Seems like pip didn't leave everything ok, or perhaps I'm missing some instructions on how to run it.

altimeter was installed at: /Users/gonzalovasquez/Library/Python/3.7/bin/altimeter as my user and also with sudo at /System/Volumes/Data/Users/gonzalovasquez/Library/Python/3.7/bin/altimeter, but both yield same error message about the missing aws2n.py

Facts:

aws --version
aws-cli/2.0.15 Python/3.7.4 Darwin/19.6.0 botocore/2.0.0dev19

macOS Catalina 10.15.7

Currently we are using a set of custom scripts. These could be replaced with tox and a small config.

Hey Guys,

We are running altimeter on our production AWS account.
It is running under a restricted access IAM role and continuously facing AccessDenied issue.
We request those permissions, but on the next run appear new ones and so on.

Is it possible to document all permissions, which should be allowed to run altimeter under a restricted access policy?

This is blocked by boto/botocore#2332 , once that is resolved we can bump boto versions and cut a new release.

To get this to work with a Python 3.10.13 environment I needed to change
v-env/lib/python3.10/site-packages/tornado/httputil.py
this line 25:
From:
import collections
To:
import collections.abc

and also here line 107:

From:
class HTTPHeaders(collections.MutableMapping):
To:
class HTTPHeaders(collections.abc.MutableMapping):

API Gateway V2 APIs have their tags defined as a simple dictionary, rather than the traditional Key/Value pairing. TagsField will throw a TypeError as a result.

An example response can be seen here: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/apigatewayv2.html#ApiGatewayV2.Client.get_apis

Nodes which have an arn should be represented by a URIRef rather than a BNode.

@jbmchuck, if I'm not wrong, after merging the PRs #168 and #163 no releases have been cut. Would it make sense to cut a new release including them?

$ git log --oneline 6.4.4..master
525750f (HEAD -> master, upstream/master, upstream/HEAD, origin/master) Gather user and group policies (#163)
09f974a Make the field UserId in a Security Group optional (#168)

Thanks in advance!

Add an additional 'name' triple on EC2 instances, derived from the Name tag where present.

Lambda's 15 min timeout becomes an issue as the number of accounts increases. Move the main aws2n process to ECS, continue using lambda for each account scan.

Code assumes that InvitedAt key is always present in the dictionary, but it is not required: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Master.html

Use .get(key) and add optional=True in schema.

I believe we could auto-generate this from schema classes.

pipx is a super useful way to install scripts into their own virtualenv. At the moment, it can make a good attempt at installing altimeter but doesn't set up the main scripts as these are defined as scripts in setup.py rather than console_scripts.

My suggestion is that that the scripts be converted to console_scripts to allow pipx to install them. (I appreciate I might be missing some of the reasons why this isn't possible.)

API Gateway domain names (and other API Gateway resources tbh) have their keys set to all lowercase letters. (an example can be seen in the response here: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/apigateway.html#APIGateway.Client.get_domain_names)

Because TagsField defaults to optional=True, the lowercase key will be missed and the tags will be empty.

Several classes are responsible only for holding data and serializing/deserializing. These could be replaced with Pydantic and remove a significant amount of code as well as provide a check against mutability where appropriate.

I am trying to set up altimeter. I have set up the config file ('current_single_account.toml') and am having trouble getting the 'altimeter' command to work. I am working on a MacOS machine with M1 chip, using Terminal. Any tips?

The Locate vpcs with no ec2 instances, rds instances lambdas or ENIs attached. query returns all VPCs in my account, including those containing EC2 instances, etc.

Apologies but my SPARQL isn't quite sharp enough to spot the issue.

This line of code causes Altimeter to crash upon first use.
s3_client = boto3.client("s3") throws NoRegionError: You must specify a region. error because the region parameter is not specified and the AWS_DEFAULT_REGION environment variable wasn't specified.

Suggest either adding region parameter to the call based on what's in the config file or pick a region by default, or tell user to set AWS_DEFAULT_REGION and/or update documentation.

IAM role resources appear to have the region added to their ARN which isn't required (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns). This in turn breaks links when trying to add connections to them (an example is the RoleArn attribute of lambda functions.)

Using the quickstart guide and running the below command runs to error. Am I missing some confirguration. I have AWS CLI setup and all the aws cli commands work fine.
altimeter --base_dir /tmp/altimeter --regions us-east-1
usage: aws2json.py [-h] --config CONFIG output_dir
aws2json.py: error: the following arguments are required: --config

I am currently trying to scan Base Path Mappings in API Gateway. This works as expected until it encounters an API Gateway V2 API. The get_base_mappings response data includes an API ID, but there is no way to tell whether this points to a V1 or a V2 API. As such, I can't just use a ResourceLinkField as usual.

Can you recommend a way to achieve the link? I'm thinking it would require checking the list of both v1 and v2 APIs for each mapping and setting my object as appropriate. I'll probably define two ResourceLinkFields and set them them as optional, unless there's some other better way to do this.

I am currently scanning an account in which I have close to full access but, due to compliance and security settings, I am unable to enumerate various settings. (SAML provider information and user access keys, as examples).

It would be useful if the scanning was allowed to continue when access errors are encountered, as I am only interested in the resources that I have access to. This would also help with being able to audit a user's access and ensure they do not have too many privileges.

(One potential way to achieve this could be a settings value that allowed you to exclude certain resources from scanning but that seems a little inelegant, plus could require repeated runs until no errors are generated.)