.0.1:5000/static/css/bootstrap.min.css
    Failed to load resource: the server responded with a status of 404 (NOT FOUND)
      http://127.0.0.1:5000/static/css/main.css
    Failed to load resource: the server responded with a status of 404 (NOT FOUND)
      http://127.0.0.1:5000/static/css/signin.css
    Failed to load resource: the server responded with a status of 404 (NOT FOUND)
      http://127.0.0.1:5000/static/js/bootstrap.min.js
    Failed to load resource: the server responded with a status of 404 (NOT FOUND)
      http://127.0.0.1:5000/static/images/securitymonkeyHead.png
    
    opened by ivanlei 19
  • Monkey command does not run

    Monkey command does not run

    I set up Security Monkey on AWS. I went through the full quickstart guide. But when I try to run the command "monkey db upgrade", there is no command called monkey.

    Has anyone seen this problem before?

    question 
    opened by devonartis 18
  • Not able to launch the application

    Not able to launch the application

    Hi Team,

    I have set up Security Monkey on Ubuntu and done all the configuration as per the link below. I am not able to launch the application. Please help me resolve this. Thank you.

    Link: http://securitymonkey.readthedocs.io/en/latest/quickstart.html

    Regards, Santosh

    bug ready 
    opened by santoshpatha12 18
  • SecurityMonkey for GovCloud region

    Hi,

    I am trying to set up Security Monkey for the GovCloud region, but found that none of the regions are listed in the Dashboard. Is there any change required to make it work on GovCloud?

    wontfix 
    opened by skdubey 18
  • Odd Openstack Access Behavior

    Odd Openstack Access Behavior

    Hey folks,

    I'm working on getting Security Monkey working with OpenStack and I'm trying to tune the permissions with the team that supports our OpenStack environment. They would like to use an existing read-only role, rather than create a new one, and it looks like the permissions are equivalent to those specified in the iam_openstack.md doc. This existing read-only role enables visibility of all of the assets via the CLI and Horizon. However, Security Monkey is only getting a subset of the security groups. The main question that I have is why there might be a discrepancy between what's visible in the CLI/Horizon versus Security Monkey?

    Thanks for the help!

    opened by badllama 17
  • Notification Settings panel not working

    Notification Settings panel not working

    Please make sure that you have checked the boxes:

    • [x] Review the Quickstart guide
    • [x] Search for both open and closed issues regarding the problem you are experiencing
    • [x] For permissions issues (Access Denied and credential related errors), please refer to the requisite docs before submitting an issue: AWS, GCP, OpenStack, GitHub

    Description of issue:

    Notification Settings panel is not allowing me to enable notifications on my account.

    I select the Notify box on my account, set the Change Emails dropdown to With Issues, and click Save.

    After clicking Save, I get an error (screenshot not reproduced here).

    bug help wanted 
    opened by johnjeffers 17
  • How to Generate a change item email

    How to Generate a change item email

    Description of issue:

    Hi,

    I'm wanting to test out sending jinja_change_item.html emails. I'm currently able to receive "Changes w/justified issues in repository" emails so I know the SMTP server is correctly set up. Here's my question:

    How can I successfully send a jinja_change_item.html email during a "change item" event?

    Thanks for the help.

    opened by mrthankyou 11
  • frequent null value in column "item_id" violates not-null constraint exception

    I am frequently seeing these exceptions for securitygroup, elb, and alb. I have run monkey db upgrade but am still getting the exceptions below. Anyway, my setup is just 2-3 weeks old so it should not be required.

    Traceback (most recent call last):
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/base.py", line 1246, in _execute_context
        cursor, statement, parameters, context
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/default.py", line 588, in do_execute
        cursor.execute(statement, parameters)
    psycopg2.errors.NotNullViolation: null value in column "item_id" violates not-null constraint
    DETAIL:  Failing row contains (138221, 10, Unknown Access, null, f, null, null, 2020-08-17 11:07:28.174966, null, null, null, null, null, null, null, f).
    
    The above exception was the direct cause of the following exception:
    
    Traceback (most recent call last):
      File "/usr/local/lib/python3.6/dist-packages/security_monkey/task_scheduler/tasks.py", line 343, in _audit_changes
        au.audit_objects()
      File "/usr/local/lib/python3.6/dist-packages/security_monkey/auditor.py", line 683, in audit_objects
        method(item)
      File "/usr/local/lib/python3.6/dist-packages/security_monkey/auditors/elb.py", line 184, in check_internet_scheme
        sub_issue_message=issue.issue, score=issue.score)
      File "/usr/local/lib/python3.6/dist-packages/security_monkey/auditor.py", line 1005, in link_to_support_item_issues
        issue = self.add_issue(link_score, issue_message, item)
      File "/usr/local/lib/python3.6/dist-packages/security_monkey/auditor.py", line 631, in add_issue
        self.override_scores = query.all()
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/query.py", line 3233, in all
        return list(self)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/query.py", line 3388, in __iter__
        self.session._autoflush()
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/session.py", line 1597, in _autoflush
        util.raise_from_cause(e)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/util/compat.py", line 398, in raise_from_cause
        reraise(type(exception), exception, tb=exc_tb, cause=cause)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/util/compat.py", line 153, in reraise
        raise value
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/session.py", line 1586, in _autoflush
        self.flush()
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/session.py", line 2479, in flush
        self._flush(objects)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/session.py", line 2617, in _flush
        transaction.rollback(_capture_exception=True)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/util/langhelpers.py", line 68, in __exit__
        compat.reraise(exc_type, exc_value, exc_tb)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/util/compat.py", line 153, in reraise
        raise value
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/session.py", line 2577, in _flush
        flush_context.execute()
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/unitofwork.py", line 422, in execute
        rec.execute(self)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/unitofwork.py", line 589, in execute
        uow,
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/persistence.py", line 245, in save_obj
        insert,
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/orm/persistence.py", line 1137, in _emit_insert_statements
        statement, params
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/base.py", line 982, in execute
        return meth(self, multiparams, params)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/sql/elements.py", line 293, in _execute_on_connection
        return connection._execute_clauseelement(self, multiparams, params)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/base.py", line 1101, in _execute_clauseelement
        distilled_params,
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/base.py", line 1250, in _execute_context
        e, statement, parameters, cursor, context
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/base.py", line 1476, in _handle_dbapi_exception
        util.raise_from_cause(sqlalchemy_exception, exc_info)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/util/compat.py", line 398, in raise_from_cause
        reraise(type(exception), exception, tb=exc_tb, cause=cause)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/util/compat.py", line 152, in reraise
        raise value.with_traceback(tb)
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/base.py", line 1246, in _execute_context
        cursor, statement, parameters, context
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/default.py", line 588, in do_execute
        cursor.execute(statement, parameters)
    sqlalchemy.exc.IntegrityError: (raised as a result of Query-invoked autoflush; consider using a session.no_autoflush block if this flush is occurring prematurely)
    (psycopg2.errors.NotNullViolation) null value in column "item_id" violates not-null constraint
    DETAIL:  Failing row contains (138221, 10, Unknown Access, null, f, null, null, 2020-08-17 11:07:28.174966, null, null, null, null, null, null, null, f).
    
    [SQL: INSERT INTO itemaudit (score, issue, notes, action_instructions, background_info, origin, origin_summary, class_uuid, fixed, justified, justified_user_id, justification, justified_date, item_id, auditor_setting_id) VALUES (%(score)s, %(issue)s, %(notes)s, %(action_instructions)s, %(background_info)s, %(origin)s, %(origin_summary)s, %(class_uuid)s, %(fixed)s, %(justified)s, %(justified_user_id)s, %(justification)s, %(justified_date)s, %(item_id)s, %(auditor_setting_id)s) RETURNING itemaudit.id]
    [parameters: {'score': 10, 'issue': 'Unknown Access', 'notes': None, 'action_instructions': None, 'background_info': None, 'origin': None, 'origin_summary': None, 'class_uuid': None, 'fixed': False, 'justified': False, 'justified_user_id': None, 'justification': None, 'justified_date': datetime.datetime(2020, 8, 17, 11, 7, 28, 174966), 'item_id': None, 'auditor_setting_id': None}]
    (Background on this error at: http://sqlalche.me/e/gkpj)
    ERROR:security_monkey:[X] Database error processing accounts Dev Account, cleaning up session.
    Traceback (most recent call last):
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/base.py", line 1246, in _execute_context
        cursor, statement, parameters, context
      File "/usr/local/lib/python3.6/dist-packages/sqlalchemy/engine/default.py", line 588, in do_execute
        cursor.execute(statement, parameters)
    psycopg2.errors.NotNullViolation: null value in column "item_id" violates not-null constraint
    DETAIL:  Failing row contains (138221, 10, Unknown Access, null, f, null, null, 2020-08-17 11:07:28.174966, null, null, null, null, null, null, null, f).
    
    
    opened by Deepak1100 4
  • Hardcoded reference to Riot Games

    Hardcoded reference to Riot Games

    https://github.com/Netflix/security_monkey/blob/4d198ad29b2f7a828ce130d222c6e76e71b9ce11/scripts/secmonkey_auto_install.sh#L606

    Seeing as this is a Netflix product, the only hardcoding I would expect would be for Netflix.

    Either way, this should probably be configurable.

    opened by blazingkin 4
  • not getting description of Unknown issue

    not getting description of Unknown issue

    Hi,

    we have installed the Security Monkey version 1.1.1 on an EC2-instance. we are able to get reports. but for issue category, we are getting "Unknown Access" for multiple services, like RDS-Snapshots, SecurityGroups. attached is the screenshot.

    image

    Second, Security Monkey is not able to scan the S3 buckets, or we can say we are not able to find any report regarding S3.

    Looking forward to getting support on this.

    opened by chitender 2
  • Unable to store ACM certificate that contains UpdatedAt field

    Unable to store ACM certificate that contains UpdatedAt field

    Description of issue:

    find_changes script is not able to process ACM certificates that contain the "UpdatedAt" key under "RenewalSummary".

    This occurs since the key contains a datetime.datetime() object that is not properly parsed by the watchers/acm.py slurp() method.

    For each certificate the method converts the datetime object into an ISO-formatted string for several keys, but the "UpdatedAt" conversion is not present.

    Error message:

    2019-06-19 17:04:08,537 ERROR: [X] Database error processing cleaning up session. [in /usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py:205]
    Traceback (most recent call last):
      File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 199, in manual_run_change_finder
        find_changes(account, tech)
      File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 240, in find_changes
        cw.save()
      File "/usr/local/src/security_monkey/security_monkey/watcher.py", line 502, in save
        item.save(self.datastore)
      File "/usr/local/src/security_monkey/security_monkey/watcher.py", line 655, in save
        source_watcher=self.watcher)
      File "/usr/local/src/security_monkey/security_monkey/datastore.py", line 666, in store
        db.session.commit()
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/scoping.py", line 162, in do
        return getattr(self.registry(), name)(*args, **kwargs)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 1026, in commit
        self.transaction.commit()
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 493, in commit
        self._prepare_impl()
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 472, in _prepare_impl
        self.session.flush()
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 2451, in flush
        self._flush(objects)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 2589, in _flush
        transaction.rollback(_capture_exception=True)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/util/langhelpers.py", line 68, in __exit__
        compat.reraise(exc_type, exc_value, exc_tb)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/session.py", line 2549, in _flush
        flush_context.execute()
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/unitofwork.py", line 422, in execute
        rec.execute(self)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/unitofwork.py", line 589, in execute
        uow,
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/persistence.py", line 245, in save_obj
        insert,
      File "build/bdist.linux-x86_64/egg/sqlalchemy/orm/persistence.py", line 1120, in _emit_insert_statements
        statement, params
      File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 988, in execute
        return meth(self, multiparams, params)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/sql/elements.py", line 287, in _execute_on_connection
        return connection._execute_clauseelement(self, multiparams, params)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 1107, in _execute_clauseelement
        distilled_params,
      File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 1182, in _execute_context
        e, util.text_type(statement), parameters, None, None
      File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 1466, in _handle_dbapi_exception
        util.raise_from_cause(sqlalchemy_exception, exc_info)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/util/compat.py", line 383, in raise_from_cause
        reraise(type(exception), exception, tb=exc_tb, cause=cause)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/base.py", line 1179, in _execute_context
        context = constructor(dialect, self, conn, *args)
      File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/default.py", line 735, in _init_compiled
        for key in compiled_params
      File "build/bdist.linux-x86_64/egg/sqlalchemy/engine/default.py", line 735, in <genexpr>
        for key in compiled_params
      File "build/bdist.linux-x86_64/egg/sqlalchemy/sql/sqltypes.py", line 2241, in process
        serialized = json_serializer(value)
      File "/usr/lib/python2.7/json/__init__.py", line 244, in dumps
        return _default_encoder.encode(obj)
      File "/usr/lib/python2.7/json/encoder.py", line 207, in encode
        chunks = self.iterencode(o, _one_shot=True)
      File "/usr/lib/python2.7/json/encoder.py", line 270, in iterencode
        return _iterencode(o, 0)
      File "/usr/lib/python2.7/json/encoder.py", line 184, in default
        raise TypeError(repr(o) + " is not JSON serializable")
    StatementError: (exceptions.TypeError) datetime.datetime(2019, 6, 5, 12, 37, 23, tzinfo=tzlocal()) is not JSON serializable
    
    opened by pdallegrave 1
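The serialization failure described in this issue, as an added example that is not part of the original report or of Security Monkey's code: a per-key conversion that misses the nested RenewalSummary.UpdatedAt (mirroring the bug), a recursive normalizer that handles any nesting, and a helper that reports where datetimes remain. The certificate dict is constructed, and it uses UTC instead of the dateutil tzlocal() shown in the traceback.

```python
"""Added example (not Security Monkey's own code): why a boto3-style ACM
certificate dict fails json.dumps, and a recursive normalizer that converts
every datetime it finds, including the nested RenewalSummary.UpdatedAt the
issue describes. Sample data is constructed to mirror the DescribeCertificate
response shape; the ARN is a placeholder."""
import json
from datetime import datetime, timezone

# Constructed sample: top-level timestamps plus a nested RenewalSummary with
# its own UpdatedAt timestamp (the key the issue says is not converted).
SAMPLE_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER",
    "DomainName": "example.com",
    "CreatedAt": datetime(2019, 6, 5, 12, 37, 23, tzinfo=timezone.utc),
    "IssuedAt": datetime(2019, 6, 5, 12, 40, 0, tzinfo=timezone.utc),
    "RenewalSummary": {
        "RenewalStatus": "SUCCESS",
        "UpdatedAt": datetime(2019, 6, 5, 12, 37, 23, tzinfo=timezone.utc),
    },
}

# Assumed list of top-level keys a per-key conversion knows about. Anything
# nested (RenewalSummary.UpdatedAt) is never visited, which is the bug.
KNOWN_TOP_LEVEL_DATETIME_KEYS = (
    "CreatedAt", "IssuedAt", "ImportedAt", "NotBefore", "NotAfter",
)


def convert_known_keys(cert):
    """Per-key conversion in the style the issue describes: only the listed
    top-level keys are converted; nested datetimes are left untouched."""
    out = dict(cert)  # shallow copy; nested dicts are shared, not modified
    for key in KNOWN_TOP_LEVEL_DATETIME_KEYS:
        if isinstance(out.get(key), datetime):
            out[key] = out[key].isoformat()
    return out


def normalize_datetimes(value):
    """Walk dicts and lists recursively and replace every datetime with an
    ISO-8601 string, so json.dumps never encounters a datetime object."""
    if isinstance(value, datetime):
        return value.isoformat()
    if isinstance(value, dict):
        return {k: normalize_datetimes(v) for k, v in value.items()}
    if isinstance(value, list):
        return [normalize_datetimes(v) for v in value]
    return value


def datetime_paths(value, path="$"):
    """Return JSON-ish paths of every datetime still present in a structure;
    useful for locating the key a per-key conversion missed."""
    if isinstance(value, datetime):
        return [path]
    paths = []
    if isinstance(value, dict):
        for k, v in value.items():
            paths.extend(datetime_paths(v, f"{path}.{k}"))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            paths.extend(datetime_paths(v, f"{path}[{i}]"))
    return paths


def can_serialize(obj):
    """True if json.dumps succeeds, False if it raises the TypeError from
    the traceback ("... is not JSON serializable")."""
    try:
        json.dumps(obj)
        return True
    except TypeError:
        return False


if __name__ == "__main__":
    partial = convert_known_keys(SAMPLE_CERT)
    print("per-key conversion serializable:", can_serialize(partial))
    print("datetimes left behind:", datetime_paths(partial))
    print("recursive conversion serializable:",
          can_serialize(normalize_datetimes(SAMPLE_CERT)))
```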
Releases(1.1.3)
  • 1.1.3(May 24, 2018)

  • 1.1.2(May 21, 2018)

    v.1.1.2

    Bug-fix roll-up from v.1.1.1.

    This release introduces a significant number of database stability improvements.

    Other features:

    • Log CloudWatch Metrics on the status of the watchers.
    • Multiple search terms with a comma (,) as a delimiter

    *Please see the release notes from v.1.1.0.

    Special thanks to the following contributors:

    • @mikegrima
    • @mcpeak
    • @zpritcha
    • @mstair
    • @anners
    • @ollytheninja
    • @tabletcorry
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.10 MB)
  • 1.1.1(Apr 30, 2018)

  • v1.1.0(Apr 20, 2018)

    v 1.1.0

    Many fixes in this release and some new features as well.

    BREAKING CHANGES FROM 1.0

    The celeryconfig.py file has been moved to security_monkey/celeryconfig.py. Please don't forget to do this or the Celery scheduler and workers will break.

    Important:

    • Database upgrade is required
    • New permissions are also now required for AWS (Please review the AWS IAM docs for details):
      • ec2:describevpcattribute
      • ec2:describevpcclassiclink
      • ec2:describevpcclassiclinkdnssupport
      • ec2:describeflowlogs
    • celeryconfig.py file now lives in security_monkey/celeryconfig.py

    New Features

    • Lots and lots of bug fixes that affect the database
    • Better VPC watcher
    • Dedicated watcher support (See this)
    • Fewer Flask deprecation warnings
    • Zero-interval watcher support
    • Docker improvements
    • Documentation improvements

    Special thanks to the following contributors:

    • @mikegrima
    • @mstair
    • @mcpeak
    • @jcmcken
    • @senorcinco
    • @markofu
    • @naggappan
    • @cclauss
    • @ArtemSokoliuk
    • @sbasgall
    • @EmptyLaughter
    • @MKgridSec
    • @nickthetait
    • @fahrishb

    Python 3 Support?

    Not yet... but getting there! Special thanks to @cclauss for assistance here. There is still a lot of work to do to update unit tests and libraries to support Python 3.

    We hope to be able to get a working version in Python 3 in the coming months.

    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.13 MB)
  • v1.0.0(Feb 19, 2018)

    v1.0.0

    Major Milestone release.

    There are many, many changes that have been made. Below are some of the most important items to keep note of.

    BREAKING CHANGES -- ALL NEW DEPLOYMENT MODEL

    Please review the Upgrading and Autostarting docs for details.

    New features:

    We swapped out APScheduler in favor of Celery. This allows us to actually scale Security Monkey with multiple UI instances, and many, many workers so you can get data into Security Monkey much faster! Lots, and lots of bug fixes and documentation updates.

    Additionally:

    • OpenStack watching and auditing support
    • GitHub Organization, Repos, and Teams watching and auditing
    • AWS GovCloud Support
    • Azure AD SSO provider support
    • AWS Glacier support
    • Support for SWAG account syncing.
    • Auditor improvements
    • Ability to import bulk network whitelists (and via S3)
    • Many IAM changes. Please review the IAM docs and update your permissions accordingly.

    Too many PRs to list... Special thanks to the following contributors:

    • @mikegrima
    • @monkeysecurity
    • @mstair
    • @kevgliss
    • @mcpeak
    • @zpritcha
    • @mark-ignacio
    • @falcoris
    • @vishbhalla
    • @frohoff
    • @tabletcorry
    • @shrikant0013
    • @pjbgf
    • @billy-lechtenberg
    • @Qmando
    • @jleaniz
    • @wozz
    • @markofu
    • @cxmcc
    • @jpohjolainen
    • @PyScott
    • @sysboy
    • @gellerb
    • @fabiop
    • @joaquin386
    • @oba11
    • @castrapel
    • @NunoPinheiro
    • @apettinen
    • @johnclaus

    KNOWN BUGS: Daily emails are not getting sent out. See #953

    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.14 MB)
  • v0.9.2(May 25, 2017)

    v0.9.2 (2017-05-24)

    • PR #695 - @mikegrima - Fixing jinja import bug affecting change emails.
    • PR #692 - @LukeKennedy - Reduce number of API calls in Managed Policy watcher.
    • PR #694 - @supertom - GCP Documentation Updates
    • PR #701 - @supertom - Update GCP ServiceAccount Name to use email instead of DisplayName.
    • PR #702 - @rodriguezsergio - Update KMS Auditor. Don't create issue when Effect is Deny for a wildcard principal.
    • PR #697 - @mcpeak - Pylint fixes and TravisCI pylint enforcement.
    • PR #706 - @monkeysecurity Fix bug where batched watchers did not send change alert emails.
    • PR #708 - @redixin - Fix bug in docker config where SECURITY_MONKEY_POSTGRES_PORT would not work if passed as a string.
    • PR #714 - @monkeysecurity - Fix bug where change emails from batched watchers had incorrect color in the JSON diff.
    • PR #713 - @monkeysecurity - Fix path to favicon from flask-security jinja templates.
    • PR #709 - @crruthe - Exempt SSO API from CSRF protection.
    • PR #719 - @monkeysecurity - New simplified watcher format for CloudAux Technologies.
    • PR #726 - @monkeysecurity, @willbengtson - Add new SAMLProvider watcher.
    • PR #730 - @monkeysecurity - Fix bug where ephemerals were not respected for CloudAuxWatcher subclasses.
    • PR #727 - @supertom - Fix bug where duplicate GCP names would violate DB's unique constraint. Names now contain project ID.
    • PR #728 - @supertom - Basic Auditor Tests for GCP.
    • @monkeysecurity - Updated link to Ubuntu's SSL documentation.
    • @monkeysecurity - Bumped version of Cryptography dependency.
    • PEP8 updates.

    Important Notes:

    • Additional Permissions Required:
      • "elasticloadbalancing:describelisteners",
      • "elasticloadbalancing:describerules",
      • "elasticloadbalancing:describesslpolicies",
      • "elasticloadbalancing:describetags",
      • "elasticloadbalancing:describetargetgroups",
      • "elasticloadbalancing:describetargetgroupattributes",
      • "elasticloadbalancing:describetargethealth",
      • "iam:listsamlproviders",
    • New Watcher: ALB (elbv2)
    • ELB (v1) Watcher re-written with boto3 in CloudAux. Now respects the config value SECURITYGROUP_INSTANCE_DETAIL when determining whether to add the instance IDs to the ELB definition.

    Contributors:

    • @LukeKennedy
    • @rodriguezsergio
    • @redixin
    • @crruthe
    • @supertom
    • @mcpeak
    • @mikegrima
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.11 MB)
  • v0.9.1(Apr 20, 2017)

    v0.9.1 (2017-04-20)

    • PR #666 - @redixin - Use find_packages in setup.py to include nested packages.
    • PR #667 - @monkeysecurity - Explicitly adding urllib3[secure] to setup.py (REVERTED in #683)
    • PR #668 - @monkeysecurity - IPv6 support in security groups.
    • PR #669 - @monkeysecurity - Updating the security group auditor to treat ::/0 the same as 0.0.0.0/0
    • PR #671 - @monkeysecurity - Enhancing PolicyDiff to be able to handle non-ascii strings.
    • PR #673 - @monkeysecurity - Fixing path to aws_accounts.json. (Broken by moving manage.py)
    • PR #675 - @monkeysecurity - Adding package_data and data_files sections to setup.py.
    • PR #677 - @willbengtson - Fixing the security trackable information.
    • PR #682 - @monkeysecurity - Updating packaged supervisor config to provide full path to monkey
    • PR #681 - @AlexCline - Add reference_policies for TLS transitional ELB security policies
    • PR #684 - @monkeysecurity - Disabling DB migration b8ccf5b8089b. Was freezing some db upgrades
    • PR #683 - @monkeysecurity - Reverted #667. Added pip install --upgrade urllib3[secure] to quickstart and Dockerfile.
    • PR #685 - @monkeysecurity - Running docker-compose build in Travis-CI.
    • PR #688 - @mcpeak - Add Bandit gate to Security Monkey.
    • PR #687 - @mikegrima - Fix for issue #680. (Unable to edit account names)
    • PR #689 - @mikegrima - Enhancements to Travis-CI: parallelized the workloads. (docker/python/dart in parallel)

    Important Notes:

    • This is a hotfix release to correct a number of installation difficulties reported since 0.9.0.

    Contributors:

    • @redixin
    • @AlexCline
    • @willbengtson
    • @mcpeak
    • @mikegrima
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.11 MB)
  • v0.9.0(Apr 14, 2017)

    v0.9.0 (2017-04-13)

    • PR #500 - @monkeysecurity - Updating ARN.py to look for StringEqualsIgnoreCase in policy condition blocks
    • PR #511 - @kalpatel01 - Fix KMSAuditor exceptions
    • PR #510 - @kalpatel01 - Add additional JIRA configurations
    • PR #504 - @redixin - Plugins support
    • PR #515 - @badraufran - Add ability to press enter to search in search bar component
    • PR #514 - @badraufran - Update dev_setup_osx.rst to get it up-to-date
    • PR #513 / #545 - @mikegrima - Fix for S3 watcher errors.
    • PR #516 - @badraufran - Remove broken packages link
    • PR #518 - @badraufran - Update dev_setup_osx (Remove sudo)
    • PR #519 - @selmanj - Minor reformatting/style changes to Docker docs
    • PR #512 / #521 - @kalpatel01 - Organize tests into directories
    • PR #524 - @kalpatel01 - Remove DB mock class
    • PR #522 - @kalpatel01 - Optimize SQL for account delete
    • PR #525 - @kalpatel01 - Handle known kms boto exceptions
    • PR #529 - @mariusgrigaitis - Usage of GOOGLE_HOSTED_DOMAIN in sample configs
    • PR #532 - @kalpatel01 - Add sorting to account tables (UI)
    • PR #538 - @cu12 - Add more Docker envvars
    • PR #536 / #540 - @supertom - Add account type field to item, item details and search bar.
    • PR #534 / #541 - @kalpatel01 - Add bulk enable and disable account service
    • PR #546 - @supertom - GCP: fixed accounttypes typo.
    • PR #547 - @monkeysecurity - Delete deprecated Account fields
    • PR #528 - @kalpatel01 - Fix reaudit issue for watchers in different intervals
    • PR #553 - @mikegrima - Fixed bugs in the ES watcher
    • PR #535 / #552 - @kalpatel01 - Add support for overriding audit scores
    • PR #560 / #587 - @mikegrima - Bump CloudAux version
    • PR #533 / #559 - @kalpatel01 - Add Watcher configuration
    • PR #562 - @monkeysecurity - Re-adding reporter timing information to the logs.
    • PR #557 - @kalpatel01 - Add justified issues report
    • PR #573 - @monkeysecurity - fixing issue duplicate ARN issue…
    • PR #564 - @kalpatel01 - Fix justification preservation bug
    • PR #565 - @kalpatel01 - Handle unicode name tags
    • PR #571 - @kalpatel01 - Explicitly set export filename
    • PR #572 - @kalpatel01 - Fix minor watcher bugs
    • PR #576 - @kalpatel01 - Set user role via SSO profile
    • PR #569 - @kalpatel01 - Split check_access_keys method in the IAM User Auditor
    • PR #566 - @kalpatel01 - Convert watchers to boto3
    • PR #568 - @kalpatel01 - Replace ELBAuditor DB query with support watcher
    • PR #567 - @kalpatel01 - Reduce AWS managed policy audit noise
    • PR #570 - @kalpatel01 - Add support for custom watcher and auditor alerters
    • PR #575 - @kalpatel01 - Add functionality to clean up stale issues
    • PR #582 - @supertom - [GCP] Watchers/Auditors for GCP
    • PR #588 - @supertom - GCP docs: Draft of GCP changes
    • PR #592 - @monkeysecurity - SSO Role Modifications
    • PR #597 - @supertom - GCP: fixed issue where client wasn't receiving user-specified creds
    • PR #598 - @redixin - Implement add_account_%s for custom accounts
    • PR #600 - @supertom - GCP: fixed issue where bucket watcher wasn't sending credentials to Cloudaux
    • PR #602 - @crruthe - Added permission for DescribeVpnGateways missing
    • PR #605 - @monkeysecurity - ELB Auditor - Fixing reference to check_rfc_1918
    • PR #610 - @monkeysecurity - Adding Unique Index to TechName and AccountName
    • PR #612 - @carise - Add a section on using GCP Cloud SQL Postgres with Cloud SQL Proxy
    • PR #613 - @monkeysecurity - Setting Item.issue_count to deferred. Only joining tables in distinct if necessary.
    • PR #614 - @monkeysecurity - Increasing default timeout
    • PR #607 - @supertom - GCP: Set User Agent
    • PR #609 - @mikegrima - Added ephemeral section to S3 for "GrantReferences"
    • PR #611 - @roman-vynar - Quick start improvements
    • PR #619 - @mikegrima - Fix for plaintext passwords in DB if using CLI for user creation
    • PR #622 - @jonhadfield - Fix ACM certificate ImportedAt timestamp
    • PR #616 - @redixin - Fix docs and variable names related to custom alerters
    • PR #502 - @mikegrima - Batching support for watchers
    • PR #631 - @supertom - Added __version__ property
    • PR #632 - @sysboy - Set the default value of SECURITY_REGISTERABLE to False
    • PR #629 - @BobPeterson1881 - Fix security group rule parsing
    • PR #630 - @BobPeterson1881 - Update dashboard view filter links
    • PR #633 - @sysboy - Log Warning when S3 ACL can't be retrieved.
    • PR #639 - @monkeysecurity - Removing reference to zerotodocker.
    • PR #624 - @mikegrima - Adding utilities to get S3 canonical IDs.
    • PR #640 - @supertom - GCP: fixed UI Account Type filtering
    • PR #642 - @monkeysecurity - Adding active and third_party flags to account view API
    • PR #646 - @monkeysecurity - Removing s3_name from exporter and renaming Account.number to identifier
    • PR #648 - @mikegrima - Fix for UI Account creation bug
    • PR #657 / #658 - @jeyglk - Fix Docker
    • PR #655 - @monkeysecurity - Updating quickstart/install documentation to simplify.
    • PR #659 - @monkeysecurity - Quickstart GCP Fixes
    • PR #625 - @bungoume - Fix principal KeyError
    • PR #662 - @monkeysecurity - Replacing python manage.py with monkey
    • PR #660 - @mcpeak - Adding an option to allow group write for logfiles
    • PR #661 - @shrikant0013 - Added doc on update/upgrade steps

    Important Notes:

    • SECURITY_MONKEY_SETTINGS is no longer a required environment variable.
      • If supplied, security_monkey will respect the variable. Otherwise it will default to env-config/config.py
    • manage.py has been moved inside the package and a monkey alias has been setup.
      • Where you might once call python manage.py <arguments> you will now call monkey <arguments>
    • Documentation has been converted from RST to Markdown.
      • I will no longer be using readthedocs or RST.
      • Quickstart guide has been largely re-written.
      • Quickstart now instructs you to create and use a virtualenv (and how to get supervisor to work with it)
    • This release contains GCP Watcher Support.
    • Additional Permissions Required:
      • ec2:DescribeVpnGateways

    Contributors:

    • @kalpatel01
    • @redixin
    • @badraufran
    • @selmanj
    • @mariusgrigaitis
    • @cu12
    • @supertom
    • @crruthe
    • @carise
    • @roman-vynar
    • @jonhadfield
    • @sysboy
    • @jeyglk
    • @bungoume
    • @mcpeak
    • @shrikant0013
    • @mikegrima
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.11 MB)
  • v0.8.0(Jan 13, 2017)

    v0.8.0 (2016-12-02-delayed->2017-01-13)

    • PR #425 - @crruthe - Fixed a few report hyperlinks.
    • PR #428 - @nagwww - Documentation fix. Renamed module: security_monkey.auditors.elb to module: security_monkey.auditors.elasticsearch_service
    • PR #424 - @mikegrima - OS X Install doc updates for El Capitan and higher.
    • PR #426 - @mikegrima - Added "route53domains:getdomaindetail" to permissions doc.
    • PR #427 - @mikegrima - Fix for ARN parsing of cloudfront ARNs.
    • PR #431 - @mikegrima - Removed s3 ARN check for ElasticSearch Service.
    • PR #448 - @zollman - Fix exception logging in store_exception.
    • PR #444 - @zollman - Adds exception logging listener for APScheduler.
    • PR #454 - @mikegrima - Updated S3 Permissions to reflect latest changes to cloudaux.
    • PR #455 - @zollman - Add Dashboard.
    • PR #456 - @zollman - Increase issue note size.
    • PR #420 - @crruthe - Added support for SSO OneLogin.
    • PR #432 - @robertoriv - Add pagination for whitelist and ignore list.
    • PR #438 - @AngeloCiffa - Pin moto==0.4.25. (TODO: Bump Jinja2 version.)
    • PR #433 - @jnbnyc - Added Docker/Docker Compose support for local dev.
    • PR #408 - @zollman - Add support for custom account metadata. (An important step that will allow us to support multiple cloud providers in the future.)
    • PR #439 - @monkeysecurity - Replace botor lib with Netflix CloudAux.
    • PR #441 - @monkeysecurity - Auditor ChangeItems now receive ARN.
    • PR #446 - @zollman - Fix item 'first_seen' query.
    • PR #447 - @zollman - Refactor rdsdbcluster array params.
    • PR #445 - @zollman - Make misfire grace time and reporter start time configurable.
    • PR #451 - @monkeysecurity - Add coverage with Coveralls.io.
    • PR #452 - @monkeysecurity - Refactor & add tests for the PolicyDiff module.
    • PR #449 - @monkeysecurity - Refactoring s3 watcher to use Netflix CloudAux.
    • PR #453 - @monkeysecurity - Fixing two policy diff cases.
    • PR #442 - @monkeysecurity - Adding index to region. Dropping unused item.cloud.
    • PR #450 - @monkeysecurity - Moved test & onelogin requirements to the setup.py extras_require section.
    • PR #407 - @zollman - Link together issues by enabling auditor dependencies.
    • PR #419 - @monkeysecurity - Auditor will now fix any issues that are not attached to an AuditorSetting.
    • PR NONE - @monkeysecurity - Item View no longer returns revision configuration bodies. Should improve UI for items with many revisions.
    • PR NONE - @monkeysecurity - Fixing bug where SSO arguments weren't passed along for branded sso. (Where the name is not google or ping or onelogin)
    • PR #476 - @markofu - Update aws_accounts.json to add Canada and Ohio regions.
    • PR NONE - @monkeysecurity - Fixing manage.py::amazon_accounts() to use new AccountType and adding delete_unjustified_issues().
    • PR #480 - @monkeysecurity - Making Gunicorn an optional import to help support dev on Windows.
    • PR #481 - @monkeysecurity - Fixing a couple dart warnings.
    • PR #482 - @monkeysecurity - Replacing Flask-Security with Flask-Security-Fork.
    • PR #483 - @monkeysecurity - issue #477 - Fixes IAM User Auditor login_profile check.
    • PR #484 - @monkeysecurity - Bumping Jinja2 to >=2.8.1
    • PR #485 - @robertoriv - New IAM Role Auditor feature - Check for unknown cross account assumerole.
    • PR #487 - @hyperbolist - issue #486 - Upgrade setuptools in Dockerfile.
    • PR #489 - @monkeysecurity - issue #251 - Fix IAM SSL Auditor regression. Issue should be raised if we cannot obtain cert issuer.
    • PR #490 - @monkeysecurity - issue #421 - Adding ephemeral field to RDS DB issue.
    • PR #491 - @monkeysecurity - Adding new RDS DB Cluster ephemeral field.
    • PR #492 - @monkeysecurity - issue #466 - Updating S3 Auditor to use the ARN class.
    • PR NONE - @monkeysecurity - Fixing typo in dart files.
    • PR #495 - @monkeysecurity - issue #494 - Refactoring to work with the new Flask-WTF.
    • PR #493 - @monkeysecurity - Windows 10 Development instructions.
    • PR NONE - @monkeysecurity - issue #496 - Bumping CloudAux to >=1.0.7 to fix IAM User UploadDate field JSON serialization error.

    Important Notes:

    • New permissions required:
      • s3:getaccelerateconfiguration
      • s3:getbucketcors
      • s3:getbucketnotification
      • s3:getbucketwebsite
      • s3:getreplicationconfiguration
      • s3:getanalyticsconfiguration
      • s3:getmetricsconfiguration
      • s3:getinventoryconfiguration
      • route53domains:getdomaindetail
      • cloudtrail:gettrailstatus

    Contributors:

    • @zollman
    • @robertoriv
    • @hyperbolist
    • @markofu
    • @AngeloCiffa
    • @jnbnyc
    • @crruthe
    • @nagwww
    • @mikegrima
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.09 MB)
  • v0.7.0(Oct 11, 2016)

    v0.7.0 (2016-09-21)

    • PR #410/#405 - @zollman - Custom Watcher/Auditor Support. (Dynamic Loading)
    • PR #412 - @llange - Google SSO Fixes
    • PR #409 - @kyleberry - Fixed Report URLs in UI.
    • PR #413 - @markofu - Better handle IAM SSL certificates that we cannot parse.
    • PR #411 - @zollman - Many, many new watchers and auditors.

    New Watchers:

    * CloudTrail
    * AWSConfig
    * AWSConfigRecorder
    * DirectConnect::Connection
    * EC2::EbsSnapshot
    * EC2::EbsVolume
    * EC2::Image
    * EC2::Instance
    * ENI
    * KMS::Grant
    * KMS::Key
    * Lambda
    * RDS::ClusterSnapshot
    * RDS::DBCluster
    * RDS::DBInstance
    * RDS::Snapshot
    * RDS::SubnetGroup
    * Route53
    * Route53Domains
    * TrustedAdvisor
    * VPC::DHCP
    * VPC::Endpoint
    * VPC::FlowLog
    * VPC::NatGateway
    * VPC::NetworkACL
    * VPC::Peering
    

    Important Notes:

    • New permissions required:
      • cloudtrail:describetrails
      • config:describeconfigrules
      • config:describeconfigurationrecorders
      • directconnect:describeconnections
      • ec2:describeflowlogs
      • ec2:describeimages
      • ec2:describenatgateways
      • ec2:describenetworkacls
      • ec2:describenetworkinterfaces
      • ec2:describesnapshots
      • ec2:describevolumes
      • ec2:describevpcendpoints
      • ec2:describevpcpeeringconnections
      • iam:getaccesskeylastused
      • iam:listattachedgrouppolicies
      • iam:listattacheduserpolicies
      • lambda:listfunctions
      • rds:describedbclusters
      • rds:describedbclustersnapshots
      • rds:describedbinstances
      • rds:describedbsnapshots
      • rds:describedbsubnetgroups
      • redshift:describeclusters
      • route53domains:listdomains

    Contributors:

    • @zollman
    • @kyleberry
    • @llange
    • @markofu
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.09 MB)
  • v0.6.0(Aug 29, 2016)

    v0.6.0 (2016-08-29)

    • issue #292 - PR #332 - Add ephemeral sections to the redshift watcher
    • PR #338 - Added access key last used to IAM Users.
    • Added an IAM User auditor check to look for access keys without use in past 90 days.
    • PR #334 - @alexcline - Route53 watcher and auditor. (Updated to use botor in PR #343)
    • Logo updated. Weapon replaced with banana. Expect more logo changes soon.
    • PR #345 - Ephemeral changes now update the latest revision. Revisions now have a date_last_ephemeral_change column as well as a date_created column.
    • PR #349 - @mikegrima - Install documentation updates
    • PR #354 - Feature/SSO (YAY)
    • PR #365 - @alexcline - Added ACM (Amazon Certificate Manager) watcher/auditor
    • PR #358/#370 - @AlexCline - Alex cline feature/kms
    • Updated Dart/Angular dart versions.
    • PR #362 - @crruthe - Changed to dictConfig logging format
    • PR #372 - @ollytheninja - SQS principal bugfix
    • PR #379 - @bunjiboys - Adding Mumbai region
    • PR #380 - @bunjiboys - Adding Mumbai ELB Log AWS Account info
    • PR #381 - @ollytheninja - Adding tags to the S3 watcher
    • Boto updates
    • PR #376 - Adding item.arn field. Adding item.latest_revision_complete_hash and item.latest_revision_durable_hash. These are for the bananapeel rearchitecture.
    • PR #386 - Shortening sessions from default value to 60 minutes. Setting Cookie HTTPONLY and SECURE flags.
    • PR #389 - Adding CloudTrail table, linked to itemrevision. (To be used by bananapeel rearchitecture.)
    • PR #390 - @ollytheninja - Adding export CSV button.
    • PR #394 - @mikegrima - Saving exceptions to database table
    • PR #402 - issue #401 - Adding new ELB Reference Policy ELBSecurityPolicy-2016-08

    Hotfixes:

    • Upgraded Cryptography to 1.3.1
    • Updated docs to use sudo -E when calling manage.py amazon_accounts.
    • Updated the @record_exception decorator to allow the region to be overwritten. (Useful for region-less technology that likes to be recorded in the "universal" region.)
    • issue #331 - IAMSSL watcher failed on elliptic curve certs

    Important Notes:

    • Route53 IgnoreList entries may match zone name or recordset name.
    • Check out the new log configuration format from PR #362. You may want to update your config.py.
    • New permissions required:
      • "acm:ListCertificates",
      • "acm:DescribeCertificate",
      • "kms:DescribeKey",
      • "kms:GetKeyPolicy",
      • "kms:ListKeys",
      • "kms:ListAliases",
      • "kms:ListGrants",
      • "kms:ListKeyPolicies",
      • "s3:GetBucketTagging"
    • Some dependencies have been updated (cryptography, boto, boto3, botocore, botor, pyjwt). Please re-run python setup.py install.
    • Please add the following lines to your config.py for more time-limited sessions:
        from datetime import timedelta  # required for the timedelta values below

        PERMANENT_SESSION_LIFETIME=timedelta(minutes=60)   # Will log out users after a period of inactivity.
        SESSION_REFRESH_EACH_REQUEST=True
        SESSION_COOKIE_SECURE=True
        SESSION_COOKIE_HTTPONLY=True
        PREFERRED_URL_SCHEME='https'

        REMEMBER_COOKIE_DURATION=timedelta(minutes=60)  # Can make longer if you want remember_me to be useful
        REMEMBER_COOKIE_SECURE=True
        REMEMBER_COOKIE_HTTPONLY=True

    Contributors:

    • @alexcline
    • @crruthe
    • @ollytheninja
    • @bunjiboys
    • @mikegrima
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.08 MB)
  • v0.5.0(Apr 26, 2016)

    v0.5.0 (2016-04-26)

    • PR #286 - bunjiboys - Added Seoul region AWS Account IDs to import scripts
    • PR #291 - sbasgall - Corrected ignore_list.py variable names and help strings
    • PR #284 - mikegrima - Fixed cross-account root reporting for ES service (Issue #283)
    • PR #293 - mikegrima - Updated quickstart documentation to remove permission wildcards (Issue #287)
    • PR #301 - monkeysecurity - iamrole watcher can now handle many more roles (1000+) and no longer times out.
    • PR #316 - DenverJ - Handle database exceptions by cleaning up session.
    • PR #289 - delikat - Persist custom role names on account creation
    • PR #321 - monkeysecurity - Item List and Item View will no longer display disabled issues.
    • PR #322 (PR #308) - llange - Ability to add AWS owned managed policies to ignore list by ARN (Issue #148)
    • PR #323 - snixon - Breaks check_securitygroup_any into ingress and egress (Issue #239)
    • PR #309 - DenverJ - Significant database query optimizations by tuning itemrevision retrievals
    • PR #324 - mikegrima - Handling invalid ARNs more consistently between watchers (Issue #248)
    • PR #317 - ollytheninja - Add Role Based Access Control
    • PR #327 - monkeysecurity - Added Flask-Security's SECURITY_TRACKABLE to backend and UI
    • PR #328 - monkeysecurity - Added ability to parse AWS service "ARNs" like events.amazonaws.com as well as ARNs that use * for the account number like arn:aws:s3:*:*:some-s3-bucket
    • PR #314 - pdbogen - Update Logging to have the ability to log to stdout, useful for dockerizing.

    Hotfixes:

    • s3_acl_compare_lowercase: AWS now returns S3 ACLs with a lowercased owner. security_monkey now does a case-insensitive comparison.
    • longer_resource_ids: Updated the DB to handle longer AWS resource IDs: https://aws.amazon.com/blogs/aws/theyre-here-longer-ec2-resource-ids-now-available/
    • Removed requests from requirements.txt/setup.py as it was pinned to a very old version and not directly required (Issue #312)
    • arn_condition_awssourcearn_can_be_list: Updated security_monkey to be able to handle a list of ARNs in a policy condition.
    • ignore_list_fails_on_empty_string: security_monkey now properly handles an ignore list entry containing a prefix string of length 0.
    • protocol_sslv2_deprecation: AWS stopped returning whether an ELB listener supported SSLv2. Fixed security_monkey to handle the new format correctly.

    Important Notes:

    • security_monkey IAM roles now require a new permission: iam:listattachedrolepolicies
    • Your security_monkey config file should contain a new flag: SECURITY_TRACKABLE = True
    • You'll need to rerun python setup.py install to obtain the new dependencies.

    Contributors:

    • @bunjiboys
    • @sbasgall
    • @mikegrima
    • @DenverJ
    • @delikat
    • @snixon
    • @ollytheninja
    • @pdbogen
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.23 MB)
  • v0.4.1(Dec 28, 2015)

    v0.4.1 (2015-12-22)

    • PR #269 - mikegrima - TravisCI now ensures that dart builds.
    • PR #270 - monkeysecurity - Refactored sts_connect to dynamically import boto resources.
    • PR #271 - OllyTheNinja-Xero - Fixed indentation mistake in auditor.py
    • PR #275 - AlexCline - Added elb logging to ELB watcher and auditor.
    • PR #279 - mikegrima - Added ElasticSearch Watcher and Auditor (with tests).
    • PR #280 - monkeysecurity - PolicyDiff better handling of changes to primitives (like ints) in dictionary values and added explicit escaping instead of relying on Angular.
    • PR #282 - mikegrima - Documentation Fixes to configuration.rst and quickstart.rst adding es: permissions and other fixes.

    Hotfixes:

    • Added OSSMETADATA file to master/develop for internal Netflix tracking.

    Contributors:

    • @mikegrima
    • @monkeysecurity
    • @OllyTheNinja-Xero
    • @AlexCline
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.25 MB)
  • v0.4.0(Nov 23, 2015)

    v0.4.0 (2015-11-20)

    • PR #228 - jeremy-h - IAM check misses '*' when found within a list. (Issue #223)
    • PR #230 - markofu - New error and echo functions to simplify code for scripts/secmonkey_auto_install.sh
    • PR #233 - mikegrima - Write tests for security_monkey.common.ARN (Issue #222)
    • PR #238 - monkeysecurity - Refactoring _check_rfc_1918 and improving VPC ELB Internet Accessible Check
    • PR #241 - bunjiboys - Seed Amazon owned AWS accounts (Issue #169)
    • PR #243 - mikegrima - Fix for underscores not being detected in SNS watcher. (Issue #240)
    • PR #244 - mikegrima - Setup TravisCI (Issue #227)
    • PR #250 - OllyTheNinja-Xero - upgrade deprecated botocore calls in ELB watcher (Issue #249)
    • PR #256 - mikegrima - Latest Boto3/botocore versions (Issue #254)
    • PR #261 - bunjiboys - Add ec2:DescribeInstances to quickstart role documentation (Issue #260)
    • PR #263 - monkeysecurity - Updating docs/scripts to pin to dart 1.12.2-1 (Issue #259)
    • PR #265 - monkeysecurity - Remove ratelimiting max attempts, wrap ELB watcher with try/except/continue

    Hotfixes:

    • Issue #235 - OllyTheNinja-Xero - SNS Auditor - local variable 'entry' referenced before assignment

    Contributors:

    • @jeremy-h
    • @markofu
    • @mikegrima
    • @bunjiboys
    • @OllyTheNinja-Xero
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.25 MB)
  • v0.3.9(Oct 8, 2015)

    v0.3.9 (2015-10-08)

    • PR #212 - bunjiboys - Make email failures warnings instead of debug messages
    • PR #203 - markofu - Added license to secmonkey_auto_install.sh.
    • PR #207 - cbarrac - Updated dependencies and dart installation for secmonkey_auto_install.sh
    • PR #209 - mikegrima - Make SNS Ignorelist use name instead of ARN.
    • PR #213 - Qmando - Added more exception handling to the S3 watcher.
    • PR #215 - Dklotz-Circle - Added egress rules to the security group watcher.
    • monkeysecurity - Updated quickstart.rst IAM policy to remove wildcards and include redshift permissions.
    • PR #218 - monkeysecurity - Added exception handling to the S3 bucket.get_location API call.
    • PR #221 - Qmando - Retry on AWS API error when slurping ELBs.
    • monkeysecurity - Updated cryptography package from 1.0 to 1.0.2 for easier installation under OS X El Capitan.

    Hotfixes:

    • Updated quickstart.rst and secmonkey_auto_install.sh to remove swig/python-m2crypto and add libffi-dev
    • Issue #220 - SQS Auditor not correctly parsing ARNs, halting security_monkey. Fixed by abstracting ARN parsing into a new class (security_monkey.common.arn). Updated the SNS Auditor to also use this new class.
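
    The ARN handling touched on in these notes (the abstracted parser here, the wildcard-account and service-principal forms added in v0.5.0 PR #328, the list-valued aws:SourceArn hotfix in v0.5.0, and the '*' hiding inside an Action list fixed in v0.4.0 PR #228) comes down to two habits: normalise every string-or-list field to a list, and refuse to guess when an ARN does not parse. The following is an added example, not security_monkey.common.arn or any other project code, that shows both over a constructed SQS queue policy; the function names, the account IDs and the sample policy are this example's own.

```python
SERVICE_PRINCIPAL_SUFFIX = ".amazonaws.com"


def as_list(value):
    """IAM accepts a bare string wherever it accepts a list; treat both alike."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_arn(text):
    """Parse an ARN, an AWS service principal or a bare '*' into a dict.

    Anything else raises ValueError, so a caller can neither silently treat an
    unparseable value as harmless nor crash on it mid-audit.
    """
    if text == "*":
        return {"kind": "wildcard", "account": "*"}
    if ":" not in text and text.endswith(SERVICE_PRINCIPAL_SUFFIX):
        return {"kind": "service", "service": text, "account": None}
    parts = text.split(":", 5)  # the resource part may itself contain colons
    if len(parts) != 6 or parts[0] != "arn" or not parts[1] or not parts[2]:
        raise ValueError(f"invalid ARN {text!r}")
    _, partition, service, region, account, resource = parts
    return {"kind": "arn", "partition": partition, "service": service,
            "region": region, "account": account, "resource": resource}


def principal_findings(sid, key, text, own_account):
    """Findings for one principal; '*' may be the whole value or just the account field."""
    parsed = parse_arn(text)
    if parsed["kind"] == "wildcard":
        return [f"{sid}: {key} principal '*' grants access to everyone"]
    if parsed["kind"] == "service":
        return []  # an AWS service acting on your behalf, not a foreign account
    if parsed["account"] == "*":
        return [f"{sid}: {key} principal {text} matches any account"]
    if parsed["account"] != own_account:
        return [f"{sid}: cross-account {key} principal from {parsed['account']}"]
    return []


def audit_policy(policy, own_account):
    """Return findings for Allow statements with wildcard actions or foreign/wildcard principals."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for action in as_list(stmt.get("Action")):  # '*' hides in lists as easily as in strings
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        principals = stmt.get("Principal", {})
        if principals == "*":
            principals = {"AWS": "*"}  # shorthand form of the anonymous principal
        for key, values in principals.items():
            for text in as_list(values):
                try:
                    findings.extend(principal_findings(sid, key, text, own_account))
                except ValueError as exc:
                    findings.append(f"{sid}: {exc}")
        # aws:SourceArn is the usual guard on a '*' principal and may itself be a list.
        for operator, cond in stmt.get("Condition", {}).items():
            for source in as_list(cond.get("aws:SourceArn")):
                try:
                    account = parse_arn(source)["account"]
                except ValueError as exc:
                    findings.append(f"{sid}: {exc}")
                    continue
                if account and account != own_account:  # S3 ARNs carry no account at all
                    findings.append(f"{sid}: {operator} aws:SourceArn allows account {account}")
    return findings


# Constructed SQS queue policy for the walk-through; the account IDs are made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SnsFanout", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:alerts",
         "Condition": {"ArnEquals": {"aws:SourceArn": [
             "arn:aws:sns:us-east-1:123456789012:alerts",
             "arn:aws:sns:us-east-1:999999999999:alerts"]}}},
        {"Sid": "PartnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999999999999:root", "arn:aws:iam::*:role/ops"]},
         "Action": ["sqs:ReceiveMessage", "sqs:*"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:alerts"},
        {"Sid": "EventsOnly", "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:alerts"},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, own_account="123456789012"):
        print(finding)
```

    The EventsOnly statement produces nothing: a service principal is scoped by the service, not by an account. The SnsFanout statement is the classic shape where a '*' principal is only acceptable because of the aws:SourceArn condition, which is why the condition's second, foreign-account entry is reported rather than the whole statement being waved through.
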

    Contributors:

    • bunjiboys
    • markofu
    • cbarrac
    • mikegrima
    • Qmando
    • Dklotz-Circle
    • monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.25 MB)
  • v0.3.8(Aug 28, 2015)

    v0.3.8 (2015-08-28)

    • PR #165 - echiu64 - S3 watcher now tracking S3 Logging Configuration.
    • None - monkeysecurity - Certs with an invalid issuer now flagged.
    • PR #177 - DenverJ - Added new SQS Auditor.
    • PR #188 - kevgliss - Removed dependency on M2Crypto/Swig and replaced with Cryptography.
    • PR #164 - Qmando - URL encoding issue with certain searches containing spaces corrected.
    • None - monkeysecurity - Fixed issue where corrected issues were not removed.
    • PR #198 - monkeysecurity - Adding ability to select up to four items or revisions to be compared.
    • PR #194 #195 - bunjiboys - SECURITY_TEAM_EMAIL should accept not only a list, but also a string or tuple.
    • PR #180 #181 #190 #191 #192 #193 - cbarrac - A number of updates and fixes for the bash installer. (scripts/secmonkey_auto_installer.sh)
    • PR #176 #178 - mikegrima - Updated documentation for contributors on OS X and Ubuntu to use Webstorm instead of the Dart Editor.

    Contributors:

    • @Qmando
    • @echiu64
    • @DenverJ
    • @cbarrac
    • @kevgliss
    • @mikegrima
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.25 MB)
  • v0.3.5(Mar 31, 2015)

    v0.3.5 (2015-03-28)

    • Adding policy minimizer & expander to the revision component
    • Adding tracking of instance profiles attached to a role
    • Adding marker/pagination code to redshift.describe_clusters()
    • Adding pagination to IAM User get_all_user_policies, get_all_access_keys, get_all_mfa_devices, get_all_signing_certs
    • Typo & minor corrections on postgres commands
    • CLI command to save your current configurations to a JSON file for backup
    • added a VPC watcher
    • Adding DHCP Options and Internet Gateways to the VPC Watcher
    • Adding a subnet watcher. Fixing the VPC watcher with deep_dict
    • Adding the vpc route_table watcher
    • Removing subnet remaining IP field until ephemeral section is merged in
    • Adding IAM Managed Policies
    • Typo & minor corrections on postgres commands in documentation
    • Adds ELBSecurityPolicy-2015-03. Moves export-grade ciphers to their own section and alerts on the FREAK vulnerability.
    • Provides context on reference policy 2015-03 vs 2015-02.
    • Adding a Managed Policies Auditor
    • Added Managed Policy tracking to the IAM users, groups, and roles

    Summary of new watchers:

    • vpc (including DHCP Options and Internet Gateways)
    • subnet
    • routetable
    • managed policies

    Summary of new Auditors or audit checks:

    • managed policies
    • New reference policy 2015-03 for ELB listeners.
    • New alerts for FREAK vulnerable ciphers.
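
    As an added example of the kind of check the ELB auditor performs (not the project's own code), the function below inspects a listener's SSL negotiation policy in the PolicyAttributeDescriptions shape that describe_load_balancer_policies returns, and flags enabled export-grade (FREAK-vulnerable) ciphers, SSLv2/SSLv3, any cipher outside a reference set, and a missing server-defined cipher order. The reference set is a constructed subset for illustration, not the actual contents of ELBSecurityPolicy-2015-03, and the sample policy is constructed.

```python
# Attribute names follow the PolicyAttributeDescriptions shape that ELB's
# describe_load_balancer_policies returns (values are the strings "true"/"false").
# REFERENCE_CIPHERS is a constructed subset for illustration, not the real
# contents of ELBSecurityPolicy-2015-03.
REFERENCE_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA",
}
REFERENCE_PROTOCOLS = {"Protocol-TLSv1", "Protocol-TLSv1.1", "Protocol-TLSv1.2"}
DEPRECATED_PROTOCOLS = {"Protocol-SSLv2", "Protocol-SSLv3"}
CIPHER_ORDER = "Server-Defined-Cipher-Order"


def enabled_attributes(policy_attributes):
    """Names of the attributes whose value is 'true'."""
    return {a["AttributeName"] for a in policy_attributes
            if str(a["AttributeValue"]).lower() == "true"}


def audit_listener_policy(policy_attributes):
    """Return findings for one listener's SSL negotiation policy."""
    enabled = enabled_attributes(policy_attributes)
    findings = []
    # Export suites use 512-bit RSA and 40-bit symmetric keys. Leaving one enabled
    # lets an attacker downgrade a vulnerable client to it (FREAK, CVE-2015-0204).
    for name in sorted(n for n in enabled if n.startswith("EXP-")):
        findings.append(f"export-grade cipher enabled (FREAK): {name}")
    for proto in sorted(enabled & DEPRECATED_PROTOCOLS):
        findings.append(f"deprecated protocol enabled: {proto}")
    known = REFERENCE_CIPHERS | REFERENCE_PROTOCOLS | DEPRECATED_PROTOCOLS | {CIPHER_ORDER}
    for name in sorted(n for n in enabled - known if not n.startswith(("EXP-", "Protocol-"))):
        findings.append(f"cipher not in reference policy: {name}")
    if CIPHER_ORDER not in enabled:
        findings.append("server-defined cipher order disabled; the client picks the suite")
    return findings


# Constructed listener policy, shaped like the API response but not captured from AWS.
SAMPLE_POLICY_ATTRIBUTES = [
    {"AttributeName": "Protocol-SSLv2", "AttributeValue": "false"},
    {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
    {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
    {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
    {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"},
    {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
    {"AttributeName": "AES128-SHA", "AttributeValue": "true"},
    {"AttributeName": "RC4-MD5", "AttributeValue": "true"},
    {"AttributeName": "EXP-RC4-MD5", "AttributeValue": "true"},
    {"AttributeName": "EXP-DES-CBC-SHA", "AttributeValue": "false"},
]

if __name__ == "__main__":
    for finding in audit_listener_policy(SAMPLE_POLICY_ATTRIBUTES):
        print(finding)
```

    Disabled export suites are not reported: the point of the v0.3.5 change is to alert on what is actually negotiable, and an attribute set to "false" cannot be selected.
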

    Contributors:

    • markofu
    • monkeysecurity

    static.tar.gz is attached to this release and contains the output of compiling the Dart web UI to JavaScript. Simply extract this tar.gz into your security_monkey/static folder.

    Source code(tar.gz)
    Source code(zip)
    static.tar.gz(1.28 MB)
  • v0.3.4(Feb 20, 2015)

    v0.3.4 (2015-2-19)

    • Merged in a new AuditorSettings tab created by Qmando at Yelp enabling you to disable audit checks with per-account granularity.

    • security_monkey is now CSP compliant.

    • security_monkey has removed all shadow-DOM components. Also removed webcomponents.js and dart_support.js, as they were not CSP compliant.

    • security_monkey now advises users to enable the following standard security headers:

      X-Content-Type-Options "nosniff"; X-XSS-Protection "1; mode=block"; X-Frame-Options "SAMEORIGIN"; Strict-Transport-Security "max-age=631138519"; Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://ajax.googleapis.com; style-src 'self' https://fonts.googleapis.com;"

    • security_monkey now has XSRF protection against all DELETE, POST, PUT, and PATCH calls.

    • Updated the ELB Auditor to be aware of the ELBSecurityPolicy-2015-02 reference policy.
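
    To verify that a deployment actually emits the headers recommended above, here is an added example (not part of Security Monkey) that audits a response header mapping: it requires nosniff, a restrictive X-Frame-Options, an HSTS max-age of at least a year, and a CSP whose script sources contain no 'unsafe-inline', 'unsafe-eval', wildcard or data: entries. X-XSS-Protection is deliberately left unchecked, since current browsers ignore it. The thresholds and the weak sample are this example's own.

```python
import re

# The header set recommended in the release note, as a mapping. The thresholds
# and the weak sample further down are this example's own, not the project's.
RECOMMENDED_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=631138519",
    "Content-Security-Policy": (
        "default-src 'self'; font-src 'self' https://fonts.gstatic.com; "
        "script-src 'self' https://ajax.googleapis.com; "
        "style-src 'self' https://fonts.googleapis.com;"
    ),
}
MIN_HSTS_SECONDS = 365 * 24 * 3600  # one year; shorter values leave gaps between visits unprotected


def parse_csp(value):
    """Turn 'directive src src; directive src' into {directive: [src, ...]}."""
    directives = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return findings for a response header mapping; names are matched case-insensitively."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'; browsers may sniff MIME types")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive; page can be framed (clickjacking)")
    hsts = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not hsts or int(hsts.group(1)) < MIN_HSTS_SECONDS:
        findings.append("Strict-Transport-Security missing or max-age under one year")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
        return findings
    directives = parse_csp(csp)
    if "default-src" not in directives:
        findings.append("CSP has no default-src fallback")
    # script-src inherits from default-src when absent, so check whichever applies.
    scripts = directives.get("script-src", directives.get("default-src", []))
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
        if bad in scripts:
            findings.append(f"CSP script sources allow {bad}")
    return findings


# Constructed weak response for comparison.
WEAK_HEADERS = {
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
}

if __name__ == "__main__":
    print("recommended:", audit_headers(RECOMMENDED_HEADERS) or "no findings")
    for finding in audit_headers(WEAK_HEADERS):
        print("weak:", finding)
```

    The recommended set passes cleanly; the CSP in particular passes because script-src is restricted to 'self' and one explicit CDN origin, which is exactly what made the shadow-DOM removal above necessary.
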

    Contributors:

    • @Qmando
    • @monkeysecurity
    Source code(tar.gz)
    Source code(zip)
    static.tar(4.38 MB)
Owner
Netflix, Inc. (Netflix Open Source Platform)