From d099255859e914f0f3bfac7a7e8152c31a6655dc Mon Sep 17 00:00:00 2001
From: Olivia Campbell
Date: Mon, 12 Feb 2024 15:47:33 +0000
Subject: [PATCH] Add list of exposed ports

From a security stance we should have the ability to find out which ports are opened to the world across our AWS accounts.
---
bin/waf/ip-port-exposed | 43 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100755 bin/waf/ip-port-exposed

diff --git a/bin/waf/ip-port-exposed b/bin/waf/ip-port-exposed
new file mode 100755
index 0000000..90ed529
--- /dev/null
+++ b/bin/waf/ip-port-exposed
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# exit on failures
+set -e
+set -o pipefail
+
+usage() {
+ echo "Usage: $(basename "$0") [OPTIONS]" 1>&2
+ echo " -h - help"
+ echo " -i - infrastructure name"
+ exit 1
+}
+
+# if there are no arguments passed exit with usage
+if [ $# -eq 0 ]
+then
+ usage
+fi
+
+while getopts "i:h" opt; do
+ case $opt in
+ i)
+ INFRASTRUCTURE_NAME=$OPTARG
+ ;;
+ h)
+ usage
+ ;;
+ *)
+ usage
+ ;;
+ esac
+done
+
+if [[
+ -z "$INFRASTRUCTURE_NAME"
+]]
+then
+ usage
+fi
+
+EXPOSED_PORTS=$(aws ec2 describe-security-groups --query "SecurityGroups[*].[GroupId, GroupName, IpPermissions[?IpRanges[?CidrIp == '0.0.0.0/0']].{FromPort:FromPort, ToPort:ToPort, IpRanges:IpRanges[*].CidrIp}]" --output json | jq -r '.[] | "\(.[0]) \(.[1]) \(.[2][].FromPort) \(.[2][].ToPort) \(.[2][].IpRanges | join(", "))"' | grep -E -v '443|80')
+
+echo -e "Retrieving list of exposed ports to the world >>>\n$EXPOSED_PORTS"
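Review bot: The exclusion filter `grep -E -v '443|80'` on the EXPOSED_PORTS line is unanchored, so it silently drops every line whose text merely contains those digits — a group ID such as sg-0a80…, a range like 8000–8080, or port 8443 — which is exactly the world-exposed surface this script exists to report. In the same line, `.[2][]` appears three times inside one jq string interpolation, and jq evaluates that as a cross product, so a group with several 0.0.0.0/0 rules prints FromPort, ToPort and IpRanges combined across different rules rather than one line per rule. Because grep -v exits 1 when nothing survives the filter, the command substitution fails under `set -e`/`set -o pipefail` and the script exits without printing anything, which a caller will read as "no exposed ports". Two smaller gaps: the query only matches `CidrIp == '0.0.0.0/0'` and never looks at Ipv6Ranges/CidrIpv6 `::/0`, and `-i`/INFRASTRUCTURE_NAME is required by option parsing but never read afterwards. The rewrite below emits one line per rule and keys the exclusion on the port fields so only rules that are exactly 80 or 443 are hidden (a comment on the `select` should state that).
```bash
# … unchanged: option parsing and INFRASTRUCTURE_NAME check …
EXPOSED_PORTS=$(aws ec2 describe-security-groups \
  --query "SecurityGroups[*].[GroupId, GroupName, IpPermissions[?IpRanges[?CidrIp == '0.0.0.0/0']].{FromPort:FromPort, ToPort:ToPort, IpRanges:IpRanges[*].CidrIp}]" \
  --output json \
  | jq -r '.[] | .[0] as $id | .[1] as $name | .[2][]
           | select(((.FromPort == 80 or .FromPort == 443) and .FromPort == .ToPort) | not)
           | "\($id) \($name) \(.FromPort) \(.ToPort) \(.IpRanges | join(", "))"')
```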