We all understand that resources get lost in the cloud. Between working across regions, migrating accounts, and the ability to quickly spin up an instance and forget about it, it’s almost inevitable to have some mystery resources lurking in your AWS account.
Why should I care about lost AWS resources?
Well, resources cost money, so that’s a thing.
But here’s another thing: What if you migrate accounts and forget about some old snapshots and volumes? An attacker gains access to the old AWS account. They mount the old snapshots and volumes onto new instances they have access to, and inspect the volumes. The package and configuration data is mostly old and irrelevant, but they find source code, and in that source code, credentials to access the company’s private GitHub.
And what about those instances that developers created to test a feature and then forgot about? How many vulnerabilities do they have?
Ok, so how do I find AWS resources that might be lost or forgotten?
Use open source cnquery to explore all the resources in your AWS account, across all regions.
Open the shell
AWS_PROFILE="vvdefault" cnquery shell aws
Find snapshots
aws.ec2.snapshots { id region startTime }
Find volumes
aws.ec2.volumes { arn createTime }
Find EC2 instances with no tags attached, or with a specific tag
aws.ec2.instances.where(tags.length == 0) { arn } aws.ec2.instances.where(tags['Name'] == "k8s-operator03") { instanceId region }
Find AWS Security Groups with unrestricted ipRange access
aws.ec2.securityGroups.where(ipPermissions { ipRanges.contains("0.0.0.0/0") }) { arn }
Find the AWS EC2 instances that are using those security groups
aws.ec2.instances.where(securityGroups.where(ipPermissions { ipRanges.contains("0.0.0.0/0") })) { arn }
Explore all the resources under the EC2 service
aws.ec2 { * }
